How can you protect yourself from hackers? An IBM social engineer offers advice

Stephanie "Snow" Carruthers, Chief People Hacker at IBM, gives advice about protecting yourself online. She also explains how the robocalls and spoofing process works.


CNET and CBS News Senior Producer Dan Patterson and CBS Investigative Reporter Graham Kates spoke with Stephanie "Snow" Carruthers, chief people hacker for IBM's X-Force Red team, about how to protect yourself from cybercrime.

This is part four in a four-part series. Download the entire series: How an IBM social engineer hacked two CBS reporters--and then revealed the tricks behind her phishing and spoofing attacks (free PDF).

See part one, IBM social engineer easily hacked two journalists' information; part two, How cybercriminals trick you into giving your information over the phone; and part three, How a hacker at IBM uses disguises and devices to steal private information.

Dan Patterson: All right, Stephanie, a large part of your job requires that you build trust, build a rapport, and you do that often by spoofing a phone number to appear as though it's coming from a trusted source. It could be a friend; it could be a family member; it could be a bank. All of us have seen these spam robocalls on our phones. Sometimes the robocalls that get me look as though they're coming from my number or a very similar number. You can even spoof how two different contacts could look like each other. Tell me how this process works, and can you show us?

Stephanie Carruthers: Yes, absolutely. You need a mobile app, and I'm not going to tell you which one, but you put in the phone number that you want to call.

Dan Patterson: In this case, it would be, if I were calling Graham, or you want to look as though I'm calling Graham.

Stephanie Carruthers: What I'm going to do in this case is I'm going to call you, and I'm going to have it appear as if Graham is calling you.

Dan Patterson: Okay, and we can show this live.

Stephanie Carruthers: Exactly.

Dan Patterson: You are using a mobile application?

Stephanie Carruthers: Yes.

Dan Patterson: And you're doing all of this hacking from your phone?

Stephanie Carruthers: Yes.

Dan Patterson: So, you are going to make it look as though my phone is being called from Graham's phone.

Stephanie Carruthers: Right.

Dan Patterson: I feel it calling, and it says Graham Kates, but it is, in fact, you calling from your mobile phone.

Stephanie Carruthers: Exactly.

Graham Kates: I think there's something that's really important to point out here, which is that it's not that you designed some sort of program, but it's that anyone can get that app and then do the same thing.


Stephanie Carruthers: It's just an app, and you can make your phone number appear as if it's anyone, which builds instant trust.

Dan Patterson: Snow, you've demonstrated to us that we're absolutely unsafe everywhere. We're unsafe online because you can phish us, you can social engineer us, and you can find our addresses, phone numbers, and other very intimate details about our lives. You've also demonstrated that we are not safe in our buildings, or I would assume our cars, our key fobs, anything that's RFID based that opens locks. And you have demonstrated that our phones are not safe or secure. How do we protect ourselves? How do we not just give up and say, "Everything is exposed, oh well, I don't care about cyber"?

Stephanie Carruthers: That's a great question. How you can protect yourself online is really to stop and think about what you're posting. Do you really need to tell everyone that you're going on vacation? Also, check websites to see if your information is leaking anywhere so you can get that removed. Those two things are very important when it comes to social media. As far as your badges and wearing them outside of the office, there is no reason you need to take it everywhere with you or leave it in your car. It should be hidden so that someone like me or an attacker can't visually see it to recreate a copy or clone it. Those are things that you should really protect and not show.

Graham Kates: Before you came here, you told us that you had some surprises to show us, some things that you found about us that you didn't necessarily want to put in your report, and we're ready to see them.

Stephanie Carruthers: All right. Graham, this is for you, and Dan for you.

Graham Kates: Oh, man.

Dan Patterson: The magical mystery envelope.

Graham Kates: Oh, wow.

Dan Patterson: Thanks for finding our passwords, Snow.

Graham Kates: This is maybe my oldest password. It's one that I've been trying to phase out from like various websites from when I was just like a little kid, and I didn't know any better.

Stephanie Carruthers: Unfortunately, things like this are in data breaches, and if I can get it, so can attackers.

Additional reporting by Graham Kates.

Don't miss this related coverage: A hacker invaded 2 CBS reporters' lives without writing a single line of code (CBS News) | This hacker will trick you, and you'll be glad she did (CNET)

Graham Kates and Dan Patterson interview Stephanie Snow Carruthers at CBS News in New York.