Email Security Hits Home For CEO, Mike Kupfer

How I Stole Everything From My Brother While He Was Laid up In A Texas Hospital ICU. 

Ok first off, while the rest of this story will be a true story about my personal experience with handling my brother’s financial life over the past 6 months, the title is…well, a bit of click bait. In fact, it should be titled “How I COULD have stolen everything from my brother while he was laid up in the burn ICU.”

In fact, as my mother’s favorite child and a good brother, all actions taken with my access to his financials were to his benefit. However, had a “bad actor” received even the small amount of credentials I had been given, they could have wreaked a lot of havoc on my brother. Honestly, with much more ease than I would have ever expected, and I have been around IT security for years.

On July 19, 2021, my brother was in a terrible accident. A house fire from which he honestly had no business surviving. The first day we got to the hospital, we were told that if he was to survive, we should expect an extended stay in the burn ICU. We were told to expect months.

While his health was of the utmost importance in those first couple of weeks, I did know that his laptop, wallet, and phone had been left at the site of the fire, and since the home was left pretty much unsecured, it probably made sense to make sure my brother’s credit was locked with the credit agencies and his financial accounts were monitored.

Every week or 10 days there would be a day or two that my brother was able to communicate, although admittedly not very well. When the first of those days came, I was able to ask him his login and password for his Yahoo email account, his main email. He struggled to remember the exact password, but after a few guesses I had access to his account.

The rest of this story should be read as a cautionary tale that someone even with simple e-mail credentials can cause great harm. You might think all of your vendors make it difficult to hijack your account; I did. While managing my brother’s finances, I found out this is not always the case. Here are some of the “cracks” I discovered with the different types of institutions.

Credit Agencies

The first place I called was the credit agencies, to put a stop on any attempts to run a credit report in his name. Remember, at this point I don’t have official power of attorney because he has yet to have a fully coherent enough day to do paperwork (nor the use of his hands to even hold a pen).

I started with the credit agencies, and these were the only companies where I said that I WAS my brother. Since I had his social security number, his birthday, and access to his email, I figured I could pull it off. For the most part I did, but to their credit, they asked me a handful of questions specific to his credit in addition to the traditional credentials. For instance, they asked which of the following streets had he lived on in the past 10 years and offered multiple choice. These questions I would not likely have known, and my cover would have been blown. However, my niece was sitting next to me, and SHE knew the answers to these questions. 1st MISSION ACCOMPLISHED: we got access and were able to put a freeze on his credit.

It taught me something though. Getting access to his banks and credit cards might not be so easy even with his information. I decided moving forward that I would always come clean and tell the customer service people I was calling that I was in fact Mike, and I was calling on behalf of my brother, but had all needed information. This is when things began to get interesting, and a bit scary.

Credit Cards

My brother had a lot of credit cards. He liked to have a couple he would use for expenses and getting points etc., and others with small limits that he used once a month and paid them off just to get his credit rating boosted. There were some differences in how these banks dealt with my requests to get online access so that I could manage my brother’s account. Most secured the account with a basic username and password, and email as a 2nd form of authentication. Since his email was almost always his username, all I needed to do was request a new password and the system would send a new “reset password” link to my brother’s email, which I had access to. Bottom line: on most of these accounts, having nothing more than a story and email access, I was able to take over access to his credit cards as if I was him.

Cell Phone

This was my favorite. I did not have a login or password. I called in and told the customer service rep that I was calling on behalf of my brother and looking to get access so that I could replace his phone for him. (I actually needed this because some companies with stronger procedures required his cell phone for the second authenticator and not his email.) They did ask if I had his PIN, which I literally guessed. He CONFIRMED that was the PIN. However, he insisted that he “get approval” directly from my brother. So even though I explained that my brother was in the hospital and getting him on the phone was not an easy task, they made me get him on the phone and give a verbal ok to allow me on his account. Even though my brother was not able to remember his PIN, because the service manager had confirmed it with me, I was able to text it to my brother’s nurse and tell him to give that PIN. This seems like a decent policy, but honestly, I could have had him call me on a different phone line or an accomplice, so it seemed kind of stupid to require speaking with my brother. At least I was not just able to talk my way into a representative changing security protocol.

