In this episode of The Cyber Jack Podcast, we sat down with Petros Efstathopoulos, Global Head of Research at Norton LifeLock, to dive into how consumer security online has become increasingly more complicated - thanks to mass data breaches and hackers understanding that social media can be used as a malicious tool. We also discuss how consumers can keep their sensitive data secure online and what the future might hold for cybersecurity in the metaverse.
[automated transcript for your accessibility and reading leisure]
Today Petros Efstathopoulos, Global Head of Research at Norton LifeLock joins us to talk about mass data breaches, the dangers of social media, and the future of the metaverse. All this and more on The Cyber Jack Podcast.
Petros, thanks so much for joining us. Today, we're looking forward to talking about some exciting topics. As always, let's kick things off with a bit of background on yourself and what you're focused on in your role today.
My name is Petros Efstathopoulos. I am the Global Head of Research for Norton LifeLock, which basically means that I'm in charge of a team of very talented researchers, and most of them are PhDs with a lot of expertise in their respective fields. And we are primarily an innovation lab. So, we're building new technologies, we are providing thought leadership for the community and for the benefit of consumers. And we're generally trying to invent the future of security, identity and privacy. On a more personal note, my background is in computer science, I did my PhD at UCLA, specifically in computer science, spend a lot of my time building operating systems and things like that. And I've been with the company for about four years or so. So it's been a great ride.
Well, that sounds like an exciting gig. So today, I know we wanted to start off by talking about the culture of security amongst consumers. How has the explosion of data breaches changed how consumers need to think about cybersecurity?
If we think about data breaches, one thing that we, first of all, need to keep in mind is that typically, attackers are not really interested in one individual, leaving aside certain kinds of targeted attacks, which are not the common case, right? Attackers just follow the money, they just want to make money that's at the heart of everything, it's very unlikely that they will target a particular individual unless there's money to be made. So these types of massive data breaches is exactly the kind of thing they're going for, because they can monetize them more easily, rather than putting time and effort to attack an individual. What's interesting is that the easy way to make money using data breaches for them is to sell the data. So either because they are the original, quote-unquote, hackers that acquired the data or because they got the data some other way, they go ahead, sell it, there's a market for that the prices are very well known. And they know how much money they can make on each individual piece of data.
Now, from the point of view of consumer perception, and the way that consumers need to think about cybersecurity, in the face of data breaches, I would say that consumers should not think about this as much in terms of the traditional security implications, like, Oh, I got some piece of malware on my computer or whatever not, I think the best way to think about it is in terms of their identity when their data is being used, essentially, what's actually being used is their identity, somebody is trying to collect information that's included in those data breaches, so that they can impersonate them, or take advantage of some portion of their identity in order to perform an action that is lucrative that is going to make money. So let me give you an anecdote so that maybe this will help people understand a little bit better what I mean by this many years ago if somebody wanted to steal your identity, and I don't know, issue a new credit card or whatever not.
They needed to perform all kinds of social engineering, they had to befriend you, and try and ask you questions, understand when your birthdate is or whatever not, maybe sometimes people would go through other people's trash in order to maybe find documents and see a bank statement that you threw away or whatever not and collect all the pieces of the puzzle so that they can reconstruct your identity and then go and do something with it. Nowadays, that's not the case. Nowadays, the information is readily available from the data breaches to be purchased online, and then they can go and claim unemployment benefits on their behalf or whatever not which is something that happens very often. So yes, cybersecurity is important. It's the way to maybe get access to the data. But the better way to think about this nowadays is from the identity angle.
Yeah, that is an important mindset shift. So, from the other side, how are hackers leveraging the data that they are obtaining from mass data breaches?
Yeah, everything is about the money. They're doing this to make profit. When hackers gain access to this type of information. One way would be to go and sell it, that's usually what happens. If you have a large amount of such data in your hands, the easiest way to monetize it is to go sell it. For instance, if you go on the dark web and try to buy information like this, it's very easy to find a credit card valid credit card typically goes for about 15, maybe $20, your credit record typically goes for a little bit more than that maybe 30, or 40. name and social security number is pretty cheap. One or $2 should give you a name and a valid social security number for that name. When you have massive amounts of data, and you try to sell it, you make money. And that's typically the way that they will try to monetize the data breach. Otherwise, this is also a marketplace, right.
