They say that crime doesn’t pay, and that’s often true – but some former hackers have enjoyed lucrative afterlives as security consultants, once they’ve finished their jail time. Others have drawn on their experiences to write novels. Many end up authoring nonfiction for consumers and business owners looking to protect themselves from…well, people like the author.
To some, the ethical merits of hiring former fraudsters to do security work are debatable. Regardless of your moral proclivities, though, it’s hard to deny the former criminals’ expertise. Here are four surprising lessons that these cyber criminals-turned-good-guys have to teach us.
1. Stealing your identity is easy
Actually, it’s embarrassingly easy. In his book The Art of Invisibility, former hacker Kevin Mitnick says that an average hacker can commit identity theft using a computer or mobile device in just 60 seconds. Most “private” information is accessible through databases maintained by information brokers. Mitnick, who’s known as the “world’s greatest hacker,” says that most fraudsters can use these databases to access social security numbers, birthdates, addresses, and phone numbers. This personal information can then be leveraged in account takeover (ATO) attacks.
And it doesn’t stop there. You probably remember when John Podesta, Hillary Clinton’s presidential campaign chair, fell victim to a hack that claimed his emails, which were then leaked throughout the campaign – but Mitnick says that with the right training, a 14-year-old could have committed that attack. Hackers aren’t usually the sophisticated, high-tech characters we see in movies, he explains. Just about anyone is capable of manufacturing a legitimate-looking link that, once clicked, exposes the victim’s information.
2. When it comes to online safety, people are the weakest link
Though hackers may disagree on the best methods for duping a victim, they all agree on one thing: human fallibility. Cybercriminals often attribute their success to their victims’ carelessness, regardless of whether those victims are businesses or individuals. In his book Kingpin, hacker-turned-security-consultant Kevin Poulsen describes how a group of cybercriminals exploited careless businesses and their employees to steal credit card numbers.
As these criminals discovered, internet security systems can be consistently dependable, but the people operating them sometimes can’t. The hackers of Kingpin – and Poulsen himself – relied on social engineering to carry out their dastardly deeds. Instead of spending time and resources building programs to infiltrate personal or corporate accounts, the cyber criminals simply tricked people into handing over private information.
3. Online safety is impossible to guarantee
How do you make sure your data is safe online? Former cybercriminals get this question a lot. The more information people store online, the more they fear that a fraudster might get ahold of it. As reformed hacker Mark Abene explains, it’s a catch-22: as technology gets better, fraudsters get better at what they do. So, how do you guarantee your safety online?
Former hacker Kevin Mitnick says that short of completely erasing your online presence, it’s impossible to 100 percent guarantee online safety. And to completely disappear online, you’d have to take three difficult steps: first, scrub your devices of their IP addresses; second, obscure your hardware and software so fraudsters can’t figure out what device you’re using to get online, and third, create anonymous email accounts that aren’t associated with your social media, online payment programs, gas or electric bill, student loans, or anything else.
4. Understanding cybercriminals is the key to beating them
Robert Schifreen, a former hacker and author of Defeating the Hacker, says “[t]here’s no such thing as an unhackable network.” But by understanding how cybercriminals operate, he explains, businesses and ordinary users can beat them at their game. The bottom line is that hackers and fraudsters want to maximize gains while minimizing effort. What does that mean for businesses and consumers? You can deter fraudsters by making their lives just a little more difficult.
Former cybercriminals agree that there’s no way to guarantee your privacy online, but they also cite one reliable method for keeping would-be fraudsters at bay: multi-factor authentication. Multi-factor authentication secures your data by requiring more than one piece of information to confirm your identity, like a PIN and a password, or a passphrase and an answer to a personal question. Cracking this extra layer of protection requires more effort than a typical hacker is willing to invest.
Businesses that require employees to use multi-factor authentication are less likely to suffer data breaches. That’s why reformed cyber criminals insist that companies and lay people use it to secure their data. In fact, Kevin Mitnick goes so far as to say that Podesta may have prevented the email hacking scandal just by enabling multi-factor authentication on his mobile device. No one can say for sure whether that’s true, but why take the chance?