We’ve seen terms like hacking, cybersecurity and DDoS explode into our popular vernacular and for good reason. Real cyber-attacks have increased exponentially in the past 12 months, and the growing fear of them has gone off the charts. Still, many of us do not incorporate simple, best practices when it comes to things like creating passwords and engaging with social media. The book Hacked Again details the ins and outs of a cybersecurity expert and CEO of a top wireless security tech firm, Scott Schober, as he struggles to understand the motives and mayhem behind his being hacked.
Excerpts from Chapter 1: Cash in the Mattress
For small businesses to be competitive, they need to align with a strong bank. This allows a company to borrow capital, pay bills, and maintain a trusted source to safely hold valuable funds as their business grows. My parents, Gary and Eileen Schober, opened Berkeley Varitronics Systems’s (BVS) bank account back in 1973 at United Jersey Bank in Edison, New Jersey, when I was only four years old. BVS was one of the very first corporate accounts opened at United Jersey Bank. Back then, it was not uncommon to walk into a bank where everyone knew everyone else and were on a first-name basis. This provided a level of comfort in knowing who was watching your money. There was an implied level of trust when you saw those familiar faces, and you felt secure.
BVS continued to grow, and United Jersey Bank grew as well. United Jersey eventually bought out its rival, Summit Bank out of Summit NJ, but kept the Summit name. In the early 2000s, Summit Bank was acquired by Fleet Boston and kept the name Fleet Bank in New Jersey. By 2005, Fleet Bank was acquired by Bank of America (BoA) in a large transaction. Needless to say, the friendly local bank that BVS trusted for decades has changed significantly: it’s now a goliath of a bank, not at all reminiscent of the early days of personalized small business banking.
It was late in 2012 when I logged onto BVS’s Bank of America (BoA) account and noticed multiple unfamiliar transactions. Since we had several debit cards corporate officers used for travel and trade-show expenses, I figured the charges were legitimate, albeit unknown to me. Upon closer inspection, though, I found many charges originated in states where no trade shows were scheduled. Something was not adding up. My eyes began to scan down the screen, seeing transaction after transaction of numerous unfamiliar debits from our account. Disbelief was followed quickly by disgust, and I blurted out the only thing I could see in front of me and the last thing I wanted to hear:
“We’ve been hacked.”
I immediately called our local BoA Edison branch that we have dealt with for decades and reported the breach. Even though under $10,000 was stolen, it was still a painful ordeal I never wanted to endure again. The process involved writing several letters to the bank and credit-card issuer, along with providing copies of invoices for our legitimate transactions so the fraudulent ones would stick out like a sore thumb.
Trying to prove a transaction is unauthorized is futile, as no documentation ever exists to show what you did not do. This process, although lengthy and distracting, provided a valuable lesson to me as a small business owner: It is essential to maintain copies of all banking and customer invoices so that if you ever do suffer a breach, you can quickly work toward resolving it with well-organized documents to back your case. In the end, we jumped through all of the bank’s hoops, and after three long months, we received one hundred percent of the stolen funds back.
During those three months, we could not use our company debit cards and waited until they issued new cards. For credit card transactions during that down time, I used my personal card for purchases and was reimbursed from BVS. This proved to be a bad idea, as my personal credit card also became compromised. I realized I was not just the typical consumer being targeted, but that the hackers were now targeting both my company and me as a cybersecurity expert. This was personal.
Before I go further, I want to quickly clarify some terms: Almost all credit card users have experienced what the banks and card issuers call fraud, which is why they have fraud departments. But what you may not realize is that all of these fraud claims and thefts are the result of hacks perpetrated by hackers. These might not be the images of hackers we have come to know through popular movies and TV of the evil criminals sitting in front of terminals all day writing code in some dank basement. Hackers don’t actually even need a computer, just some basic social skills and the audacity to use someone else’s money or identity to steal for themselves. Social engineering is an effective tactic hackers employ that involves tricking individuals to break normal security procedures. When someone uses your credit card to make an unauthorized purchase at a retail store or a website, they are socially engineering the situation to fool the store into believing they are you. Some might see it more as a con game or simple theft, but make no mistake: these thieves are manipulating people and policies in order to control the technology behind it all. That is the essence of hacking.
During the investigation of the BVS hack, we discovered our debit card was compromised (meaning a hacker stole our debit card information as we purchased items online) on a website we did not normally frequent. Unauthorized debits appeared all over our bank statement. The hacker took our credit card credentials and sold them on the dark web, along with thousands of other victims’ compromised credentials. The dark web is the term for a portion of World Wide Web content that is not indexed by standard search engines and is generally attributed to hacking and illegal cyberactivities. Cyberhackers can search forums in the dark web for particular individuals they want to target, and it seemed likely my name was on their list.
I relentlessly pushed the bank’s fraud department to explain what we could have done differently to prevent the breach. They emphasized that we should only deal with companies we know and have worked with in the past. The irony of this statement from BoA was not lost on me. Here we are dealing with a bank that we used to know intimately, and through numerous name changes, buyouts, and mergers became a veritable stranger to BVS for all intents and purposes. Now they are telling me to only deal with people and companies I know and trust. I can understand why many people have lost their faith in banks altogether and store their hard-earned cash under their mattresses. Realizing the pain of moving all our company assets to a different bank, we reluctantly agreed to the bank’s recommendations and trudged through the process of getting new cards issued and new passwords. It was back to business as usual – or so I thought.