Chantelle Ralevska

Thank you. I'm so excited to be here.

Yes. Okay. Well, I help businesses reduce their cyber risk by delivering education and training.

20%.

Over 90% of cyber attacks are because of human error. So that's where I come in, so educating people like you.

No, no. That is the cliché, but that is not the reality. It is human error. So if we think about some of the biggest cyber attacks that we've had over the past few years, let's take Medibank as an example.

Please elaborate. Yeah. So 9.7 million Australian customer data was breached. We're talking information about whether someone has cancer, if they've had a pregnancy termination, uh, mental health conditions. All of this sensitive data was posted on the dark web.

The, the hacker.

No, we're getting there. Okay. So a compromised username and password. That was the cause of that attack. So this hacker got access to an employee's username and password for Medibank, and they were able to gain access to Medibank and steal that data because of a username and password.

Yeah, that's a good question. You don't know. No, I, I don't know the specific answer for that. But the reality is that most people, they either use simple passwords, which is then easy to crack. It can take sometimes seconds.

I, I've used that as well back in the day before I knew about cybersecurity. Um, but that can take a couple seconds to crack. But also, a lot of people reuse passwords. So if you use the same password across all of your online accounts or a lot of them, and that password becomes breached, like for example, in the case of Medibank, that could have been the reason. And then they access another account because they've, they've found your password online. They'll try it for a bunch of accounts to see if you're using that password across several accounts.

Yeah, it is hard. I don't, I have a different, the answer, the solution, have a password manager.

Yeah. Use a password manager. That's what I use. I have a different password for every single account that I set up and I store them all in my password manager. So then the only password you need to remember is that one password for the password manager.

Yeah. So if we, if we think about what happened really recently with the superannuation scams.

So over 10,000 credentials, again, talking about usernames and passwords, was stolen and they were used to log into a bunch of different superannuation accounts. So again, going back to that element of human error, which is which is what it comes down to, which is why we as the user have so much responsibility in securing our own data.

Yeah, for sure. Well, I think the first thing is that it's not about being perfect. Yeah. It's about improving. Okay. And we're talking about the most basic of things. We're talking about a password. How hard is it to create a strong and long password? That is the most simple thing that you could do.

No.

What about, what about using a password manager?

Yeah. Well, I think that's the danger with cybersecurity today is that it is becoming so much more difficult. And attackers are using things like AI, like deep fakes, to make attacks so much more sophisticated and realistic. So if we were to go back a few years and look at things like phishing, right?

Phishing emails. Back even two, three years is...

So phishing is any attempt to get you to give up information. So it could be in the form of an email. We all see those scam emails that we get where the link here.

That's a phishing email. There's also vishing. So voice call phishing. We get those calls all the time from people.

The at you owe the ATO $79.

Yeah, exactly. That's, that's another example of vishing. Um, so that is what phishing is. Yeah. So, so a few years ago, phishing was pretty obvious to spot.

I mean, not to the extent that people weren't weren't falling for it because scammers make so much money. But now it's becoming so much more difficult and they can, they can perfectly mirror an organization's branding, the way they communicate and make it look like it's coming from that business or that individual. And so now we're, we're seeing that with deep fakes as well. So we joked about it earlier that I could deep fake you, which we should have done for this episode.

Um, but now I can, for anyone who doesn't know what a deep fake is, it's basically any artificially generated photo or a video or audio that can make it look and sound like it is coming from you. So I could get you to say whatever I wanted you to say. It would be exactly in your voice. It would sound precisely like you.

Exactly. Yeah. So I could call one of your close friends that I, that I see online from social media. I could spoof your number. "Send me $5,000 to this account." I could be like, "Hey, it's Nick. I, I've run out of money. My credit card's not working. This is urgent. Please can you, can you quickly transfer me? Here's my BSB and account number." And a friend will be like, "That sounds exactly like Nick. It came from his number. Why wouldn't that be Nick?" And then they go and make that payment. So that's what we're seeing now with deep fake technology. And actually in the UK last year, an engineering company lost 25 million US to a scam like this.

