EP 122: Hack-Proof Your Life Now! - Interview with cybersecurity experts Sean Bailey and Devin Kropp

"Over the years, the issue of hacking and identity theft has become more and more serious and we started to see...stories about hacking and people losing money in any variety of ways through making mistakes or just in general having poor security on their computers.” — Sean Bailey, author

"I think one thing for people to keep in mind is when you’re choosing a divorce attorney or someone to work with, you definitely want to ask them about their security practices. Make sure that they have methods in place to keep your information secure.” —  Devin Kropp, author

How do you keep your ex-spouse from stealing your information and identity? How do you keep your private information private? You’re probably not even following the most basic practices to keep your spouse - and potentially others - from taking your electronic information. In this episode we interview Sean Bailey and Devin Kropp, authors of Hack-Proof Your Life Now! The New Cybersecurity Rules: Protect your email, computers, and bank accounts from hacks, malware, and identity theft. They are going to share some valuable information about how you can protect yourself.

Be sure to check out their cybersecurity test at hackproofquiz.com. Find out if you’re doing all you can to keep your private information…private.

This transcript has been edited for clarity.

Shawn: Today on the show I have with me Sean Bailey and Devin Kropp. They are the authors of Hack-Proof Your Life Now! The New Cybersecurity Rules: Protect your email, computers, and bank accounts from hacks, malware, and identity theft. Sean and Devin, welcome to the show.

Sean: Thank you.

Devin: Thanks.

Shawn: So why don’t we start with just a little background. Tell us how you came to this book and writing about it?

Sean: Devin and I worked for a company here in Manhattan called the Horsesmouth. The main mission of our company is to help financial planners create educational content to teach their clients and the public. I have been a journalist for thirty years, and have written extensively at certain points during my career about fraud over the years, and a bit of computers and actually using computers very early on to analyze government data and do investigative reporting. I’ve had familiarity with fraud and computers. I’ve been working here at Horsesmouth for eighteen years.

Over the years, the issue of hacking and identity theft has become more and more serious and we started to see, leading up to around 2013, stories about hacking and people losing money in any variety of ways through making mistakes or just in general having poor security on their computers, that sort of thing was growing in frequency. We began to think who is it in the public’s world that should be the person teaching people or nudging people to do better with their cyber security? When you think about it, if it’s any professional, it’s not going to be your doctor or your dentist. It’s going to be a person in your community who helps you with your finances and financial planning, and that sort of stuff. So we decided to create a workshop that financial planners could deliver in their community. The workshop was called: One Hour to Cyber Savvy Security.

Devin works with me as an associate editor here at Horsesmouth, where I’m the Editor in Chief. We created this program, and what we wanted to do, and what we believed as we started to look at the issue, was that there were actually a handful of important, easy-to-do things that will dramatically boost people’s security. Even though, whenever they’re written about constantly on the internet, or whatever the case may be, or you hear about it on the radio or TV, you always get the scare but you hardly ever get the solution. There are a lot of easy solutions out there that can go a long way to building an effective cyber security fortress around your private life. So that’s kind of how we got into it, Shawn.

Shawn: I think that’s great, and I think you’re right in that you hear all the news stories or you see the advertisements from various companies, but it’s hard to figure out one consolidated way of what you can do to protect yourself. What we’ll do today is get into some of the main topics in the book. There’s no way we can cover everything. There’s a lot of information in there. Let’s just start with a few different categories. One of the questions that I get from people that I work with as a financial advisor, typically in a divorce situation, “My ex spouse knows everything about me, how do I protect my identity?” I know there’s a lot of facets, you have some recommendations. I see on TV everyday, commercials for LifeLock. Why can’t we just all sign up for LifeLock and call it a day?

