This week, I got a fascinating — and sometimes scary — look behind the scenes to see and hear about things we normally watch in action or spy movies.

A professional break-in artist showed me some tools of his trade he uses when companies and others in the U.S. and internationally hire his firm to see if he can break into their businesses.

Some really tech-savvy guys showed me some websites on the “Dark Web” where things like PayPal and eBay accounts are being bought and sold.

Luckily, these are the good guys.

They work for TrustedSec, a "white-hat hacking" and cybercrime intelligence group based in Strongsville. TrustedSec was founded by former NSA hacker David Kennedy, who also is an adviser to the "Mr. Robot" show. The company does everything from hacking into phones and car systems to ethical hacking and “social engineering” tests for large organizations, which is a fancy way of saying the professional break-in artist uses different methods, such as dressing up as a delivery person to convince someone to let him into a secure high-rise building in New York City.

They also hunt criminal groups in the Dark Web, and monitor the latest advances in malware.

Data breaches seem to make headlines constantly. The latest — and possibly one of the biggest ever — involves Marriott/Starwood hotels. Information taken from 500 million guests included names, phone numbers, email addresses, passport numbers, dates of birth, credit card numbers and card expiration dates.

Alex Hamerstone, governance risk and management and compliance lead for TrustedSec, who helps companies build security programs and assess them, said our information is in so many places that it's only as safe as the companies that are storing the data.

It’s really tough to fully protect yourself unless you live by yourself in a remote cabin and use cash, but even then you still have to pay taxes and share information, Hamerstone said.

Hamerstone and his colleagues did provide some good tips that we as consumers can still follow — many of which I’ve discussed in previous columns — to best protect our information.

That includes placing a credit freeze for yourself — and for your spouse, too — if you haven’t done it already. Freezes are now free to place and lift, so there’s really no monetary reason stopping you. For more information on credit freezes and how to place them, you can go to www.tinyurl.com/BettysBestTips.

But Hamerstone also said it’s important to keep in mind that “the sky is not completely falling. One point I always want to make is in our industry especially, there’s a tendency to victim blame. When someone gets scammed, you say, ‘Haha, you clicked on (something wrong).’ I hate it. But the fact of the matter is they are the victim of a scammer and they sometimes don’t want to report it because they’re embarrassed.”

Scammers purposely prey on people’s emotions — like the grandparents’ scam, where the scammer pretends to be a grandchild in crisis — or are hoping you are not paying close attention in your busy lives and will let down your guard, he said.

“No legitimate commerce is conducted in the form of iTunes gift cards,” Hamerstone said.

What often happens is that people fall victim to a phishing scam, where they click on an email that looks legitimate. With the click, they may open up their computer to malware or hackers, who can get information and start sending messages to contacts to find further victims. Recently, I was told of a former colleague who got a text message from what she thought was her boss that addressed her by name. But it wasn’t her boss. TrustedSec's Tyler Hudak said it's likely the phone wasn’t hacked, but the boss’ iCloud or other type of account with contact information got hacked.

The Dark Web

TrustedSec and firms like it are hired by organizations ranging from small businesses to large national and international companies, in cities all over the world, to help them with their security. We were joking during the interview that if I’m hiring TrustedSec as a company, I probably want to see Hamerstone since he’s helping me build my security programs, but I don’t want to see his colleague, Hudak, who comes in after the client has been hacked.

TrustedSec and its employees do “ethical hacking or white-hat hacking.” Companies pay TrustedSec to break in and find vulnerabilities before the hackers do.

You can’t just Google the Dark Web, but Hamerstone said the hackers know where to go and most of the sites are hidden.

“The stuff that is on there is ridiculous. You can go out there and buy packages of information. You can buy credit card numbers in a package from a certain ZIP code from a higher than average income,” he said.

Hudak showed me a few Dark Web sites, such as one where PayPal accounts and balances were being sold and bought.

“A lot of times what happens is when a website gets hacked, the attackers will go on and grab the database and post that to underground forums to say, ‘Hey, I hacked this site.’

“The attackers are smart. They know that people re-use passwords. If you use it to log into Gmail, chances are you used it to log into PayPal,” Hudak said.

Beacon Journal consumer columnist and medical reporter Betty Lin-Fisher can be reached at 330-996-3724 or blinfisher@thebeaconjournal.com. Follow her @blinfisherABJ on Twitter or www.facebook.com/BettyLinFisherABJ and see all her stories at www.ohio.com/betty