A 3-point philosophy for cybersecurity

by Black Hat Middle East and Africa

At Black Hat MEA 2022, Frank Abagnale (Cybercrime and Fraud Prevention Expert) gave us a fast-paced introduction to identity theft and scams – and how organisations and individuals can protect themselves.

Abagnale is one of those rare cybersecurity experts who’s renowned not just within the industry but among the general public, because he’s the real person behind Leonardo DiCaprio’s character in the 2002 movie Catch Me If You Can. Today though, instead of pretending to be a pilot or forging cheques, Abagnale is pushing the needle on cybersecurity – encouraging professionals and laypeople to understand the human elements that make cybercrime possible.

During his keynote, Abagnale shared his three-point philosophy for cybersecurity. So here it is – in a nutshell.

1. Prevention

“Because,” Abagnale pointed out, “once you lose your money, you will probably never get your money back.”

The perpetrator might be caught, arrested, even convicted and given a custodial sentence; but even then it’s unlikely you’ll get your money back. Abagnale cited figures showing that in the United States alone, at the time of #BHMEA22, there was over USD $110 billion in court-ordered restitution that was still outstanding – “and 91% of that money will never be collected.”

“If you make it easy for someone to steal from you – it’s unfortunate – but someone will,” he said. “We have a lot of great technology in the world but if companies and governments don’t use it, then it’s worthless.”

2. Verification

“Today, anything can be replicated, duplicated, counterfeited, deep-faked. So before you part with any money or information, you absolutely have to know who’s on the other end of that device.”

A growing number of organisations are implementing zero trust protocols to better manage the complex boundaries that most networks now have to deal with – with endpoints now in homes and employee hands all over the world. But as it stands, even the tightest tech-based verification protocols still require a level of understanding and diligence from the people holding those endpoints.

Which brings us to the third point:

3. Education

According to Abagnale, “education is the most powerful tool to fighting crime. If I can explain to you how the crime or the scam works; you understand it; you will not fall victim to that crime.”

Abagnale has written several books on identity theft. His first one, Catch Me If You Can (on which the film was later based), was published in 1980, when identity theft wasn’t often a topic of conversation. “Back in those days there were identity thieves,” he said, “but it took a lot of work, took a lot of research; and because criminals are basically lazy, many of them didn’t commit the crime.”

“Today, technology has changed all of that. Technology breeds crime, it always has and it always will, and there will always be people willing to use technology in a negative, self-serving way.”

Education is an essential route to creating more effective and resilient cybersecurity. Why? Because “every single breach occurs because someone in that company did something they weren’t supposed to do, or someone in that company failed to do something they were supposed to do.”

Hackers don’t create breaches. They look for doors that are already open.

Cybersecurity is working at a deeper level

As well as protecting individuals from identity theft and scams, and minimising loss of funds for organisations, cybersecurity has a deeper purpose: to protect the most vulnerable people in the world.

“All of that money that comes out around the world from all of these types of crimes – fraud, identity theft, counterfeiting – all of this returns back to us in the form of narcotics, weapons, terrorism, human trafficking, child pornography. So even when we put a small dent in that number, we save a lot of misery as well.”

In the US, identity theft and fraud cases have almost tripled over the last decade, with a particular uptick in cases since the start of the COVID-19 pandemic. This type of crime can be committed with limited resources, and it can be done quickly; and as more and more data becomes available online, criminal efficiency will only increase. In 2018 more than 2.6 billion identity records were either stolen or exposed globally; and by the time Abagnale stood on the stage at BHMEA22 more than 14 billion identity records were available online and on the dark web.

“That means probably everyone in this room has already had their identity compromised,” Abagnale said.

So it’s not a question of whether your identity will ever be stolen – it’s just a question of whether criminals will actually use it or not. And the easier it is to pretend to be you, the more likely it is that you’ll be the victim of an identity crime.

To illustrate this, Abagnale noted that the cost of buying the identity of a child on the dark web is much higher than the cost of buying a successful, wealthy adult’s identity. That’s because a child has no history and no credit, and it’s easy to step into their identity without being detected. “If I can get the identity of a newborn child coming out of the hospital, by their date of birth, their social security number, their name; I can become that child for 18 to 20 years before anyone would ever know.”

When you look at it like that, there’s no doubt that we all have a responsibility to protect the youngest and most vulnerable people in our communities. Prevention, verification and education aren’t just about protecting adults from financial theft – they’re also about ensuring that those who aren’t yet able to protect themselves have the best possible chance of being secure.
