How clicking a single link can cost millions | Ryan Pullen

Episode Summary

In his 2022 talk at TEDx University of Bristol, cybersecurity expert Ryan Pullen sheds light on the human vulnerabilities within cybersecurity, emphasizing that the greatest threats to our security often don't stem from technical shortcomings but from human behavior. Pullen illustrates this point with a personal anecdote about an organization that fell victim to a ransomware attack, which was triggered by a single employee clicking a malicious link. This incident, which cost around 5 million pounds and 14 months to recover from, highlights the profound human and financial impacts of such breaches. Pullen points out that, according to a 2021 IBM study, 95% of cyber attacks exploit human elements, underscoring the need for a more human-centered approach to cybersecurity. Pullen further explores the concept of human vulnerability in cybersecurity through two additional narratives. The first involves his commission to test the security of a well-known building in London, where he successfully bypassed security controls through social engineering, simply by exploiting human empathy and trust. The second narrative recounts Pullen's own experience as a victim of a sophisticated phone scam, where fraudsters, armed with just enough personal information, attempted to gain access to his bank account. These stories collectively demonstrate how easily individuals can be manipulated and how cybercriminals exploit human psychology rather than relying solely on technical prowess. The talk concludes with Pullen advocating for greater awareness and education on the human aspects of cybersecurity. He suggests practical steps individuals can take to protect themselves, such as using unique passwords for different accounts and being cautious about the information shared online. 
Pullen's experiences serve as a powerful reminder of the pervasive and complex nature of cyber threats, highlighting the importance of understanding and mitigating human vulnerabilities to enhance our collective security.

Episode Show Notes

Is cybercrime getting easier? Cybersecurity expert Ryan Pullen dives into his work investigating massive digital breaches and testing security blindspots — which led to him gaining access to the software controls of a well-known building in London. Learn more about how cybercriminals exploit human vulnerabilities and hear the latest on how to recognize and protect yourself from scams.