Banks

Banks were also an interesting bunch. My brother banked with 2 banks. One of which I was getting nowhere with until I had full Power of Attorney. So, from a security standpoint they were solid. The other bank was one that my brother had a relationship with. He would like to go into the banks and talk to people. That is just how my brother is. When I called them and tried to get access to his accounts, I was amazed at just how close a relationship could have become a security breach had I been a bad actor. Basically, when I called the bank, they had heard about this fire and when I told them it was my brother’s home, they were very eager to help in any way. They did have their security protocols but since they knew my brother, I had them looking into how I could get access to his online accounts. At one point, I was told that when the teller who knew my brother came back from lunch, she would call me, and I could put my brother on the phone so he could give a verbal approval of my access. If that teller “felt comfortable” with the person on the other end of the line “was in fact my brother” then I could have the access. I was shocked but wanted the access. So, I kept my mouth shut. When the branch manager did call me back, they told me this would not work. NOT because it was a security risk, but because at that branch, they did not have the ability to record calls, and so there could be no record. So, they inadvertently avoided basically giving me access and probably breaking bank security protocol.

Financial/Crypto Currency Account

When it came to gaining access to my brother’s crypto currency account, the security was solid. Perhaps too solid. I had to jump through so many hoops (with very little customer service help but via email) that it literally took me over a month, and a physical trip to my brother in Dallas to finally gain access. My advice on these types of accounts is not so much about how to improve your security, but rather make sure you UNDERSTAND their policies and prepare for another party to be able to get access if needed. This account was one of the most important that we get into as it had a majority of his available funds, yet it took me almost a month to get access because their security is so tight and not really set up for an emergency like the one my brother was in. If you have money in a particular account, make sure you know their access policy and prepare for that. There were literally days I thought I might never get into this account for my brother. I don’t mean that figuratively.

CONCLUSIONS

  • FIRST AND FOREMOST – PROTECT YOUR EMAIL CREDENTIALS!!!

So many companies use email as the main way to verify a request for a new password. If a bad actor has this data, they can call every vendor, bank, credit card, or personal contacts and see if having those credentials can get them other more private credentials. What I found out with this experience is they can, and not with much more effort than requesting a new password and then locking you out. Having a managed IT provider in Chicago take a look at your email protection status is a great idea.

  • DON’T USE THE SAME PASSWORD OR PIN NUMBERS FOR MULTIPLE VENDORS

How was I able to “Guess” my brother’s cell pin? Easy. I know he is a Cubs fan and he had used a couple of Cubs player numbers as his 4-digit code. He had used the same code with another vendor I had earlier gained access to and so I had a good idea this would be the same and BAM- It was. If you MUST use similar passwords for convenience, use a password scheme that is easy to remember but would make each site unique. For instance:

  • The name of the service, followed by
  • Your birthday followed by
  • A dollar sign

So that your login to Amazon might be (if your b-day was March 25th) Amazon0325$. Then on your Life Insurance website it could be Insurance0325$, and so on. Pro tip on this idea: use tiers of difficulty in your password schemes so that, let’s say, the sample above would be good for all less threatening websites, but use a more difficult scheme for your financial and banking sites. Things you FOR SURE do not want people to get into. For those you might do something like:

  • The service name, followed by
  • Your mom’s full birthday, followed by
  • Your dog’s name, followed by
  • Two #.

So that might look something like Banking062938Fido##. MUCH more challenging to crack by man or machine.

  • KNOW THE REQUIREMENTS FOR ACCESS FOR ANY VENDOR FINANCIAL OR OTHERWISE AND PLAN FOR EASY ACCESS FOR SOMEONE BESIDES YOU.

My brother (like many people) was not fully prepared for a months-long hospital stay. Really it is mostly the financials that can get sort of tricky, and they are likely to be more sticklers regarding security compliance (although not always). Find out what they would ask for if YOU were not able to physically get access. In my brother’s case he lost his wallet in the fire. Had I known how important a copy of his driver’s license would have been in receiving access to his crypto account, I could have made a copy and kept it in a file in my home in case of emergency. Luckily, while he was in the hospital, access to this money was not all that important, but had he needed this money sooner than “eventually” it could have been a problem since it took over a month for me to gain access.

  • IF YOUR ORGANIZATION NEEDS OUTSIDE HELP WITH SECURITY DON’T HESITATE TO PLAN FOR THIS.

No matter if you have an IT staff internally, use a Managed Services Provider (MSP), or have a combination of both similar to Black Diamond’s Co-Managed Services, make sure you are consistently planning, executing and if need be, adjusting your defense against bad actors looking to cost your organization money.

My brother is still in recovery. He is doing as well as can be expected, perhaps even better than expected, which is great. He is back to handling his own credit cards and bills and has changed a couple of security habits.

I am pretty sure he is grateful his brother is an IT and cyber security consultant and not a cybercriminal. If he is not, he should be! As far as my being mom’s favorite, I think my brother and I both realize that was my sister!