Crazy. So it is more common than we think. It's more accessible now. If we talk about, we're not even just seeing it with scammers, we're seeing it with kids as well. And kids using this technology against other kids in their school, in their grade, generating nude images of them and spreading them. We've seen that online as well now too.

So there's just so many facets to this technology being used for bad.

Yeah. Well, you, you were talking earlier about the the teenage boy with the hoodie on. That is the cliché representation of what a hacker is, but that's not the reality. The reality is that cybercrime is now the number one source of revenue for organized crime.

Really? Really.

Not really, not really. When I talk about cybercrime, I'm talking about things like scamming, like ransomware attacks, those sorts of things.

And I was at a conference a few weeks ago with Microsoft and they were talking about how if cybercrime was considered an economy, it would be the third largest economy in the world just after the US and China.

So to go back to that point about who is a hacker, right? They are, there are different types of groups, but you've got organized crime. Yeah. And then you also have nation-state actors as well. So if we're talking about organized crime, these are crime groups and this is, this is what they do to make money.

There's a, a lot of different names. There's names like Scattered Spider. They have a bunch of random names.

Yeah.

Yeah. You have you have a lot of hackers out of Russia, Ukraine, the US, the UK.

No. It's that cliché. So a couple years ago, MGM Las Vegas was hacked. And it's so funny. You watch the video online and the man's like, "It's terrible. We couldn't gamble today," which is just so funny. Um, but it actually disrupted their operations for 10 days.

They say at the time that it cost them $145 million US.

Just over the 10 days. And that was a group of hackers from US and the UK. This is at least the information that we know. And what they did was they called the help desk at the MGM and they pretended to be an employee and they had all this information on the employee and they convinced the help desk to reset the password for that employee. And so they got access to MGM.

And then to respond to that, MGM shut down a lot of their systems so that the hackers would stop stealing data. And that's what, that's what led to that disruption where they they shut down. They had to check guests in manually. Um, the slot machine stopped working. All of this drama. It impacted not just MGM Las Vegas, but MGM globally. So a lot of the other hotels as well.

And if we go back to that, that was because they socially engineered or they they vished, voice fishing, at the IT help desk.

Yeah. So if we, if we look back at what we were talking about, how they organized crime groups, right? Any objective with organized crime is to make money. Yeah. So a lot of the time they'll hack a business or even just an individual. And if we talk about from a business landscape, they hack a business, they encrypt that data so that the business can't access the data. And then they say, "Pay us X number of millions of dollars to get this data back." Or, "Pay us X number of dollars so that we don't post this data on the dark web." And so if they can't get the money from the organization or the business, then they post it on the dark web because people pay for that data.

So with the MGM case, they stole 6 terabytes of data. So for people listening, that's about 6 million high-def photos, if we're going to put it like for like. And that was information like names, addresses, dates of birth, passport information, credit card details.

And if you think, "Okay, who cares?" But the reality is with that sort of data, you can steal someone's identity and you can steal their life savings and it's pretty devastating.

I have.

Uh, it's actually she was on the news. This lady, I spoke to her, I've spoken to her several times, but she was part of a large Australian breach.

She was sharing her story. She was sharing her story. Yeah, she was on the news sharing her story. And, um, her, her, her passwords, I feel like we're talking about passwords so much. So hopefully this is a lesson for people listening to go and change their passwords. But her passwords were part of that breach and the password for that account that was compromised was then used for her PayPal. So her PayPal was hacked and the hackers used her PayPal account to sell fake Adidas products. So then the US court sued her for millions of dollars. Adidas in the US was suing her for millions of dollars for selling counterfeit products. And she had to go to court for over a year to prove that this was not her.

Because they had used her PayPal to conduct criminal activity. So that's just one example of identity theft in that way. Using your identity to conduct crime because then that falls on you and they don't have, people don't know who they are. They don't have the responsibility. They can't get in trouble for conducting crime. And then the other part is using your identity to steal your money.

Yeah. Yeah. I used to work with a lady actually at an organization. I worked with a few organizations ago. I won't say which one, but she went on holidays and she had swapped her SIM card to a new local SIM in the international destination. And so she wasn't receiving any messages from her bank with with MFA codes, right? So, you know how when we, when we set up our banking, we say, "Send us a code and go see my number."