Episode Transcript

SPEAKER_01: TED Audio Collective. It's TED Talks Daily. I'm your host, Elise Hu. We hear about giant, costly cyber attacks and assume it's the work of the technically skilled. But cybersecurity expert Ryan Pullen points out in his 2022 talk from TEDx University of Bristol that our greatest weaknesses in security don't require technical solutions, but a far more human-centered one. After the break. Ted Talks Daily is brought to you by Progressive. Progressive helps you compare direct auto rates from a variety of companies so you can find a great one, even if it's not with them. Quote today at Progressive.com to find a rate that works with your budget. Progressive Casualty Insurance Company and Affiliates. Comparison rates not available in all states or situations. Support for TED Talks Daily comes from Odoo. If you feel like you're wasting time and money with your current business software or just want to know what you could be missing, then you need to join the millions of other users who switched to Odoo. Odoo is the affordable all-in-one management software with a library of fully integrated business applications that help you get more done in less time, for a fraction of the price. To learn more, visit odoo.com slash TED Talks. That's O-D-O-O dot com slash TED Talks. Odoo. Modern management made simple.
SPEAKER_00: Support for TED Talks Daily comes from Airbus, helping create a better future by leading the decarbonization of the aviation industry, pioneering disruptive technologies, and using new energies. Visit airbus.com to learn more about our journey towards reducing our environmental impact and collaborating to create a supportive ecosystem for innovation. Airbus, pioneering sustainable aerospace for a safe and united world.
SPEAKER_02: I received a phone call from somebody who needed my help. And they explained to me that this organization had suffered a cyber attack. More specifically, a ransomware attack which is designed to both steal your data and make it unusable. It replicates itself throughout the business and can drive you down to paper-based controls. And this was an opportunity that I saw where I could influence something positively. And it was my job to investigate what happened, how it happened, and why. And I saw something that I hadn't experienced before firsthand. In 2017, the NHS suffered something similar, and it cost nearly 100 million pounds to recover. This incident cost around 5 million pounds to recover and took 14 months. Yet, what I saw was the human impact. How this happened, a single individual clicked a link, and a single individual enabled this unknowingly to happen to an organization. Multiple people were signed off sick due to stress, and multiple people weren't able to go to work the next day and carry out their job. Now, for me, cybersecurity is a very technological-focused term, and yet... IBM did a study in 2021, and 95% of cyber attacks use the human element. Now, that's all well and good, but what does that actually mean? It means people can be exploited too. There's no lines of code, and there's no fancy software. Cybersecurity, as far as the media is concerned, may be teenagers in their bedrooms causing trouble, stealing things and learning how to use them. Yet, what people don't see is the impact and how is day-to-day life. And this incident, for me, made me think slightly differently around cybersecurity. And recently I had an opportunity which presented this thought process. I was commissioned to evade security controls for a very well-known building in London. That's a snazzy way of saying break in. And effectively, it was my job to see if I could get past the security controls and get into the building.
And so for me, thinking kind of outside of the box, this building has floor to ceiling doors, 24-7 security team, endless budget for this kind of thing based on where they are. And so thinking slightly outside, I needed to come up with a different plan. And... What I did was I tried to go down the social engineering route, which is the art of kind of deception and making people believe something without the full information. And what I did was I walked in the front door, dressed quite similarly to this, and I was greeted by eight people. I thought, ooh, that's a bit over the top. And it's because every single person should have the right information and should know where they're going. It's very rare for them to be visitors. And this person asked me, why are you here, who are you here to see? And I explained, I didn't have an appointment, but I was here to see a specific person. And they said, yeah, there's no chance you're getting in. And I thought, oh, goodness, I traveled all this way. And yet, what I know is people are empathetic and people want to help each other, right? And so I made up a story and I said I was here for a legal matter and I was only able to achieve what I needed to achieve on these premises. And they said, yeah, sorry, we're still... And I explained the urgency and I made them feel sorry for me. And when I was thinking about giving this talk, I was going to pause and I was going to pretend that I was struggling. And that motion that you would have felt where you wanted to help me or you wanted me to continue is exactly how this person felt. They felt they were stopping me from doing my job, which they were, but not for how they expected it. And so then I pretended to be on the phone in the foyer, pacing up and down, pretending to be aggravated.
And then the manager came across with a QR code for me and said, so sorry. So sorry for the issues. No problem. And they showed me around a side passage away from the two rounds of security. So I had my laptop bag with me with the evidence. And it wasn't checked. And I was able to go in. And I was able to go to the floor that I needed to. And I was paid as a cybersecurity expert to evade the controls of this building, and all I did was ask for access and make someone feel sorry for me. And so that's two very different perspectives. One, the five million pound job and took 14 months to recover where I was helping people, but the second I was the aggressor or the person trying to get in. Now, this is all enabled through the way that humans exist and human behavior. And cybersecurity as a whole doesn't really represent that in a way that is sufficient, I don't think. And so I have one more narrative and different perspective to share. And it's when I was a victim. This happened only a few weeks ago. And what happened was I received a phone call. It was around 8 p.m. I received a phone call from a phone number. And they said, hello, is this Mr. Pullen? And I said, yes. And they said, we've seen your bank cards be used in a different part of the country. And I thought, oh, goodness. And what they explained was, they explained there's been three different transactions and would they like to block them for me? I said, yes, please. That would be really helpful. And I googled the number out of instinct, and it was the phone number from the fraud line in the bank. And something didn't add up. I'm a bit of a pessimist. I don't really trust people. And so I was instantly on the back foot, and they're saying all of these things, and they were confirming my identity. They told me where I lived. They told me my mother's maiden name. And they told me a few other bits of information that a bank would know. And all of this is to build a perception of credibility. Why shouldn't I trust you?