Somebody else who buys this data, they may want to spend the time and therefore to try and use these credit card numbers or these kinds of personal information like social security numbers, and so on, in order to make purchases in order to issue new credit accounts in order to maybe get loans or do Social Security scams or tax fraud or whatever.
Now, it's also quite common to use this type of information to do money laundering in any case. But you need to also remember that all of this data has a shelf life. At some point, this information will start getting replaced by consumers who have been notified that they're breached, and so on, and therefore the value of the data goes down with time. So from that perspective, the volume, the massive volume from data breaches is actually a big benefit for attackers in order to actually make substantial amounts of money in that respect. And there are certain accounts that are more valuable than others.
So for instance, if you're able to provide a full bank accounts, credential so that they can go into your bank and issue a new loan, that's obviously more valuable than other things.
It seems like hackers are becoming more and more creative with the ways that they're leveraging this type of data. So how can consumers protect themselves and educate themselves about cybersecurity and ensure that their data is secure?
That's a great question. There are a few things that people can do. And to some degree, it's a little bit of a, let's say, canonical list of things in recommendations for consumer. So just to name a few things, having a good set of security, privacy and identity protection tools is a very big deal. That would be your typical AV suite, or VPN solution, or a solution that helps you with online tracking for your privacy, and so on. Another very good tool that is highly recommended, and it's highly effective with respect to these things is a password manager. I'm very big on password managers, because they allow you to use very complex passwords, and not actually repeat the same passwords at the same time, because using a password manager, you can store all that stuff. And they're very easy to use and readily available. And of course, consumers need to follow best practices. And those have been published in many outlets. Be careful about using public computers use difficult passwords and so on. But aside from these obvious tools and techniques that consumers should use to stay safe, I would want to take a little bit of a step back here and discuss why this is still such big of an issue.
We have a lot of vulnerabilities, we have a quite big attack surface in terms of our technology and our computing systems, their software defects that hackers take advantage of, and so on. But at the end of the day, as we say, in the security industry, the biggest vulnerability continues to be the human element. People often make mistakes or make bad choices, click on the wrong thing, open the wrong attachment and so on. And humans are naturally inquisitive and curious, and they enjoy convenience.
And there's nothing wrong with that. But the problem is that this may lead to some bad decisions as they go around the internet and their daily sort of digital life. Again, the issue of human understanding and human instincts is what comes in this environment of digital conduct. So let's think about this in terms of metaphor, right? So in the physical world through natural instincts, or many years of conditioning, we have been trained to identify the telltale signs that tell us when we are getting into a dangerous or suspicious situation. When we are working at night and you see a dark alley, you know that this may be a bad idea like to go down that alley. Or for instance, if you're sitting in your living room, and you see some people looking at you through the windows, you have an immediate, very instinctive reaction. that this is not acceptable, this is a threat to you and your well-being and your safety.
The problem in the digital world is it is very hard to map these instincts, this trust or lack thereof into a digital version of that. So if somebody is tracking you online and seeing everything you do, and every website you go and everything you buy or browse, that's essentially the equivalent of somebody looking through your window. But it's really hard for people to develop the kinds of instincts and the kinds of reactions that we have in the physical world.
I'm sure that with time and generations get more involved into the digital world, we will develop those kinds of instincts. But it takes a little bit of time and effort and education in order to have those kinds of reactions to threats online. What I think is the most important element in the effort to protect consumers from these types of threats, is to educate them and help them develop those kinds of listings similar to the ones that we have in the physical world. And that's hard, it takes time. And consumers need assistance in doing that, and being able to sort of exercise their cyber safety instincts and their cyber safety muscle, which is why the community and experts are here so that we can assist them, provide them with the right tools, remind them at all times what is safe and what is not safe, what are the best practices, and so on and so forth.
And speaking of safe, one of the things that most consumers have in common is that they all use social media. Can you talk a little bit about how users should protect themselves while using platforms like Facebook, Twitter, and LinkedIn, and why hackers target social media accounts?