That's multifactor authentication. Right? So she wasn't getting any of these requests when she was overseas. So then she comes back. She swapped her pin. She swapped her SIM card.

So she swapped her SIM out, you know, when she went traveling. She went traveling. She wanted a local SIM, maybe cheaper rather than paying that $5 a day roaming, those sorts of things, right? So she had no access to her messages is what I'm saying. And so when she came back from overseas, she put her SIM back in and she got a flood of notifications about all of these accounts being set up or money being taken out. And she had no idea. So what had happened was her house was broken into.

They stole her identity documents. And then rather than stealing her TV and her laptop and those sorts of things, they actually broke into her house to steal her identity.

They stole her life savings. They opened credit cards at every single bank with her identity. And she came back from a trip and she had lost everything. Could you imagine that?

Having a good time. Yeah. Almost a blessing.

Yeah. Almost a blessing. She finally got some 10 days of relaxation before coming home to a nightmare.

Yeah.

It's really, it's really hard in those cases because and even with banks now, who bears the responsibility? And that's the challenge. And you don't even want to be put in a situation like that.

Well, so I can give an example. I, I woke up one morning and my credit card had been scammed. And I called the bank and they refunded me. But there was no action taken on my part, right? I didn't give away my credit card details. I didn't click a phishing link. So the responsibility then is not on me. Whereas if, if it's say, for example, you, you click a link, you accidentally put your credit card details into the wrong form.

You've give, you've, you've taken action.

To give that away. So that's sort of your responsibility. Um, so yeah, it's, it's a hard one.

Yeah.

You have to be really careful with where you're putting your information online. So, Theo, no more OnlyFans for you.

I just couldn't help myself. Sorry, Steve. Um, no, but being really careful about where you're putting your information is, is it a legitimate website? You know, there are...

No, I know. I know. It's, it's dumb. It's and it, it's hard. A lot of people think that same way. That's why I would recommend purchasing from legitimate retailers like Amazon and...

Yeah. David Jones, the iconic. Um, or you can also look at trust reviews or product reviews.com. Those sorts of websites. A lot of the time people write on there and say, "I lost money. This website's a scam." So being careful about where you're putting your information. I know with Westpac, they have a dynamic CVC. So your your card details change every single time you go into the app and copy them. So that's another great, great tool to use. So that if someone does say, capture your card details at that point in time, they won't be the same the next time they try to use them.

No, I'm not saying who I bank with.

Oh, okay. I see. Yeah, I see. So, um, no, I'm not saying who I bank with.

It's really challenging. I think that on one end, it's going to be incredible for being able to detect threats and detect unusual behavior by users. So for example, if I log in, I'm an employee at Nick Bell's business and I log in at 3:00 a.m. from Russia. That that's suspicious, right?

But al, but also you can hide your IP.

So but then that still logging in at that time is suspicious. That's an anomaly.

Oh, probably surprises me now. Exactly. Yeah. But from a, from a detection side of things, I think that AI will be great for that. Being able to support cybersecurity experts in the field. And then on the other hand, increasing the sophistication of attacks. Making it harder for individuals. Um, you know, people like us every day putting information into ChatGPT and all these AI tools and not really thinking about the ramifications of it. Or who could access this data that we're putting in. Are we putting in personal data and where is this being stored? And could a, could an attacker access this? So from that front as well, thinking about how we're engaging with AI.

Yeah. Yeah, do. And I, they're definitely using AI to enhance how they engage with people. Right? Because you could think, you're, there's, there's something called sexual extortion. We've all heard about it. They're targeting kids as well.

So what a lot of these actually, it's coming a lot out of Nigeria, which is why I'm bringing it up. But what they're doing is they might text a 16-year-old boy, right? And they have a photo of a young girl. And this young boy thinks he's talking to this beautiful young girl. So innocent that they don't know what's going on. And there's a lack of education as well in schools. Uh, and so now with AI, they could call this, this person and it could look like they're speaking to her. And again, just just making it so much harder for people to spot these things. So I think that it's going to automate a lot of tasks for them, make things more realistic. But I think that human element will always be there because it's not just about the AI that scams an individual. It's also that human component. So I think it's always going to be a bit of both. I don't think it's going to make these people redundant.

