Crime, Cyber Security, and the Difference between a “Daddy” and a “Father”

Crime, Cyber Security, and the Difference between a “Daddy” and a “Father”

One of my favourite films is Catch Me If You Can, so I noticed on YouTube an interview the focus of the film: Frank Abagnale:

I had assume it was going to be about a life of crime and how different his life had been from the movie, but I couldn’t have been more wrong. His presentation is beautiful and full of humility and honestly, with classic Cyber Security advice dotted around. He was a person who was offered three Presidential pardons, but refused them, as he recons that his crimes were unpardonable. He served time in three prisons for his crimes, but came out a better person, and ended up working with the FBI.

So I’m going to dip in, and pick out a few quotes, but please watch the whole presentation.

So I walked up the stand in between my parents. I remember distinctly that the judge never looked at me. He never acknowledged. I was standing there. He simply read from his papers and said that my parents were getting a divorce. And because I was 16 years of age, I would need to tell the court which parent I chose to live with. I started to cry. So I turned and ran out of the courtroom. Judge called for a 10-minute recess. But by the time my parents got outside, I was gone.

He never for one minute excuses his crime, but he does show that one moment of his life caused him to crack.

My friends in school used to say that once a week, when we dressed in a suit for mass, I looked more like a teacher. So I decided to lie about my age. In New York, we had a driver’s license at 16. Back then, it didn’t have a photo on it, just an IBM card. So I altered one digit of my date of birth. I was actually born in April of 1948. But I dropped the four, converted it to a three. And that made me 26 years old.

This change of age allowed him to be paid him a higher hourly rate, and more work. It was the way that he handled himself and the confidence he showed which the allowed him to push the barriers for the beginnings of his frauds:

You talk to somebody behind the desk, and they OK your check. Oh, well, my checks are good. But if I walked in there, they wouldn’t touch my check. You walk in there, they don’t bat an eye. Whatever it was, it was very easy to do. So consequently, when the money ran out, I kept writing those checks. Of course, the checks started to bounce. Police started looking for me as a runaway. So I thought maybe it was a good time to start thinking about leaving New York City.

And so it was on his travels to New York that chose to be a pilot:

I could pose as a pilot. I could travel all over the world for free. I probably could get just about anybody anywhere to cash a check for me. So I walked up the street a little further to 42nd and Park I went to crossover. I heard a huge helicopter. So I looked up, and there was New York Airways landing on the roof of the Pan Am building. Pan Am, the nation’s flag carrier, the airline that flew around the world– I thought, what a perfect airline to use.

So he called up the airline and told them he had lost his uniform, and so the airline told him to get himself off to a nearby store:

He came back and said, my supervisor says you need to go down to the Well-Built Uniform Company on Fifth Avenue. They’re our supplier. I’ll call them and let them know you’re on the way. Well, that’s exactly what I wanted to know. So I went down to the Well-Built Uniform Company.

And from there we learnt all about the etiquette of the airline industry, and travelled in the bucket seat for free. A grand tail of social engineering.

Everybody had an airline ID card, a plastic laminated card much like a driver’s license today. Yet without the ID card, the uniform was worthless. I went back to Manhattan pretty discouraged thinking where would I come up with a Pan American Airlines corporate ID? There were three or four pages of companies who made convention badges, metal badges, plastic badges, police badges, fire badges. Started to call around. And finally, one company said, listen, most of those airline IDs manufactured by Polaroid, 3M company. You need to call one of them. Finally got the 3M company on the phone in Manhattan.

And so he made his way to the ID card manfacturer and pointed to a Pan Am card and said that he would like to buy a batch of them, and they even took his picture on one a sample:

Took my picture, and made the card. I was going down the elevator studying the card. It had a blue border across the top, about a half inch in Pan Am’s color blue, but not a single thing on the card said Pan-Am– no logo, no insignia, no company name. This was a plastic card like a credit card. So you couldn’t type on it, couldn’t write on it, couldn’t print on it.

As you should know if you have watched the movie, he found a toy plane and steamed off the log, and applied it to the card, and it completed his masquerade. For the next two years, he eventually boarded 260 flights to 26 countries, and was in the bucket seat for every one. In all the time, he never actually flew with Pan Am, and he thought he would get noticed.

He then continued his exploits and onto posing as doctor and as a legal professional, but was caught in France, where he severed his time in horrible circumstances. After that he was extradited to Sweden, where he served time, and then onto the USA, where he again served time.

You can watch the movie, and find out more. But it was the next part of his talk that really showed Frank as a humble person. He beamed about his kids, and of the true love of the foundation of his life: his wife. And then, he shows his inner feels on the difference between a “Daddy” and a “Father”:

That I was… I was one of those few children that got to grow up in the world with a daddy. Now, the world is full of fathers. But there are very few men worthy of being called daddy by their child. I had a daddy loved his children more than he loved life itself.

A few tears for that one? As a grandpa, I did have to shed a tear for this, and the things he said just after this. And:

And to those men in the audience, both young and old, I would remind you what it truly is to actually be a man. It has absolutely nothing to do with money, achievements, skills, accomplishments, degrees, professions, positions. A real man loves his wife. A real man is faithful to his wife. And real men, next to God and his country, put his wife and his children as the most important thing in his life.