And why shouldn't you be phoning me to help me? And we go back and forth for around an hour and a half. And there was a few things that didn't sit right with me. And so when I was a hold when they were blocking my transactions, I phoned the actual fraud line and I said, is there a way that I can verify their identity? The person on the phone said, they sound very professional and legitimate. And they were. I asked for their name and they had a fake LinkedIn profile. They had a fake crime reference number for me. And me experiencing this firsthand, having investigated things like this on a regular basis, from mortgages and transactions ending up in the wrong place, I knew something wasn't sitting quite right. And the true person put a note on my account, and I explained to the person, can you tell me what the note says, please? That was the first time they got a little bit flustered. And it took them five minutes, and they said, yeah, we'll go and check with the accounts team. But in the meantime, can you tell me the code that it says in your mobile app? At which point, I hung up, got my cards replaced, and I was okay. But these three narratives of cybercrime or scams or... criminal behavior, are all technology-focused with the end goal, but are human-led. And you may ask, how is this possible? Why can this be so easy? I've literally just walked into a building and asked someone to let me in with a fake story. And someone's phoned me up with a small piece of information and built this incredible picture around, OK, yes, I should trust you.
And it's because data has a value in different pockets. And with small bits of information, you can build quite a narrative, as you can see. And so today, what you would be able to do on the kind of criminal underground, if you like, would be buy 1,000 email addresses and passwords for around $6. A cup of coffee in some places, right? That's 1,000 people's account details that you may be able to log into or have tangible information to create a case. And that might be pretending to be Amazon for a password reset. It might be what location you went on holiday, and we're going to do a bit more of a targeted attack that way. And this information is available because of vulnerabilities from a technical standpoint, yet this is to exploit the human behaviours. Take my parents, for example. I think I'm in cybersecurity because my parents give me a balance. My mum is 110% optimist, nothing's gonna go wrong, everything's okay, no one's gonna hurt my little boy and all of this sort of stuff. And my dad's much more on the pessimistic end, where, why do you want to know me? Why do you want this information? And so that balance for me brings kind of both sides of the story. And my mum is the sort of person that would have shared the traditional WhatsApp messages, 250 pounds at Christmas, oh, how lovely that would be, pay for your Christmas lunch and all of those sorts of things. And that then becomes a whole different attack vector because it's coming from someone you trust and they're sharing your link and they're sharing something you might want to click, and you begin to trust it even more.
And so my talk is around really focusing on the ways in which human behavior is exploited and how we can benefit and protect each other. And it's okay to call these things out. And so there's some basic things you can do, such as resetting passwords and making sure you're not using the same password for all your accounts. Because if one of your passwords did get leaked, you would like to know, okay, it's just this one account, and I understand, that's the one I need to look after, when many people will use the same profile for Facebook, their bank, their online banking, sorry, and sites that you can purchase things. So you might be able to go on Amazon and buy an iPhone with someone's username and password, right? Bank account details are stored. And that creates a whole different perspective of risk and cyber crime. And so, for me, I don't believe any generation can avoid this anymore. Children are being raised with iPads and older generations are online shopping because of convenience and accessibility to services they may not have had before. And so I believe that understanding how these things may happen and putting some light on them can really impact the way in which people conduct themselves and challenge when things may not feel quite right. And so, for me, going through this journey and those three different perspectives, the one where I was the person helping five million pounds and seeing people really suffer, the second one where I was putting people potentially in that position, however fully ethically, and I was meant to be there for my job, and the third where I was the victim, it shows that it can take many different shapes based on information. And information can come from social media.
And so, if you're going on holiday to Mexico, say, for your honeymoon, you've saved up all of this money. Wonderful, have a lovely time. Yet, someone you know, or an acquaintance, or you have public visibility of your arrangements, if someone knows that information and they know the bank you may work with, they could phone you whilst you land and say, we've seen your card be used in this location. Now, how are you going to feel if someone's saying, your card's being used and it's you? You're going to feel, okay, cool, yeah, this is me. No problem. And they say, okay, can you just confirm your identity because we want to make sure this is you. Can you just tell me your card number? So you do, and then you ask why you're there. I'm on my honeymoon, have a lovely time. All of these social engineering empathetic side of behaviours. And then you get down into the more conversational elements. Okay, can you just confirm your card isn't going to expire? When does it expire, please? There's many different ways you can pose questions to make people feel acceptance. And then lastly, can you just check the security pin so I know which card I'm going to disable?
And by that time, what you've done is you've told someone you've got money in your bank because you've been saving for this wonderful occasion, and also you're not going to be in the country to do anything about it. And so from a cybersecurity perspective, exploitation can happen in many different ways, and I don't think it's publicized around the human elements enough. And so if you take one thing from today, I ask that you see this as your opportunity to make sure that you protect your own information and your loved ones and your identity online. There's no problem with using social media. All I ask is you consider who you're sharing that information with. The reason being that information is valuable even if it's not to you. It could build a picture and it could cause you some trouble. Consider who you share your information with. Thank you.