Sean: We decided to write the book because we were creating a presentation called, One Hour to Cyber Savvy Security, and it was so well received we thought about how we could reach more people. So that’s why we wrote the book. The last chapter of the book is about LifeLock because the book is divided into three sections. The final section is about developing a sense of mindfulness around your security. Part of that means that you have to fully take control of certain aspects of your life, and not only make these changes that will boost your security but some of them you need to stay on top of and watch on a regular basis. The problem with companies like LifeLock is that they want to give you the impression that if you pay them fifteen bucks a month or twenty bucks a month for your whole family, or more, that you can just sign up and be perfectly fine and not have anything to worry about. The truth of the matter is, you don’t even need to spend any money with LifeLock to enjoy a considerable amount of security. That relates to identity theft. What LifeLock wants you to do is they want you to keep your credit files at Experian, and Equifax and TransUnion. They want you to keep your file in its current default mode, which is open. That means that any retailer that would want to check on a credit application in your name, could just get on the internet or use their databases to check the validity and check your credit scores. Here’s the problem with that.

LifeLock enjoys the fact that it is open, because then if somebody tries to impersonate you and take out credit in your name, LifeLock might find out about it at some point in time by monitoring your file, and then tell you “Did you know that you now have a credit card with a twenty-five thousand dollar credit limit that was taken out through this furniture wholesaling company?” And you would say, “I didn’t have anything to do with that.” LifeLock would then say “We can step in and help you solve this problem.” We think that doesn’t make any sense at all. We think that you should put into place a simple thing that would just never allow for that to happen in the first place. That’s called a credit freeze.

Everybody who is listening, unless you are constantly applying for a new credit all the time – and frankly, hardly anyone is – you want to go to the three credit bureaus and it takes just a couple of minutes with each one, and you want to put your credit files on a security freeze, also known as a credit freeze. When that is done, your files are automatically, by default, closed. This means that retail furniture company that could give you a credit to totally refurnish your home or your apartment, someone impersonating you, couldn’t defraud them, and you, by going on and falsifying an application and taking out credit in your name. Your credit files would be locked; they’d be in a frozen situation. So when that retailer contacted any of the three credit bureaus to process the application that the fraudster is trying to run through on your name, we will come back and say “Oh I’m sorry, your credit is frozen. We can’t do that until you lift the credit freeze.” And of course you can lift it with your own personal identification, with your own pin. Everybody should do that.

Shawn: So I actually did it myself. I know we’ve spoken in advance and you were recommending this and I decided to try it out myself. It was really quick, it took five or ten minutes per place, and it costs about ten bucks apiece. What happens when I need to get a new credit card or I need to apply for a mortgage or something like that? Then what do I have to do?

Sean: Funny you should ask because I, myself, this last summer when our book was in production, had to get a second mortgage. As we were going through the process they came back and said, “We can’t get into your credit files.” And I said “Oh you’re right. I put them on a freeze. Which one are you checking?” Sometimes they don’t go and look at all three. And they said, “We’re looking at Experian.” And I said “Okay.” So I logged into my Experian account and I lifted the freeze. You have an option to lift it for 24 hours, a week, or thirty days. I just put it on thirty days because going through the mortgage process can take time. At the end of thirty days it automatically drops down into the frozen state again. So it’s very simple.

Shawn: That’s great. Does this work for children too? What should people be thinking about?

Sean: The children thing is complicated and it’s scary. A number of industry experts will say that about five hundred thousand children a year suffer from identity theft. Meaning, somebody has taken their social security number and added that to some fake, or their own personal information relating to where they live, and taken out credit under a child’s false identity, using the child’s social security number. So this is not a good situation. Changes are starting to happen that would allow for all of us to, A, contact the three credit bureaus; we all must do this if you have minor children. You must contact the credit bureaus and ask them to do a search on your child’s social security number, to see if there’s a credit file existing. If there is a credit file existing, that’s really bad news. That means somebody has taken out credit. Unless you have a teenager and you have signed off on them having a credit card, otherwise, that’s a bad problem.

Most of the time people are going to discover that there is no credit taken out in their child’s name, and that’s a good thing. You’ve confirmed, at least up to this moment in time, that their social security number has not been used in a fraudulent manner. Here’s where it gets a little tricky. The laws related to this sort of thing are controlled at the state level. It sounds crazy, but it is. About twenty-five states in the nation will allow a parent to ask the credit bureaus to open a credit file there with the bureau in that social security number, and then freeze it. Twenty-five states won’t allow that. It’s been moving in the positive direction, but it’s a difficult situation. If anybody has ever seen credit card applications and things come in the mail in their minor children’s names, that’s not necessarily a sign that there’s credit card fraud happening but it is yet another indication that you might want to contact the credit bureaus and do a search on your child’s name, and just get a little peace of mind that your child isn’t being impersonated by someone. Put the freeze in place if your state allows it. Otherwise, you have to keep checking back from time to time.