Right. In computer security in general, there's this notion of what we call an attack surface, which basically means what are all the opportunities that an attacker has, in order to attack a system, whether the system is a technical system, like a computer, or a network, or the system could be an individual. What's happened in recent years, is that what we call the individual's the consumers attack surface has expanded very quickly and by a lot. What I mean by that is that the ways in which a malicious actor can attack an individual in order to steal information or valuable data, or in order to lock down their computer with some ransomware, or whatever, not all the opportunities to do that have expanded a lot. And part of the reason why is social media. Because on social media, we put a lot of information a lot about us remember the example I gave earlier, regarding collecting information back in the day, you had to do a lot of work in order to get information about an individual if you wanted to steal their identity or whatever known. Now they do it for you. Right, they volunteered information.
So, at the high level, we could say that the issue with oversharing, or the fact that we have multiple platforms that where we share some piece of our identity puzzle that somebody can kind of put together by collecting all this data. That fact is what we call the problem of an expanded the back surface. So again, going back to the identity protection, best practices, we really need to think about how much information about our identity are we exposing through social media, and what opportunities this exposure offers to the attackers, whether it is somebody who wants to steal our identity, in order to go and apply for a credit card, or whether it is somebody trying to manipulate our view of the world and try and give us biased news or biased information and eventually, essentially affect our choices and then be able to steer them in a certain direction. There's been a lot of conversation around threats to democracy and how we can protect people from misinformation and things like that. And that's also a very, very big problem. But leaving that aside, even for financial security and financial, let's say implications, yes, you may want to put your birthday on social media so that people can wish you happy birthday and send you nice photos or animated gifts or whatever not.
But at the same time, you need to remember that your identity is this important piece of identifiable information that everybody asks when they're trying to verify who you are, before you make a financial transaction. For instance, you're just volunteering that and putting it out there in a system where you can't really verify trust in the same way that you do in the physical world. In the physical world. I share my birthday with people that I trust because I know who they are, whatever not in the digital world the mapping between physical and digital Trust is not as straightforward, as I said earlier.
And a final question to wrap up our conversation and shed some light on the future: as new companies begin their attempts to build the metaverse, how do you foresee that changing consumer cybersecurity and data privacy?
Yeah, that's a fascinating topic. First of all, let's say that this is an ongoing journey, right. So it remains to be seen how things are going to play out. But my understanding of it, as me and my team are thinking about it and following the developments is that the metaverse reality is kind of a really, really fascinating future for all of us. It opens opportunities for learning, for entertainment, and all kinds of other things. But from a security and privacy standpoint, I'll go back to the notion of an attack surface, it further expands the attack surface. And we need to think about in what ways it expands it. So what new opportunities it opens for bad actors to try and attack individuals. And we also need to think, what would be the protections against those kinds of attacks. So let me give you an example. Let's say you are participating in a Metaverse virtual experience, and other people are participating as well, possibly people that you don't necessarily know, you need to have a way to first be able to represent your own identity in a way that's safe and secure, but verifiable, for others to be confident in, in that identity you're representing. And at the same time, you need to be able to protect yourself from any kind of identity theft action.
So let's say we're in a virtual events. And I want to demonstrate to you that I am who I claim I am and that I live where I live, and that I'm a real, legitimate person, and do so in a privacy preserving manner. Right? So we need those mechanisms proactively that will enable users to have those interactions safely. And vice versa. We also need the ability to recognize when somebody is impersonating someone or somebody is trying to create a persona that is far from the truth and has malicious intent. I'm not trying to say that the metaverse is bad or anything quite the opposite is a fascinating future reality for all of us. But we need to think about the issue of identity in that environment. So let's say jokingly, I can say that let's say you go to a virtual Metaverse bar, and you meet the virtual bouncer at the entrance of that bar, and you need to prove to them that you're of legal age, how does that transaction take place in a safe manner? How do you know that they are who they say they are? And that you are safe to share those credentials with them. And how do they know that the credentials you're sharing are actually correct and true. We need some new primitives, some new mechanisms to facilitate these transactions without violating privacy and other right the users.
There it is. Petros thank you so much for coming on the show. We'll be sure to keep an eye on the metaverse. To all of our listeners, we'll see you next time.