
Cybersecurity

18 Apr 2022

Ran Cohen: So first of all, hi everyone and good to have you here with us. And we will do this event today on cybersecurity and the threats around cybersecurity these days. Obviously, it's a wide concept, but we will speak about it from the business perspective. And these events are for us to share from the experience we have here at Bridger and with our merchants, so let's get started.

Florin Cimpoca: Perfect. So for those people who are just joining, maybe haven't attended one of these webinars before: this webinar is hosted by myself, Florin. I'm the head of customer success at BridgerPay. I'm joined by Ran Cohen, our co-founder and CEO. And I actually was very happy to talk about this particular subject, which is cybersecurity, and we'll be putting special emphasis on the human error when it comes to cybersecurity, because, Ran, oftentimes you see movies and TV shows that depict hackers as these guys in basements drinking Red Bull, and they're just typing away really rapidly at keyboards, pressing Enter, high-fiving each other, very very hyped up that they've just managed to crack into the Pentagon. But in reality, we find that with businesses that's not the case. Most of the time a lot of cybersecurity attacks happen simply because of human error. And that's what we want to touch on in this one. And we'll go through some of the most common human errors that occur when it comes to cybersecurity.

Florin Cimpoca: So let me load up the presentation and show everyone. Okay so, when we talk about human error in cybersecurity, I've posted here four major topics. Well, let's start with insecure networks. This is something that a lot of people don't really touch on a lot. And now these days when we're logging in from home to work, due to COVID restrictions, maybe some people decide: my internet's down, I'll go downstairs, no problem, I can start work. But the issue with that is, most of the time, the networks we connect to, we have no idea how well secured they are. They're referred to as insecure networks. And when we hear insecure network, we're thinking, well, they need a morale booster, they're not very secure about themselves. But the truth is, a lot of things can get passed back and forth on these networks. Everything that you're doing, including cookies that you might be sending, might be captured; information, stored data, a lot of information can be monitored on a network that you're not sure about, that is not secure. And this is something that a lot of people might not be aware of when they are working from home, or when they are logging in with their work computers or their work phones from networks which perhaps they shouldn't be logging in from. Then we have malware. Malware, it's self-explanatory, you have viruses and a lot of things you can click on in links. And that can be done often through phishing attempts, which we also have there. And phishing attempts are super common in today's day and age. And I'm sure everybody has experienced it at least one time or another. I mean, Ran, I'm sure you can share a few examples of times.

Ran Cohen: Yeah. First of all, phishing has a few examples. But if we look at the broader scope of human error, we're speaking here about networks and viruses, anti-viruses and phishing protection. In the end, when you want to protect yourself as a business, it starts with the infrastructure or the technology that your entire website, let's say, is built on. The servers, the way that they are handled, the security behind them, the security protocols. As a PCI Level 1 company, we are going through a very tough process on a yearly basis, and also on a quarterly basis, where we are being tested and measured and monitored on many aspects related to security and infrastructure. And that's a very big call from what we needed to do here. But the infrastructure and technology is only one part of how you protect yourself. Also of course, building a safe network for people to use, even when they go to the coffee shop. So even if you go today to the coffee shop and you want to log in to Bridger, you still will go through security protocols. So it's all a part of the infrastructure that you prepare, and on the other side, there's the people factor. And there's the people that are responsible for the security of your networks, for the education of the employees, for trying to test and trying to, it's like when you do QA on a campaign, you want to QA yourself as well in your security.

Ran Cohen: So we have people in our team and in outsourcing, that's what they do. They try to hack us and they try to send us different phishing mails, to see how we respond to it. And that's also happening from time to time. And that's something that any company or business that wants to be able to protect itself needs to do. It will keep you safer, not safe but safer. And so it's the people factor and the technology, and when you go to the people, of course, you have different roles, different hacks that you need to place in order to really protect, if it's from the data side, from the network side and the DevOps. So we have very talented people with us in the team that are doing this work for us, and as a company whose product is being served in hundreds and thousands of websites, it's a product you want to protect and make sure it's very much safe, as much as you can.

Florin Cimpoca: I agree 100%, and I believe any responsible company would hire people specifically dedicated to the cybersecurity aspect of everything that you just mentioned. But we're talking here about companies, major ones, like multi-billion dollar companies, that have had cybersecurity breaches in the last few years because of human error. And one that comes to mind, and one that I've actually worked for, was Electronic Arts. Electronic Arts got hacked recently. And the way the hackers managed to get into EA was through Slack. One of the most secure channels of communication in the company, and they were hacked through Slack. And I can tell you from personal experience. I can't share information on this, but I can tell you from personal experience, EA are very secure in terms of everything with their product, because of any leakage of personal information. Imagine, they're a game developing company. So if a photo of an unfinished product gets released, people might not buy the product. So they're very very cautious about all of this. And yet they got hacked, simply because somebody bought online cookies that were stolen from an employee. With those cookies, they managed to create an account in Slack and access EA's Slack group. And then they just requested the IT team to give them two-factor authentication to log into their servers, where they downloaded 780 gigabytes worth of data from EA. Imagine the impact that has on a business that is a multi-billion dollar software that they develop.

