In part one of TechRepublic’s four-part series “Mastermind con man behind Catch Me If You Can talks cybersecurity,” TechRepublic’s Karen Roby sat down with Frank Abagnale, the famous con man turned FBI Academy instructor who inspired the Leonardo DiCaprio character in the movie Catch Me If You Can, to discuss his work at the FBI’s law enforcement training and research center and what C-suite executives need to know regarding cybersecurity.
The following is an edited transcript of their interview held at Louisville’s Bowman Field Regional Airport.
Why breaches happen
Karen Roby: What do you tell CIOs and CEOs about cybersecurity?
Frank Abagnale: Well, first of all, I tell them that the most important thing that they have to do is educate their employees, and the most important job they have is protecting the information that’s been entrusted to them by their clients. So, that’s the most important thing.
Unfortunately, a lot of people are not trained by their companies, and so they fall for phishing scams, or they fall for social engineering scams over the phone where they give away a lot of information where they shouldn’t. People are basically honest and because they’re honest, they don’t have a deceptive mind. So, when they see an email that looks very official looking, they assume that it is real.
I’ve been an instructor at the FBI Academy for 43 years. I’ve taught two generations of FBI agents who’ve gone through the academy. What’s amazing to me is how much easier crime is than when I did it 50 years ago. It’s actually 4,000 times easier because I didn’t have all of the technology that exists today. So, technology absolutely breeds crime. It always has, and there will always be people who will use technology in a negative, self-serving way.
I’ve been involved in security breaches going back to TJ Maxx 14 years ago, up to Marriott and Facebook just a few months ago. One thing that I’ve learned over my career is that every breach occurs because somebody in that company did something they weren’t supposed to do, or somebody in that company failed to do something they were, excuse me, supposed to do.
Hackers do not cause breaches, people do. All hackers do is look for weak points to get in. So in the case of Equifax, they didn’t update their systems, they didn’t fix their security patches, and that opened the door for hackers.
I live in South Carolina. Someone hacked into the tax revenue office four years ago and stole 3.8 million tax returns from the citizens of South Carolina, which was everyone. After the investigation, it was determined that an employee took home a laptop they shouldn’t have taken home. They opened it in an unrestricted environment, and the hacker got in. So this is why it is so important to educate your employees about the most important part of the job they have, and that is protecting the information that’s been entrusted to them.
The future of passwords
Karen Roby: What is your take on passwords and password authentication? Where is this going because passwords aren’t getting the job done?
Frank Abagnale: Passwords are for tree houses. Passwords are 1964 technology. So, they were developed when I was 16 years old before I did any of the things I did. I just turned 71, and we’re still using passwords, and passwords are the reason we have most of the malware, ransomware, and all the things that are going on.
I’ve spent the last five years on a government project to eliminate the world of passwords, not just in our country, and we basically have done that now. There is a company out in Arizona called Trusona that I advise which stands for true persona. You may have seen an ad where Serena Williams is running through a marketplace, in her jogging outfit, and she only has her phone in her hand. She sees a necklace she likes. So she walks over to a Chase ATM, she presses an app on her phone, she gets her money with no password, no card. Basically, most of all the banks in America are starting to convert to no password.
All of the airlines, all the places that use passwords, it will take two or three years to get people used to no password. So a lot of those sites will come up and say, “You can use your password, or you can not use your password, it’s up to you.” But we’re finally to the stage where we’re getting to eliminate passwords, and that was long, long overdue.
There is no technology, nor will there ever be any technology, including AI, that can defeat social engineering. I used it 50 years ago on a phone to get a Pan Am uniform. I didn’t know I was social engineering someone, but that’s what I was doing, but I only had one form of communication, a telephone. Today there are many forms of communication. So what happens is, for example, there’s a big thing going on right now with the phone companies where I call the phone company, and I say that I’m you. Then I basically have all the security questions answered that they could possibly ask me, and then I tell them that I broke the SIM card in my phone, and I need to have it replaced. So, they send me a new SIM card. I put that in my phone and now I have your phone.
So, I have everything you have on your phone. All of your contacts, all your banking information, all your information. Again, that’s a form of social engineering where they’re using a call center, and they’re convincing that person that they truly are me, but that person doesn’t know other than to ask whatever questions have been put on the computer. What’s your social security number? What’s your mother’s maiden name? These are things that anyone can find out on social media. So it’s not difficult to find all the answers to these security questions.
So consequently, you have to actually teach the employee to understand that the questions they’re asking you, and how they’re answering them, is actually them social engineering you. Then you can stop and say, “You’ve gone far enough. I don’t believe you are who you say you are. You have to actually go in person and identify yourself to someone at one of our stores or somewhere like that.”
Catching criminals today
Karen Roby: How much more difficult is it now for these FBI agents, and people in those types of roles to narrow all of this down?
Frank Abagnale: Well the problem is that the internet has made all of this global. So back when I was doing these things, the FBI was dealing mainly with domestic criminals. So they have the power to go arrest them; they have the power to investigate them.
Today, most of these things happen globally. We have about 5,000 phishing emails every day. Most of the money, about $12 billion a year from phishing emails, goes out to 115 other different countries around the world, such as Russia, China, and India, where they initiate these phishing emails. Even if we know who they are, and we have the address where they’re located, we really don’t have the power to go arrest them, bring them back, and extradite them and all that. So it makes it much more difficult. And that’s why over the years, what’s become much more important is prevention rather than after the fact, because once they steal your money, you’re probably never going to get your money back.
So the whole thing is not to let them steal your money to begin with. We have great technology. The problem is that most companies don’t use it. They’re all of that attitude, “Oh, this will never happen to me. I’m not a big company. I don’t want to spend the money on it.”
And so if you don’t use the technology, then you just open yourself up to that door that opens for the hacker to get in, that’s all he’s looking for.
At the FBI Academy, I teach new agents. I teach our national academies, where we bring law enforcement in to be educated and go through an 11-week training program. But I also teach with the FBI CSO Academy, and twice a year we bring in about 50 CSOs from Fortune 500 companies. They spend a week at the academy, and I teach part of that class while they’re there. This goes back 40 years ago when I used to go out and only speak to bankers about check forgery and embezzlement. I used to sit up there and say to myself, “I must be singing to the choir,” because I would assume that all these people knew everything I was telling them.
And then I came to realize they didn’t know any of it. Well this is the same thing now, 40 years later. I’m speaking to people who are supposed to be the chief information security officer of their company, and I start to realize they don’t know a whole lot.
It’s just some job someone’s assigned them to do, and they’re kind of learning as they go along, and that, to me, is a little scary.