Shawn: That’s great information. I want to shift gears a little bit. Let’s move away from protecting your identity for a bit. Let’s just talk about exchanging information. For the people who are going through the divorce process now, they’re often sending to me or to their attorney, or to whomever else, important information that might have addresses, social security numbers or other sensitive communications. How do you protect that and keep that from getting hacked, or keep a spouse from maybe intercepting those communications, or just anyone in general from tracking what’s going on during this deeply personal time with the sensitive information?

Devin: That’s a very important question. There’s a couple different ways you can go about that. I think one thing for people to keep in mind is when you’re choosing a divorce attorney or someone to work with, you definitely want to ask them about their security practices. Make sure that they have methods in place to keep your information secure. Like you said Shawn, you’ll be sending very confidential information and you don’t want that getting out. So the first thing to do is kind of get an audit of whoever you’re working with and make sure that they have things in place to keep you secure. On your end personally, you want to –I’m going to say the word encryption here and I know that kind of scares people, it’s very technical. It actually isn’t anymore as technology has made it pretty easy using encryption and sending encrypted messages. A lot of the times you are sending encrypted messages and you don’t even know it because whatever method you’re using; it’s done for you. For example, iMessage on your iPhone, that’s encrypted by default, and you don’t even know it. If you’re sending a message to another iPhone that is encrypted but you’re not doing anything about it. But just a general overview of encryption, basically what that means is that when you send the message to someone else, to anyone outside of that conversation it would look like a random string of characters, it wouldn’t make any sense. The person that you’re sending it to, has a special key, and they can use that key to unlock the message and read what you’re really writing. That key comes in as the form of a passcode. So you’re entering that in and now you can read the message.

A lot of divorce attorneys in general already have this in place where if you send them a message you have to sign into some sort of secure platform in order to read the message and respond back, not even going through their email if you’re doing that platform. That’s encryption, and if your divorce attorney doesn’t have something like that, there are services that you can use on your own. The one thing to keep in mind is that you both need to be using that service to have those communications between both of you.

Shawn: So what if I want to send a PDF file or an excel file? Is there a way to protect those as well?

Devin: So one thing you could do and especially now, if the encryption thing is maybe too complicated, any zip file you can put a password on that. We recommend any sensitive documents that you’re going to be sending via email, you put it in a zip file, you put a passcode on that and you call the person that you’re sending it to and give them that passcode. You don’t want to be sending that in the same message. It kind of defeats the purpose. Another point we make in the book is creating a separate email address for your financial accounts. The point of doing that is that you don’t want the email address associated with your bank account to be the same email address that you’re using to sign up for retails or coupons, or different newsletters. Chances are if something gets messed up in a data breach, that company could get hacked and all of a sudden your email is now out there for anyone to see. We recommend using a different, private, separate email for your financial accounts that has nothing to do with your name or your birth date, or anything like that. In this case I think it also could work where if you’re going to be sending this important communication you can create a separate email that you only use when you’re communicating with your divorce attorney, or someone else in that situation. Now your spouse doesn’t know that email. I’m sure they know your personal email but they don’t know the separate email that you’ve created. If you’re worried about hacking them in or knowing your password, that way you can avoid that because this is your separate email that you’re only using for your communications on the divorce.

Shawn: I think that makes a lot of sense and I know a lot of my clients have their own email address they use just for divorce communications. Usually it’s just something random that no one knows. When the divorce is over that’s the last time they ever check it. I saw in the news there was an issue with a governor of a state and it has something to do with – I only know the high-level details – how iTunes and iCloud and all of that, the accounts are kind of linked as a family. Why don’t you tell us briefly about the situation and how to avoid information getting shared in that case?

Devin: Now the former governor of Alabama was caught up in a scandal involving a mistress. Long story short, basically what had happened was he was texting his mistress from his iPhone, but he had his iPad linked up to his iCloud. So they were both linked up to the iCloud, he was sending these text messages. So the wife at home was using his iPad and the text messages began popping up on the iPad. All his communications with his mistress were now being read by his wife and she leaked it to the public. That’s how that whole thing happened. I think it highlights a really important point that people don’t really think about.