Ran Cohen: And that's when you know the impact of an attack that was not long ago, an attack on a 3d authenticate or company in the US. And we are still waiting to hear what the depth of the attack is. But you have today more and more companies that are handling data, and handling personal information. But you can also see the other trend from the other side. And we can see it from PCI to PCI and from B2B that there are more and more aspects that come in terms of data handling and security and phishing protocols. And those protocols are growing. It's not like it's the same every year. And they're evolving according to what we see here. To hack, you can hack everything. So guys, by the way, we have a chat here. And if you have any questions for us, we'll be very much happy to answer.

Florin Cimpoca: Check out the polls in a bit. I wanted to finish this presentation here. Because we mentioned so far unsecure networks, malware, phishing; failure to update software is actually surprisingly common, where companies sometimes simply forget to update important software. And obviously, the software updates happen, guys, because you have companies like Microsoft who are constantly finding backdoors or issues with their products, and they're trying to fix them as soon as possible. So when you fail to update your Android or your Mac or your Microsoft software, your system becomes vulnerable to attacks, and unfortunately, a lot of people seem to forget that this is a very very important thing that they need to do. And this goes back to how

Ran Cohen: By the way, it's a bad user experience, because every time I see this I say, what do they need to update on my Mac now? Why should I do that update? It works, right. And it's a thing because you don't really want to go over this process, and companies like Apple, for example, or Windows, you need to actually make an action in order to update. It's a hassle. Other online software is running updates multiple times a day, and there are full monitoring processes to know that you have done the release well and everything is checked and everything is tested. So releases are painful when you're obviously speaking about very big platforms, and platforms that need the clients to actually make an action in order to do it. Okay, let's move to the next one.

Florin Cimpoca: Let's see here. Phishing. Going back to what I was discussing earlier, this is one of the most common ways in which a lot of companies get data breaches. You have so many forms of communication, from Skype, I gave an example earlier with Slack, WhatsApp, Teams, Telegram. It doesn't matter what you're using, hackers will always try to exploit this vulnerability, but they'll always try to exploit human empathy through any means possible. And the reason why I want to focus a lot on phishing is because this is very similar, in my experience, to the Nigerian prince scam, which was very popular in the US and throughout the world. I'm sure a lot of people know what the Nigerian prince scam is. But very briefly, it was basically a bunch of emails sent to random people telling them that they are a Nigerian prince, they have their money blocked in a bank, and they need you to send them 10,000 or whatever amount of money so they can unlock that money. And once they get their money, they pay the bank fees, then they'll pay you back the 10,000 plus another 100,000 or something along those lines.

Ran Cohen: All those blackmail scenarios. If you take it down to more practicality, it happens every day. An email that our finance team is getting, with me requesting them to transfer immediately. And also this email is, let's say, in the evening. So we're not in the office, or the finance team is not there in the office when it comes, or when you see it at night, and I'm asking them to immediately transfer urgently to this account, this IBAN. And those mails are coming, and we saw them a lot, once or twice. And there are many different cases; I have an old friend that fell into that trap. And it's a very risky world when you get an email that almost completely looks like I sent it, or someone else. And that's something you want to protect yourself from.

Florin Cimpoca: Yeah, absolutely. And that's how, when you think phishing, you need to first of all understand that for a lot of these guys sometimes it's a numbers game, and they'll send these emails out to maybe hundreds of people, or maybe it will be a targeted attempt at your company; it is possible, one or the other. Sometimes it can be, sometimes it's not. And when it's not, usually phishing emails will look a lot like, they'll try to create this urgency, like the one example you gave, with you need to transfer the money right away. This is urgent, and when it's coming from the CEO, you don't want to tell the CEO no, or the CFO. You don't want to go to your boss and be like, yeah, I'll get to it when I get to it. And then it's also a matter of exploiting human empathy, because I actually saw a very interesting video. There's a hackers' convention in the US in Las Vegas called DEFCON. And I saw a very interesting video with a lady who managed to access somebody's phone accounts, his phone records and everything. And from that she also got access to a lot of other personal information. But simply by calling the phone company, masking her phone number to resemble his, and exploiting that human's empathy by playing the sound of a crying baby in the background and explaining to him that, I'm sorry, my husband must have forgotten to put me on the plan. I need you to put me on, I have to do this today. My husband's going to be very upset with me. I can share that link if people want to see it. But basically, this woman managed to convince the phone operator on the spot to give her access to somebody's personal account, change his password. Imagine how much access you can have with somebody's phone details.