Well, it's all about if we, if we're thinking about some of these AI tools, right? It's all about the prompting.

I know, I know. It's hard because when I'm talking about the prompting, attackers can actually inject with malicious prompts and make AI act in a certain way that benefits them. So that's on that front. But then who knows what the, who knows what AI...

Yeah, it could do anything really. Yeah. How do we know what's going to happen in, especially with all this training data that it has access to. It's not just training data from, from the good side, right? It's, it's training data from, from threat actors too.

Yeah, I talk a lot about the most prominent threats targeting them. So for example, things like phishing, social engineering.

Social engineering is very similar to phishing. It's basically trying to get you to act in a certain way to take action. Um, so whether it be giving up your business's data, whether it be like we talked about with the MGM, resetting that password.

So that wasn't actually the super companies. So a bunch of credentials were stolen on the dark web. So usernames and passwords and because a lot of employee, because a lot of people reuse passwords.

It was a password issue.

Well, that's the information that we have to this day. Okay. Yeah. And so I, I was watching this video last week. They were talking to a potential victim about...

Okay. So the attack followed a spike in suspicious activity on Australia Super's website and app. Chief Member Officer, Ross Kurlin had said that the company identified the member stolen passwords were used to log into their accounts in attempts to commit fraud.

No, I haven't. No, I haven't. But I know that, yeah, they do ask for payment in so many different ways because they want it to be untraceable. Yeah.

Yeah, I would say going back to some of the basics. Password, password.

It's so simple. That's why I think that so many times people say to me, "I feel so overwhelmed by cybersecurity." And because we hear about all these, yeah, big terms, all the jargon. The reality is, it's so simple. It, it just really does come down to the basics. So setting really strong passwords that are unique. Okay. To have a password manager for starters.

Yeah. It's so simple. You then, you only need to remember one password. Yeah. Yeah. So how, how hard can that be?

Um, so passwords, setting multifactor authentication on all of your accounts as well.

Isn't it such a pain? Oh, I, I see it as the opposite because I, I see it as, "This is your..."

No, but I see it as, "I can sleep easy tonight knowing that if someone were to try to hack me, they can't get in."

But you said, you said you wake up seven times a night. Could it be that...?

Um, MFA, I would say also thinking about the data that you're storing. So if I, I recently bought a bottle from BWS online and they made me put my full name, date of birth, and all this information. And I thought, "Why do you need to know my date of birth for me to buy this?" But you could just ask for my year. And besides, when I go to pick it up, you're going to ask to check my ID anyway.

Anyway, so I put in a fake date of birth and then I actually decided to return the bottle. So I called up and he said, "You need to give me a date of birth so I can verify the cancellation and the refund." And I said, "Oh gosh, I can't remember what date of birth I used." And he got really cranky at me on the phone.

He goes, "Oh, you trying to scam us? Fake, using a fake date of birth." Yeah.

Yeah, but why should you use a real date of birth? As long as it's over, as long as you're over 18, it doesn't matter. Exactly. And they're going to check, like I said, they're going to check my ID anyway when I go in store to pick it up. So going back to the small businesses, thinking about the data you're storing. Because data is, you know, they say data is gold. Data is not gold anymore. It can put you in a lot of trouble. So not storing all this data that you don't need. Getting rid of data as well, because if you were to be compromised one day, you don't want to be in a position where you have all this sensitive data that can lead you to fines, lead you in legal drama. So I would say getting rid of data as well.

Yeah, exactly. That simple. Well, it's not that simple because depending on the business or the industry you're in, there are legal requirements you need to follow. So you may need to store data for X number of years. Um, but outside of that, yeah. And I, I think one industry particularly is people like psychologists. They're constantly targeted because they have such sensitive data. And I know for myself...

But they don't understand how to protect data and they have this data that is so sensitive to people. Almost worse than physical. Yeah.

Yeah.

So but are they? I don't know. That's another, that's another topic for another day. Yeah.

Exactly. Unhackable. Well, thank you.

Thank you so much.