I had the privilege of interviewing Luke Wilson, Vice President of Intelligence at 4iQ. He has over 15 years of experience working in US federal law enforcement, for the US Department of Defense, and the US intelligence community.
Below you’ll find an audio recording of the interview, and Wilson’s answers to my questions about identity theft, Internet security, and keeping kids safe online.
Questions and Answers About Identity Theft and Internet Security
Below are my questions, and summaries of Wilson’s answers. You’ll get more by listening to the interview, but I thought this summary would be helpful.
1. Let’s go back in time. What piqued your interest in cybersecurity in the first place?
While working for the government, Wilson saw how criminal activity (such as financial crime) often involved cybercrime, because criminals used digital technology as part of their crimes.
While at the FBI Counterterrorism Division (CTD), Wilson observed that at some point everything became a cyber issue, because of digital technologies used for travel or recruiting.
2. How has your career path given you cybersecurity expertise?
Wilson started with the Department of Defense (DOD) as a special agent for Air Force Office of Special Investigations (AFOSI). There he looked at various criminal activities and threats to the Department of Defense. He also worked in counter-terrorism. He says that starting 10-15 years ago, more of these activities were occuring online.
Next, Wilson went to the FBI Counterterrorism Division (CTD). He points out that travel and communication are mostly done online, and even many physical transactions (such as depositing money at a bank) leaves a digital footprint.
After that, Wilson was liaison for Department of Defense and Pacific Command (PACOM), looking at trans-national organized crime. Here too he dealt with digital footprints.
Next Wilson went back to the FBI, dealing with nation-state cyber actors. He says these groups are very good at hiding who they are, and they use different tools and platforms to hide their tracks.
3. What are the biggest challenges or threats consumers face related to cybersecurity or digital privacy?
According to Wilson, the biggest challenge is that “you have no idea who is holding your data.” He explains that the company you’re giving your data to may share it with third parties.
Another challenge, says Wilson, is that you don’t know where your login credentials (username and password) are stored by organizations.
Wilson says that another challenge is that you don’t know that your data has become available to those who shouldn’t have it until it’s too late; you often don’t find out until a criminal uses your data or steals your identity.
4. What can people do about those challenges and threats?
Several times during the interview, Wilson recommended using an identity theft monitoring service.
Be vigilant about your passwords, advises Wilson. Don’t use the same password for multiple accounts. If you do that, and one account is breached, hackers can use that password to get into your other accounts. This is known as credential stuffing. He recommends that you make each password unique.
Wilson also recommends that you encrypt your passwords. A password manager can do this.
5. How can parents protect their kids online, and help their kids protect themselves?
Because the threats to kids and adults are similar, Wilson advises that your entire family practice good cyber hygiene.
Wilson recommends that you monitor your kids, to know what sites they’re going to. He says you need to understand that kids click links without thinking carefully first. He points out that you can use apps for monitoring, and/or look at your router logs, or configure your router to block sites.
The earlier you can educate kids about online safety, the better, says Wilson.
6. Let’s zoom in on identity theft. What are the most effective ways people can protect their identities?
Use an identity theft monitoring service, advises Wilson.
Be vigilant, Wilson says, about who you’re giving access to your info.
Be aware of scams that request personal info, which often spike during tax season, says Wilson.
Wilson recommends that you not send sensitive info by email or text.
7. What are the biggest mistakes people make when using social media, which increase the risk of identity theft?
Posting photos that reveal your location, for example, a family photo that shows your address, is a mistake, says Wilson.
Don’t reveal that you’re traveling by posting about it, advises Wilson. Doing so tells criminals that it’s a good time to target your financial accounts, since you’re probably not closely watching your accounts while travelling. In addition to these dangers, says Wilson, high-net-worth individuals should be cautious of the threat of physical harm to themselves and their loved ones that can result from revealing their location or travel plans.
8. How much does a credit freeze help to reduce the risk of identity theft?
“I don’t know how effective it is,” says Wilson. “It’s more of a pain for you than it is for the cybercriminals, because they’ll find ways around it.” He explains that criminals can steal your identity or hurt you in other ways without getting access to your credit.
9. Is there anything people should do with their postal mail to reduce the risk of identity theft?
If you’ll be away from home, stop your mail, recommends Wilson.
I don’t think there’s a very large threat that way for identity theft.
Wilson explains that your address is already available online, without someone needing access to your mail to get it.
10. What steps should parents take to protect their kids’ identities?
Use an identity theft monitoring service for your kids, advises Wilson.
He also recommends that you pay attention to the sites your kids visit, that you block sites as necessary, and educate your kids about online safety.
Wilson has seen identity theft happen to kids under 18. He says identity thieves can combine identity data from multiple sources to create a complete identity profile; for example, combining personal data from video games and data from the Equifax breach.
