Brought to you by the reinvented 2012 Camry. It's ready. Are you? Get in touch with technology with TechStuff from HowStuffWorks.com. Hello again, everyone. Welcome to TechStuff. My name is Chris Pollette and I am an editor at HowStuffWorks.com. Sitting across from me, as always, is senior writer Jonathan Return-to-Sender, address unknown, no such number, no such zone. So today you're not phoning it in, you're mailing it in.
That's right. I have taken a step back. I'm putting in even less effort than normal. Great, that will leave me to do my normal job of going "uh huh" with a whole lot of silence around it. Well, it will be a nice change. We actually have a request that came in through Twitter. So here's our tweet request from Luke: how did the Epsilon email hack work? Well, Luke, we're gonna break it down
for you. Um, now, first, before we talk about how it worked, I guess we need to talk about what happened, right? Yes. So I can talk about this from a personal standpoint because I was one of the people affected. I can talk about this from five personal standpoints. Yeah, if I talk about it with my wife in mind, I think I'm probably close to the same number. I only received one email, but she apparently received several, and you received five,
right, right. So, okay. So when you're signing up for an account with a service, a notification service, or you're buying something from someone, somebody that you know, somebody that you trust, uh, and you go and you see the little thing where it says by clicking this box, you agree to the terms of service and the privacy policy. And sometimes you do and sometimes you don't click on
the links for those things and read through them. Uh, there's this one little piece of language you probably have seen if you've actually gone to look at those, and that's that part where it says, I agree to have my data shared with our trusted business partners and, uh, basically for the purpose of delivering services to you.
So let's say you've decided to sign up for your local grocery store's rewards program, because you know you can get twenty cents off this and fifty cents off that when you show your card, and lots and lots of people do it. Um, some people don't because they feel like it's an invasion of privacy. Well, you know, maybe it is, maybe it isn't. In this case it is; turns out
they were right. But so what happens is you've signed up for this deal, you get the little card, the little key fob to put on your key chain so that they can scan it. And then what happens on the other side is the company says, well, you know what, this is a lot of work maintaining this giant database of people who are
our beloved customers. And you know, of course they are, because they're spending money with us, and, you know, our business is not the maintaining of a database. Our business is blah blah blah. Absolutely, and if you're doing blah blah blah, you want somebody, and you need somebody you trust. Literally, they are a trusted business partner. You want to find somebody who can maintain that.
And so what's going on here is they say, well, okay, hey, you guys over here, can you manage our marketing database for us? Send out the weekly flyer for us, you know, for the people who want that, uh, you know, keep track of the rewards points that they've earned when they shop with us. Can you do that? And they say, oh, absolutely, you can trust us. Yes. And the whole point here is, again, the company in question is trying to, let's just say, for the
basis of this discussion, let's say it's a retailer. So we're saying this is a major retailer of consumer products, and that the major retailer, you know, their concentration is keeping inventory or selling products, moving the marketing. You know, they've got a lot of demands on their attention. So it makes sense to outsource this database management to another company, and then the retailer can concentrate its full focus on conducting business. What could possibly go wrong
with this? So let's say that you are the company that maintains databases. All right. So your customers are these major, major corporations and financial institutions, because some of these are banks. You know, there are some banks and credit unions that, uh, use this sort of stuff. Then there's, you know, retailers, there's grocery stores, there's all sorts of companies.
There's travel companies, travel agencies, that kind of thing. Um, so you have all these databases. Well, that means that you are also a beautiful target for people who want to get as much information about as many people in one strike as possible. That's right. If you're one of these companies, trust, and that of customer confidence
for your customers, is of paramount importance. This is when you go and you're trying to get a new client, and you go to this big, big company and you put down the portfolio of all the other companies that you're helping, and go, look at all the people who trust us. You should trust us to do business with us, and we will totally manage this
affiliate marketing program you've got going. Right. So then what happens if, say, someone is able to infiltrate that system and steal information? Well, then you've got a breach of trust and you have the potential to lose a lot of clients really quickly, because you have demonstrated that you were not as secure as, uh, you had, uh, made out to be. Because ultimately, this is going
to affect the customers of your customers. Right. So if you're the big database company, your customers are these giant companies, like these retailers and financial institutions. Their customers are all angry because their information has been stolen by a hacker. Now, your average customer is probably gonna blame the retailer
or the financial institution. They're not, you know, they're not looking beyond that, because they get an email from, uh, you know, major retailer number one, and the email says, hey, guess what, turns out the system was hacked and your name and email address have been compromised. So someone has that information now. Uh, and of course, that could
be a lot worse. It could have more of your personal identification information there, like, say, a Social Security number or birth date, or credit card information, that kind of thing. But name and email are bad enough as it is, and we'll get into why it's bad a little bit later in the podcast. Well, you're likely to blame, if you're the victim of this. So the person, the customer who's a victim of this, is likely to blame the
actual retailer or financial institution. Um, that's why a lot of these companies have said no, no, no, no, no, it's not our fault. It's this company that we trusted to hold all this information for us. They're the ones who slipped up. And it's interesting how they slipped up. You know, ultimately, we're supposed to answer the question, how did this hack work? It worked on a very basic, simple level. Let's talk
a little bit about how hackers get into systems. Right. Well, you know, I've seen WarGames. Yeah, you know, I know that all you have to do is, you know, dial up a machine and, you know, type until you're in. That is a way of doing it. It's called the brute force method. It's when you are trying to brute force a system by just going through a sequence of passwords until one of them works. Not terribly efficient, takes a lot of time. A lot of systems protect against
it by having a shutoff. So if you try to access it a certain number of times with an incorrect password, you get back a message saying you've attempted to access this unsuccessfully too many times. Uh, access to this account has been shut down for fifteen minutes, and you aren't able to try and log in again until fifteen minutes later.
That makes that attack even less efficient, right, because now you're gonna have fifteen-minute breaks between every five attempts you try to get in, right. And then there are some companies that completely lock you out. You know, three tries, you've exceeded your limit. You're going to have to call somebody to get your password reset. Um, that's more of a consumer thing, I would say, rather
than the other. But I mean, you know, that kind of technique is likely to cut down on the efficiency and ability of hackers to make their way into a system using a brute force method. Yeah, and you've probably seen movies where people have sat down at a computer and either they're running some weird decrypt program which is making the letters of the password appear one by one, or they're typing in some sequence of numbers or words or whatever, and they magically get in.
The truth is that's about ten minutes or less? Yeah? The truth is, first of all, if you do use that method, it takes a long time. And second, there are way easier ways of hacking into a system, and it mainly deals with social engineering. In fact, I would argue that most of the really successful hackers are masters at social engineering. I would agree with you. Social engineering is manipulating people, not machines. You
are targeting the user. You're not targeting the system, because people are easily manipulatable, manipulate, manipulate, manipulate. You can make people do stuff easily. Yeah. Um, I think it's sort of funny, because when we mention Mac viruses, uh, we get a lot of people who say there are
no Mac viruses. Well, most of the Mac viruses that are out there require you to download a disk image, double-click on the disk image and it creates a disk, install the program, go through the prompt where it says are you sure you want to install the program? Please enter your password. There are a lot of layers, yes, but what it takes to overcome that is social engineering.
And that's true for any operating system that has a virus or something like that, um, in that style, that a lot of these require an element of convincing, uh, the person to install the virus or the keylogger. You know, in this case, if you're trying to break into a system, you might use a keylogger, which is, uh, basically recording every time, every key you press
on the keyboard, in an attempt to discover logins and passwords. Um, and so if you want to install a Trojan, if you want to install a keylogger or something like that, in a lot of cases you have to fool the end user into believing that that software is safe enough to install on there. So you have to say, oh, well, you know, it's just, uh, you know, a little RSS feed reader, it's just antivirus. You, wait, hey, we discovered a
virus on your computer. You really need to download and install this free software, right, and then you click on it and it actually turns out to be malware, although it's masked as antivirus software, right. They have to hide. That's the other part of this, is once it's on there, you can't discover it and go, oh no, look, I installed something terrible on my system, I need to run my antivirus software. It's got to go, no, no, I'm
still, honestly, just this little program. I'm fine. Yeah. So social engineering can take many different forms. Like, it can be as simple as walking through the front door of a company and chatting up a receptionist and just getting enough information where it gives you a guideline as to what could be a password into the system, using
you know, the receptionist's information. That's totally possible. You could end up identifying someone who works for a company and then, uh, coincidentally meet up with this person in a bar just by, you know, following them and going into a bar and plying them with drinks and slowly getting information out that way. There are a lot of different ways of doing it. Now, the way that this one worked was very much what Chris was saying. It was an email that came through that lured people who worked
for Epsilon. Epsilon is the company that's that database manager that we've been talking about, that's the trusted business partner. Yes, that's the company that was handling all these databases for hundreds of clients, and this affected millions of the final customers, which, you know, people like me and Chris. Um, so it was an email that was a phishing scam, and, uh, what it did
was it was targeting Epsilon employees in particular. And one of the scary things is that this was a known problem. Oh yes, this was something that Return Path, which is a company that is used for services like
tracking email delivery. Return Path had an alert go out in November about phishing attacks that were aimed specifically at companies like Epsilon that manage these huge databases, and essentially that alert was, hey, we're tracking a lot more phishing attempts for people who work for these companies, and we're guessing that the reason for this is they're trying
to get their hands on customer information like emails and names. Um, just as an aside, so that people know, um, when we talk about phishing, we're talking about the "ph" phishing, which is, uh, this is the type of social engineering that doesn't necessarily involve software on your computer. In general,
a phishing attack is, um, if you've ever seen some account, an email saying that your account has been compromised and you need to, uh, send your user name and password, and you realize, hey, I've never had an account at that bank. Um, and wait, if I click on this link, it takes me to some other, completely different URL. This is a social engineering technique saying, you know, we need all the information
you're willing to supply us, please fill it out. And when you look at the URL and it's not the same URL as the company that you're doing business with. They don't have access
to that information. So they try to create a website that looks just like the one that your bank uses, or your other account holder uses, or account provider uses, and lure or fool you into giving away your user name, your password, any other Social Security, any information that you're willing to give, because those types of data are the kinds of things that people can use to falsify
records and steal your identity. Um, so, I mean, when we talk about phishing, that's in a broad sense, they're trying to get important information from you by fooling you into just giving it up on your own. Yeah. And there are different techniques for that as well. Like, you can get a phishing attack where it's, like Chris was saying, from a bank that you don't even use. Those, that I have no idea what
you're talking about. That's like a shotgun approach. I get these all the time for Blizzard World of Warcraft accounts, and I don't play, funny, but I don't play World of Warcraft. But apparently this is a thing. I didn't know it was a thing. I got an email that said that my account for Blizzard had been compromised, and I thought, huh, that's a heck of a thing. I don't have an account with Blizzard. I wonder how that happened. And, uh,
and then I talked to Tracy Wilson, who is not only the head of our editorial department here, she's also a former World of Warcraft, let's say, enthusiast, and she said, yeah, that's a thing. There's this spam attack. It's a phishing attack to try and get information from people. Uh, and now I notice, if I look through my junk mail, I tend to get, you know, my junk mail ends up filtering it all out, but I tend to get
a few of those each week. Now, well, that's kind of like the shotgun approach to phishing, but there's a more directed approach where the attacker has just enough information about you to kind of tailor the phishing attack to be more likely to get a hit. We call that spear phishing. As much as I dislike phishing, I like that term. Yeah. So spear phishing is where you have identified a particular vulnerability and you're going right
for it. Well, in this case, these phishing attacks that were directed towards Epsilon employees directed the employees to a website that contained a link that, uh, downloaded and auto-ran some malware onto the victims' computers. So that malware, uh, did several things. One, it turned off the antivirus software on the user's computer, so now the detective on your machine has gone to sleep, right.
There was a Trojan keylogger called iStealer also used on that, which is specifically designed to help hackers steal passwords. And then there was another tool called CyberGate, which is used to gain remote control of a system once it's been compromised. So you know, you guys have heard us talk about hackers doing this with botnets before. That's exactly what this one was. It just had
a very specific target. So once a couple of employees fell victim to this, despite the fact that there had been a warning in November of, uh, and there's still conjecture over whether or not Epsilon employees ever knew about the alert. I mean, we don't know the information. Epsilon has not been terribly chatty about it as of the
recording of this podcast. Um, anyway, the system was compromised and hackers were able to access those databases with all those names and email addresses, including Chris's and mine and my wife's, and there we go. So we've got four people just connected to this podcast who are affected. Um, they got all that information, and well, now the question is, what can you do with that if you only have email addresses and names? Yeah, which
is so far what they're claiming. Everyone should probably keep an eye on their finances just in case; if there's anything hinky going on, you can act on it immediately, because there's always the chance that maybe more information was stolen than we are led to believe. Right now, I'm going to take them at their word and say, all right, it's just the names and email addresses. Well, it's not in their best interest to lie at this point. No, it would just get them, and even, by, if the
information is out there, there's no way they're getting it back. Right. So if it was a problem, the responsible thing to do is go ahead and say, look, this was a catastrophic failure and we need to react, because the longer we wait, the more damage will be done. So I'm imagining that they're being, they're at least telling the truth as far as they understand it. Right. If more information was stolen, they are not aware of it, so names and email addresses. Well,
but one of the problems that could come out of this is more spear phishing attacks. But now, instead of attacking Epsilon to get its database, it's going to be attacking the ultimate consumer, like me and Chris and my wife and Chris's wife. Um, we will be the targets for these attacks, and it'll be spear phishing, because since they pulled this information out of Epsilon's database, they're going to see which companies we had
uh, created accounts with. Yes. And this is also going to be tricky for spam filters to pick up on, because one of the things that spam filters traditionally look for is whether or not it seems to be personalized to you. I mean, now that spam filters are as sophisticated as they are, and of course we all know that even the best still let a few slip through on occasion. Um, and at least in a
lot of cases, uh, you're going to have to be careful when you receive email, especially from companies that you know their information was compromised by Epsilon. Now again, I've got five to look at. Um, you can sort of keep an eye on that. And it's always a good idea to be a little skeptical, especially if they're asking for information. Now, a lot of companies have gotten really good about reminding people of this. Um, you know, they say, remember, we will never ask you
for your Social Security number. Don't give your Social Security number over email, don't, you know. If you have any questions, please call our customer service line. Don't fill out information in an email. And exactly, that's the other thing: email isn't, in general, secure. So you wouldn't want to send a friend, somebody that you trust, you wouldn't want to send a friend your Social Security number over email. It's a bad idea. Um, that's why
I just tattoo it on the bottom of their feet. So you should also not be Jonathan's friend. Yes, it's a painful experience, believe me. Um, I hate that screaming. Also, again, be very careful looking at, and look at the URLs that they're asking you to click on. If it doesn't look like something related to the company, don't do it. If you have any question at all, I mean, if you have that pause, and now it's
probably okay, don't have that pause right now. Get in contact with them, say, are you really, you know, you look at the number that you know is actually the number for that company and say, hey, I've got this email. Is this a real message? Do you really want this information from me? And, you know, if they give you an email or phone number in that email, I wouldn't trust that at all. Most of these companies, these companies should all have the information they need already from you.
They should not be asking for it again. If they are asking for it again, that's indicative of one of two things. Either you're getting a phishing email and someone is trying to get your information so that they can take advantage of you, or the company that is doing your business shouldn't be doing your business, because they have been, uh, irresponsible managing your data. So either way, the answer is: do not give your data
over email. Um, and another thing to look for is in the URL. Look for HTTPS if it's a secure system, and look at that little lock symbol. That's an indication that it's a trustworthy source. Again, this is just one factor to look at. Don't just assume that if it's up there that means you're safe. Look for that. Also, look at the
URL. Make sure that URL makes sense. Um, and what I recommend is, if you get an email from a company and you think this may very well be a legitimate email, navigate to that company's website directly. Don't click on links in your email, don't. Um, you know, don't copy and paste it from email into your URL bar, because it's the same thing as clicking
on a link, really. Go to your browser, type in that company's web address or go through Google and, you know, use the actual verified website to get to where you need to go, and then try to navigate to where that email would indicate you need to go in order to complete whatever the transaction is. And that way, if you're going through the official channel, you
are less likely to fall victim to a scam. Uh, and we just have to kind of resolve that we'll do that and resign ourselves to the fact that, at least for those affected by this, we're going to probably see an uptick in spam email over the next forever
until we change email addresses. Um, there's an old saying, it's not really a saying, but people tell you to watch out for when you see those emails that say, hey, we just found this out, forward it to all your friends. Forward it to all your
friends is usually a flag that it's a hoax. And I mean, we're not talking about phishing or any of that stuff now, or even malware, just the stuff that, you know, the hey, this big company is actually, uh, you know, shipping kittens to people. Microsoft has this email tracker, and if you send this email forward, you will get a package of M&M's or something like that. Just ridiculous. Anything that says forward to tell your friends, that's a flag. Well,
here's a flag for you too. Um, in the five emails that I got from these companies that said my address had been compromised, none of them said we need new information from you. So if somebody says your account has been compromised, send us new information, here, we'll send you a link, that's a huge clue right there. I'll go out on a limb and say that's a really big, it's not a very big limb,
um, that's a big indicator, like, yeah, definitely something is wrong, something is hinky, that's not on the up and up. So you know, you can use that without even having to click on anything. Just think of that and say, okay, well, Jonathan and Chris told me, you know, that if somebody's asking for information when they tell me that my account's compromised or they need me to update my account information on file, that's a time to question this and think critically and not do
it without being, yeah, please. And here's the interesting thing, is that probably as a result of this, I've seen this in a few reports, as a result of this, we're probably gonna see security firms recommending that companies use more of their, uh, anti-intrusion software and hacker protection software. But ultimately that's not going to help at all for this kind of problem, because this is a people problem. Yes, this is a person, not a
computer error. It's a person making an error in judgment. So, even if you put the most sophisticated security system in place, if you have people who are
not practicing good security measures, that's an insecure system. It's just like if, you know, let's say that you've got a bank, right? You've got this bank, and you've got all these sophisticated locks on that front door, and you've got a laser system that goes across the floor at night, and you've got pressure-sensitive tiles all along the front, and then you leave the back
door open. All those systems in the front aren't gonna matter at all, because someone just walks through the back door because they, you know, were chatting up the security guard and, uh, you know, made sure the security guard went back for a smoke, and they just put a little wedge over there so it kept the door open. And then they're stealing all your stuff.
Everyone knows you can beat those laser systems by doing cartwheels and, you know, sort of doing that weird dance over them and walking on your fingertips. Yeah, that's that easy. That's what I tried to do, and it doesn't work out so well for me. But that's, you know, that was twenty pounds ago. So it's sort of like the brute force attack. It doesn't quite work. Yeah, so what really needs to happen is not necessarily, yes, better security measures are good, right? I'm not saying
that companies shouldn't invest in that. They definitely should. But what they really also need to look at is educating the people who work for that company about these attacks and how to spot them and how to avoid them, because, you know, that's where the weak spot is. It's not the technology, it's the people. And if the people are unaware of how these attacks can happen, uh, then we're gonna see this happen again and again and again.
Especially if you're a clever enough hacker, you do have a reward at the end of that phishing scam, so that the person who has gone through and downloaded the malware does not immediately say, huh, I wonder if that was actually a bad thing I just did, you know? If you have something there so that it feels like, oh no, what it was asking me to do I actually did, and I accomplished something. If you have that reward in place as a hacker, you're
more likely to remain undetected. Now, granted, there's also the pressure that a person feels when they do something stupid to hide it immediately and not let anyone know about it, because you don't want to be the one to admit, hey, I just compromised our system, we need to be on the lookout. I wouldn't want to be that person. I would not want to be that person either. But ultimately it's better to be that person and say it than
to not say anything. And then you're talking about the potential of billions of dollars of revenue going up in smoke, maybe even an incalculable amount of money going up in smoke, because you don't know what the ultimate fallout is going to be from that mistake. Yeah, I was going to speculate, and I just don't, well, think of it this way. You've got five emails. Yes, that's a lot of emails. And looking at a list, and this was not a comprehensive list that I
saw online, a lot of companies trusted Epsilon to keep that information private. So, and I hear that it affected a very tiny percentage of Epsilon's customers. But then, when you think Epsilon's customers aren't people like you and me, Epsilon's customers are corporations that also, in turn, have access to potentially millions of people's email and identity. Uh, that two percent is still a big, big number in terms
of actual living human beings. I once left a cell phone provider because everyone else that I knew had bad customer service from them, and I hadn't yet, but I was just waiting for it. So I decided to go ahead and jump ship. And that may very well happen with people who were not affected, right? Yeah. And you know, of course this could also usher us into the dark ages of abandoning the Internet for commerce and going back to brick and mortar stores. I cannot imagine that happening.
It's not gonna happen to me. No, it's way too convenient. Oh, I don't have to deal with people, it's, uh. And they send stuff to me in pretty packages. It's like getting a present, because you get to open the box and you wonder what's inside, because you forgot, because you were impulse shopping and it was three weeks ago. It's awesome. I have a problem. Ah, okay,
all right, let's wrap this up. Guys, if you have anything that you want to add to this discussion about the Epsilon email hack, or perhaps you too were affected and you want to maybe express your concern, or if you have any other questions for us, especially if it's something about computer security and what you can do to be more secure, let us know, because these are important topics that I think everyone needs to think about to some extent, and, you know, even people who limit
their online activity as much as possible need to be aware of it. So send us a message. You can find us on Twitter and Facebook. Our handle there is TechStuffHSW, or you can shoot us an email. That address is techstuff@howstuffworks.com, and Chris and I will talk to you again really soon. For more on this and thousands of other topics, visit HowStuffWorks.com. To learn more about the podcast, click on the podcast icon in the upper right corner of our homepage. The
HowStuffWorks iPhone app has arrived. Download it today on iTunes.
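An added example, not from the episode or its hosts, of the link check the hosts describe: given the domain you actually hold an account with, flag any email link that is not HTTPS, whose real host is not under that domain, that uses a bare IP address, or whose visible text shows one address while the href goes to another. The domain `example-bank.com` and all sample links are constructed.

```python
"""Triage links from a suspicious e-mail the way the episode advises.

Added example, not code from the episode. Assumptions: you know the real
domain of the company the mail claims to be from (example-bank.com is a
constructed stand-in) and links are given as (href, visible link text).
"""
import ipaddress
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Last two DNS labels: 'login.example-bank.com' -> 'example-bank.com'.
    Simplification: no public-suffix list, so 'shop.example.co.uk' -> 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True for a bare IPv4/IPv6 address used in place of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href: str, expected_domain: str, link_text: str = "") -> list:
    """Return the reasons a link looks wrong; an empty list means it passed."""
    reasons = []
    parsed = urlparse(href.strip())
    host = parsed.hostname or ""
    if parsed.scheme.lower() != "https":
        reasons.append("not https")  # no lock icon, no certificate to inspect
    if not host:
        reasons.append("no host in URL")
        return reasons
    if "@" in parsed.netloc:
        # 'https://www.example-bank.com@evil.example/' really goes to evil.example
        reasons.append("userinfo before '@' disguises the real host")
    if is_ip_literal(host):
        reasons.append("bare IP address instead of a domain name")
    elif registrable_domain(host) != expected_domain.lower():
        # 'www.example-bank.com.login-verify.example' is NOT example-bank.com
        reasons.append(f"host {host} is not under {expected_domain}")
    # Visible text that looks like a URL but points somewhere else.
    shown = urlparse(link_text.strip()).hostname if "://" in link_text else None
    if shown and registrable_domain(shown) != registrable_domain(host):
        reasons.append(f"link text shows {shown} but goes to {host}")
    return reasons


def triage_email(expected_domain: str, links) -> dict:
    """Map each flagged href to its reasons; links that pass are omitted."""
    flagged = {}
    for href, text in links:
        reasons = check_link(href, expected_domain, text)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed sample: links as they might appear in a mail "from" example-bank.com.
SAMPLE_LINKS = [
    ("https://www.example-bank.com/account", "https://www.example-bank.com/account"),
    ("http://www.example-bank.com.login-verify.example/reset",
     "https://www.example-bank.com/reset"),
    ("https://203.0.113.7/login", "Verify your account"),
    ("https://login.example-bank.com/", "Sign in"),
]

if __name__ == "__main__":
    for href, reasons in triage_email("example-bank.com", SAMPLE_LINKS).items():
        print(href)
        for r in reasons:
            print("   -", r)
```

The hosts' stronger advice still applies: a link that passes every check is not proof of legitimacy, so type the company's address into the browser yourself rather than clicking.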