We have all of these different devices linked to one account, whether it’s iCloud or Google, and it’s super convenient. You can answer a text message on your phone, on your iPad, or on your computer, no matter where you are. When you’re in a situation like divorce you really need to take a look at that and separate your life from your soon to be ex spouse’s life. You don’t want the situation where you’re trying to send these messages or communicate with someone and your iPad is sitting around, and all of a sudden the messages are popping up. It’s important to keep in mind all your accounts that are linked with one another, but also with your spouse or anyone else in your family.

Shawn: In the book you set a really good scene. All it takes to lose, get hacked, or lose a lot of personal information is a single click just on the wrong message or just something you shouldn’t be clicking on; even though it looks like it’s real. Why don’t you tell us a little bit about, I think the term is “phishing”, and how to protect yourself and make sure that anything you click on or put your information to, is legitimate.

Devin: So phishing is probably one of the biggest threats. Chances are you see it every day or even if you don’t see it, you’re getting the messages, your spam filter is just catching that. What phishing is, it’s when a hacker or a malicious person wants to get your information or put malware on your device. What they do is they send you an email. That email appears to come from a legitimate company.

One of the most popular phished companies that we see is actually Apple. I’ll just use that as an example here. So they send you an email that looks like it’s from Apple, it has Apple’s logo, maybe the from line it says Apple Support, and the message will have some urgent call to action. Maybe they’ll say “We need you to update your billing information or we’ll delete everything in your iCloud.” So something that’s going to get someone to act very quickly. Either there will be a link for you to click on that will lead you to a page that looks like it’s Apple and asks you for your first name and last name, and your credit card information, your address, a bunch of information that someone could then go and use against you. Or, it will make you click on a link and that link will secretly download malware onto your machine. That malware can record everything that you do. So anything that you type, your passwords and usernames, are being recorded by a third party. So that’s phishing. There are thousands of phishing messages that go out every single day, and thousands of people fall for it. It’s really dangerous because a lot of them are so sophisticated now that they look real when you first look at it, and that call to action makes you look at it.

We do have a way in the book that we go into a lot more detail to combat that, and that’s called the ten second EMAIL rule. Here EMAIL is an acronym and that stands for Examine Message and Inspect Link. We really believe that implementing this rule in your life can help you not fall for these phishing impacts, and give all your personal information away. How you do that, the first part, examine message. What we teach people is you really need to take a second look at where that email is coming from. So sure, the from line may say “Apple Support”, but is it really coming from Apple Support? The best way to find that out is to simply hover your mouse over that from line in the email. When you do that, a little box will pop up, and it will still say Apple Support, but it will also show you true, full, email addresses. That email address may be just gibberish, a bunch of characters. All of a sudden you realize that email is not coming from Apple at all. That’s your first guess and you’re like “This is wrong.” Once you see that, delete the message, don’t click on anything.

The second part of that is called inspect links. You see those URLs in the emails that you can see exactly where they are actually leading you to. Most of the time it’s hyperlink text or a button that’s telling you to click somewhere. Again, what you’re going to do there is, any URL in the email, you’re going to hover your mouse over it. That same box will pop up with the true destination of that URL. We really recommend you doing this on every email that you get from a third party. Most of the times the email is probably legitimate but this is the easiest way to get in the habit of really taking a look at any messages that you get. If any of them ever seems off, what you should do in that case, if it’s from Apple or if it’s from Google, or from American Airlines is to just go to that site directly and try to take it from there. Don’t click on anything in the email. You can call their customer support and ask “Did you send me this email?” Really start taking a closer look at the message that you’re getting and think about things before you click.

Shawn: I think that makes a lot of sense. I guess it seems like one of the biggest issues is the link can be real too. It will be in blue or whatever the default link color is on your screen that has a URL that’s Apple.com/support, but then when you hover over it you’re actually going somewhere else that you didn’t intend to go it sounds like.

Devin: Exactly.