I won’t say they’re all very smart, but they’re very creative about how to monetize the data.
11. What should a person do if they suspect or know that their identity has been stolen?
Wilson recommends that you follow the steps outlined by the Consumer Financial Protection Bureau (CFPB), including filing an identity theft report with IdentityTheft.gov.
Wilson notes that you’ll need to take steps to prove that a thief, not you, is using your identity.
12. Most people don’t understand the terms Deep Web and Dark Web. How do you explain these to the average person?
Wilson explains that the Deep Web refers to websites that aren’t indexed by search engines like Google, so you need to know the exact address of a Deep Web site to visit it.
The Dark Web sits within the Deep Web, says WIlson. The Dark Web is several marketplaces that sell goods and services such as narcotics, stolen identities, and guns. Their addresses usually end in .onion (rather than .com, .org, etc.).
Think of it like an Amazon of just bad things.
I’ll drop in my definitions from the Defending Digital Glossary:
Deep Web: Websites and webpages that aren’t indexed by search engines, so you can’t get to them through Google or other search engines. You can get to them using a normal browser, as long as you know the website address or click a link to it. There are good and bad, legal and illegal sites in the Deep Web.
Dark Web (or Dark Net or Darknet): Websites that aren’t indexed by search engines, so you can’t get to them through Google or other search engines. They can’t be visited using a normal browser, and typically require a Tor browser to visit, and that you know the website address or click a link to it. The Dark Web is home to an underground trade in illegal goods and services (though not all Dark Web content is illegal).
13. How well is the US government handling current cyber threats? How well do you think it’s prepared to handle future cyber threats?
I think they’re handling cyber issues very well. It’s always a game of cat-and-mouse. You catch up to one issue, one problem, and then another one happens. And the criminals always have a leg up, because they’ll go where we won’t. … There’s laws, rules, and regulations that we [the government] have to abide by in order to catch these guys. … it takes us a little while to get through those, but then we eventually get through them and we start catching the guys. Then they change their MO [mode of operation] again and we have to go through that whole cycle before we catch them again.
There are think tanks and groups that focus on potential future threats, says Wilson.
Some threats cross lines between several government agencies and commercial organizations, says Wilson. He points out that the challenge is to figure out how the federal government can help an institution defend itself against a nation-state attack, and how the government will respond to such a situation.
14. Several governments have pushed back against end-to-end encryption, or requested backdoor access so they can monitor encrypted communication. What’s your opinion?
We’re always battling privacy and security, and that’s the main debate here.
Wilson advocates caution. “Would I want anyone to have full access to all my data and everything? No, I wouldn’t,” he says. But he points out that if there was another national crisis such as the September 11 attacks, he would want the government to have backdoor access to the phone of a suspect.
There’s a fine balance there, and I can see both sides of “hey, we need access to this as the government” but then also “as a private citizen, my information is private.”
Although Wilson doesn’t worry about the government monitoring him because he says he’s not doing anything wrong, he recognizes that other governments intrude into the private lives of their citizens.
Wilson thinks there should be some way for the government to get access to private communications when necessary. “I don’t think total anonymity is the key for everyone,” he says.
15. You’ve witnessed digital security and privacy trends over the last couple decades. Are you optimistic or pessimistic about the future?
“I think I’m pretty optimistic,” Wilson says. He points out that as new technology pops up, we need to figure out the privacy concerns involved.
16. The 4iQ website shares news and advice about data breaches and identity theft. How else do you recommend people stay informed of cybersecurity and privacy issues?
Wilson does a lot of reading about data breaches, including websites such as Data Breach Today. For consumers, he recommends an identity theft monitoring service that watches for your specific data, and notifies you of breaches.
17. Do you have any other warnings, advice, or encouragement you’d like to share before we conclude?
It’s the holidays, so this is where things gear up. … be very careful about where you spend your money … also … giving [your] information out. If it doesn’t seem right, then don’t do it. … Be very vigilant during the holidays about what kind of information, and what kind of digital footprint you’re leaving out there.
What You Should Do
- Consider signing up for an identity theft monitoring service for yourself and other members of your family, including children.
- Don’t use the same password for multiple accounts. Make each password unique.
- Use a password manager to securely store your passwords.
- Monitor your kids, to know what they’re doing online. You can use apps for monitoring, and/or look at your router logs, or configure your router to block sites.
- Educate your kids about online safety. The earlier, the better.
- Be careful about who you grant access to your info, especially during high-risk times such as holidays and tax season.
- Be aware of scams that request personal info.
- Don’t send sensitive info by email or text.
- Don’t post photos that reveal your location.
- Don’t reveal that you’re traveling by posting about it.
- If you suspect or know that your identity has been stolen, follow the steps outlined by the Consumer Financial Protection Bureau (CFPB), including filing an identity theft report with IdentityTheft.gov.