For him, although the film glamourised his world, deep down there was a root cause:

And like all children, they need their mother, and they need their father. All children need their mother and their father. All children are entitled to their mother and their father.

For me, a complete stranger, a judge, told me I had to choose one parent over the other. That was a choice a 16-year-old boy could not make. So I ran. How could I tell you my life was glamorous? I cried myself to sleep ’til I was 19 years old. I spent every birthday, Christmas, Mother’s Day, Father’s Day in a hotel room somewhere in the world where people didn’t speak my language.

And so, he is asked, have things become more difficult in the modern age:

Actually, it’s, sorry to say, but 4,000 times easier today than when I did it. Technology breeds crime. It always has, and it always will. And there will always be people willing to use technology in a self-serving way.

And with social engineering these days you can pretty much discover anything:

“Yes, sir. We bank with Bank of America. Our account number is 176853.” They tell you right on the phone. You can call any company and just tell them you’re going to wire them money. They’re going to tell you where they bank, on what street, their account number– what you need on the check. So I captured the bank’s logo, I put it on the check. I put the MICR line down on the bottom. And I hang up and call back “Intuit Corporation, can I help you?”

And for data breaches, he homes in on the human side to:

Hackers do not cause breaches. People do. And every breach comes down to that. So in the case of Equifax, they didn’t update their infrastructure. That didn’t fix the patches they should’ve put in place. They were very negligent in what they were doing. So the hacker waited for the door to open. So when you interview a hacker, the hacker will say to you, look, I can’t get into Chase Bank. The truth is they spend about a half a billion dollars a year on technology. Every 12 months, they spend a half a billion dollars of their profit on putting technology and software in their bank to keep me out.

However, they employ 200,000 people worldwide. All I have to do is wait for one of those people to do something they weren’t supposed to do or failed to do what they were supposed to do. And that’ll open the door for me to get in. When you steal credit card numbers like Home Depot, Target, TJ Maxx, that’s stealing credit cards and debit card information, that has a very short, short shelf life. So you have to get rid of it very, very quickly.

And then goes straight for identity theft:

But if I steal your name, your social security number, and your date of birth, you can’t change your name. You can’t change your social security number. You can’t change your date of birth. So those people warehouse that data for two to three years. So we won’t even see that surface for at least a couple of years before some of that will start to surface, the data that was stolen.

And he nails it with around the way that data breaches just start small, and the rocket up:

Whatever number they start with– I think it was 143 million, then it became 146 million. It was a million drivers licenses, now it’s 106 million drivers licenses…all breaches start with very low numbers before they let you know the actual true numbers. So it’s probably about 240 million pieces of information that were stolen.

And then he hits companies like Equifax hard by saying that they tried to gain from the data breach:

And if you really analyze Equifax, they were very unethical in what they did. They thought to themselves– first of all, they sold a bunch of stock knowing that it was going to come out. That was worse.

But then they sat there and said, how do we make a profit from this? It was our mistake, but how do we turn this around into a profit? So they sat there and said, what we’ll do is we’ll offer millions and millions of people one-year credit monitoring service for free. They’ll sign up. And in a year from now, we’ll simply say that data hasn’t really surfaced yet. You need to be enrolled automatically into our program, which is $20 a month. So they’re going to make millions and millions of dollars with automatic enrollment into their program.

Shocking!

And it’s passwords that Frank feels cause much of the problem:

I’ll just make a final comment to you having to deal with cyber now. I like to write about crimes in the future. So I always used to write to my class about what will we investigate five years from now. What will an agent be doing five years from now? And unfortunately, there’s good news, and there’s bad news. First of all, the good news, we will be doing away with passwords in the next 24 months. Passwords will leave the world. There will be no more passwords. There is a new technology called Trusona. That’s T-R-U-S-O-N-A. Stands for true persona.

Passwords are stagnant. They should have been gone long time ago. It’s why we have most of the problems that we have today.

And finally …

All I try to say to technology company, yeah, this is great. Now, can you take a little time to just say, how would someone use this technology in a negative, self-serving way so that we build the block to that before we ever give it to the public to use it? We’d save a lot of problems.

I lovely talk.

In Scotland, over many years I have been lucky enough to work alongside people with a heart-felt passion for their work, including people like Eammon Keanne, and who has supported so many things — our start-ups, our training, our research — for all the right reasons. I’ve also seen people like John Howie, Federico Charosky, Harry McLaren, Basil Mannouss (who now works for our Cyber Academy) and Jamie Graves giving beautiful talks — sometimes with no PowerPoint slides — and where they tell it from their heart. What is common with these people is that at the drop of a hat, they are willing to come in a talk to students on their careers and their motivation — on what they love and what don’t — without any benefit to them. Few students can leave their talks, without being completely inspired by them.

Too many in our industry give presentations that just scare people with no real understanding of the real problems that lie underneath, and which also lack a human element. Too many of our technical presentations just focus on the technology, but Frank talks from the heart, and shows that he is a caring and compassion human, and who has made mistakes, but who aims to do his best for this world.

This is an industry of people and not companies. It is people who do things, that change things, that drive things. It is people that actually care.

So, if you are a man, are you a “Daddy” or a “Father”?