Shawn: One other area I want to cover, and there is I know a bunch that we can cover and probably could talk for days about many of the subjects in the book. One question that I also deal with a lot is, how do you protect your bank accounts? Particularly if one spouse starts to withdraw a lot of money or is making suspicious withdrawals or transactions in general. How do you protect yourself and are there also things that people should be looking for or concerned about?

Sean: One aspect of the book, we introduce about five rules that address the topic of omniscience or as stated better, financial all knowingness. What we say is that we need to use the technology just like the banks use the technology. They know up to the second how much money is coming into or going out of any of our accounts, or being charged to any of our credit cards, or any other payment. The technology is in place for us to actually know just like the banks do. That comes about by simply logging into your credit card account or your bank account, to implement their alert services. You can find a spot with any of these accounts online, and you can tell them “Send me a text alert every time money leaves my account,” that’s above a certain amount. It can be as little as one dollar. That’s what we recommend. We basically say you want to know the money that’s leaving your account so that when you go to the ATM and withdraw three hundred dollars from your Chase account. Here in New York, before I even finish that transaction, my phone has dinged and I have an alert from Chase that says withdrawal of three hundred dollars. You can do this for your credit cards and any other payment services as well. When you do that you’re at the center of your financial life. You’re seeing the money leaving and it acts as a safeguard. You can monitor what’s going on.

Every now and then you don’t get the alerts instantly but you get it within a few hours. You’ll see it and sometimes you’ll have to scratch your head a little bit and try and remember, what it is. If you start seeing some unusual large or unusual patterns you’ll know, something is not right, and you can investigate further. That is a key aspect of another simple low cost protection that you don’t need to pay anybody else to do. It’s easy enough, you can configure your accounts to do it, and you’ll know exactly what’s going on.

Shawn: What’s the best place for people to learn more about you and the book, and your recommendations?

Sean: If anybody is listening right now and they’re at a computer, they can plug in the URL of hackproofquiz.com. That will roll you over to a page that’s associated with our book site; hackproofyourlifenow.com, and you’ll take a ten question quiz and it will step you through the major aspects of all the topics we cover in the book. You do the quiz, you answer yes or no, and then you’ll get your own personal cyber security score. Don’t be surprised, almost everybody scores low. That really comes out of the first chapter of the book where we have people reading the book do the same quiz. But then we take you step by step through these three major sections of the book to implement a number of the things we just talked about today. If you implement these things, you’ll get some additional points and your cyber security score will literally start to grow, you’ll be much better protected against the variety of frauds and hacks that really increase every single day. That would be our biggest recommendation. Find out what your cyber security score is now, and then start taking these specific actions that will boost your security. You can do that by starting at hackproofquiz.com.

Shawn: Excellent. I’ll provide a link to that in the show notes and also a link to the book on Amazon; Hack-Proof Your Life Now!

Well Sean and Devin this has been really informative. There’s so much in here in the book, and in this episode. Thank you very much for coming on to the show.

Sean: Thank you.

Devin: Thanks for having us.

Thank you for listening to the Divorce and Your Money Show. Visit us at www.divorceandyourmoney.com for a full transcript of this episode and personalized coaching. If you enjoyed the show, please take a moment to leave a review on iTunes, as it will help other people discover this free advice.

Shawn Leamon, MBA, CDFA

Dallas, Texas

Shawn C. H. Leamon is Managing Partner of LaGrande Global, a firm that helps successful families manage large financial transitions like divorce, inheritance and selling a business.

He earned his Bachelor of Arts from Dartmouth College, double majoring in Economics and Philosophy, and his Masters in Business Administration at Spain’s IE Business School.

Before founding LaGrande Global, Shawn helped manage $1.1 billion in client assets at Bernstein Global Wealth Management. He also worked as a credit research analyst at J.P. Morgan. He is a Certified Divorce Financial Analyst, and he has been an advisor to numerous high-stakes divorce cases.

Shawn is the author of two well-received finance books: Managing Private Wealth: Principles, and Divorce and Your Money: The No-Nonsense Guide, both published in 2016.

In his spare time, Shawn is an ultra-endurance athlete and has competed in events as long as 24 hours. He is an Eagle Scout and a member of the Alumni Board of Greenhill School.