Ran Cohen: There's a company in Israel called Check Point. And there was just an article not long ago, and the guy was hacking an ultrasound machine while his wife was being checked. And he was playing with it, and he actually hacked the ultrasound machine, took all the data of all the women with all the different babies onto his phone while his wife was being tested. He's a very talented guy. But it was just on the news in Israel. But that was just one case of them hacking, and Check Point has a story of hacking everything from Sony PlayStations to WhatsApp to iPhone. It became a hobby for them to show these openings in different companies and allowing them to work on it.

Florin Cimpoca: Yeah, absolutely. That's why, guys, whenever you check your emails, whenever you see something along the lines of, Hi, this is so and so, please urgently do this, or you get a weird email, always take a second to double check the email address. Does that look authentic to you? Maybe it has an extra one at the end. Maybe it's not your boss, maybe it's Ran Cohen spelled with, I don't know, he put a zero instead of the O, maybe. You can find a lot of different inventive ways to mask and pretend you're somebody else.

Ran Cohen: I think any mail that, like you're saying, is first of all showing some kind of emergency could come from the CEO or the R&D or DevOps team, together with the signature and everything. But one thing won't be the same, because they copied, but not fully. And you always get this phishing email with like 50% look and feel or 70% look and feel, like, for me, it's a bit fishy. And when we are examining these emails, we see that there is some kind of correlation between them, because they don't have the complete look and feel of an email that comes from a company. Anything that is related to a password needs to be double checked. Anything related to transfers, I would double check in other sources which are not the same as the one I got it from. So don't return the email with a reply; go to another channel, if it's Slack or WhatsApp or another channel, which is parallel to the one you got the request from which sounds weird. And try to figure out if it's a hacker or anything.

Florin Cimpoca: Yeah, absolutely. Always double check, guys. Sometimes in this line of business, it's always good to be a bit paranoid. I mean, even if it is something urgent, trust me, I think at the end of the day your employer will appreciate you taking that extra step. And of course, in our line of business, also not just informing your employer and double checking. But in our line of business, it has a lot to do with informing the businesses you work with. We've had cases with businesses where accounts of some of our clients got hacked, and then they attempted to get information from us, where we were like, wait one second, why do you need a password change? You have a link for that, my friend. Why do you need me to send you this? Why do you need this? These are questions that every team should be instructed on. And the question you should be asking yourself is, how much time are you dedicating to training your employees to do this? And the software providers you're working with, how much time do they dedicate to this? Because if you're working with a software provider that doesn't take the time to do this, like I gave the example earlier with the phone company: you work with a phone company and they just gave away your personal details. Would you ever work with that phone company again?

Ran Cohen: Places that got hacked got a big confidence blow, and I'm guessing it's so corresponding to the sales and the operation, because a company that got hacked has a lot to bring back in terms of confidence to the users. It's not an easy process. We are moving to the next slide. We have the

Florin Cimpoca: Yeah, this was just a very nice photo, just a way to show how easy it is to hack. Here are a few examples, because you mentioned earlier, it's funny that you mentioned earlier, one of your guys from finance getting an email saying I need money transferred. All three of these companies you see here, Sequoia, Leoni and Toyota. All three got massively hacked. And in the case of Toyota, for example, it was exactly what you just described. Word by word, they got an email, it said you've got to transfer money urgently, and they transferred exactly $37.3 million. Sequoia had information of its investors leaked, and Leoni, same as with Toyota. They didn't lose 37.3, they lost 44 million. So again, we're going back to

Ran Cohen: Just a few examples of many many different hacks. It is a big world. And it's a hard process to really cover all corners and make sure, but I think the people factor is very important. How you train them and how you educate them. Which processes you have within the company and what awareness you have alerted on these aspects. This is what helps you in the end, making sure that the people in your company will think twice before they do something, will check, and if something is not feeling 100% for them, they will check again. And once you've brought this awareness and made them think, and helped your people think in that way, it helps you. But again, you need the full infrastructure of a team that is built to protect yourself. And it's like we said, it's an evolving world, and this team and the capabilities and the way you secure yourself must also evolve.

Florin Cimpoca: Yeah, absolutely.

Ran Cohen: See if there are any questions from the guys here.

Florin Cimpoca: I'm actually checking the polls. And everybody apparently came across cybersecurity threats, whether it was in a personal or work environment.

Ran Cohen: If you want to share with us anything from your experience of cybersecurity attacks or phishing attempts that you had, we'll be happy to hear and discuss it.

Florin Cimpoca: One of the favorites that happened to me, and I actually had a lot of fun with a guy who attempted this with me: I got a call from the UK. Now, because I work in Customer Success, obviously I have a lot of clients in a lot of different countries. So getting a call from the UK is nothing weird. But the guy was trying to convince me that he was working for Microsoft and that my computer was hacked. Now think to yourself, when would Microsoft have the time to dedicate support people to call each individual person that might be getting hacked? So from the beginning, it was absurd. But anyway, the guy calls me and he tries to convince me that he's working for Microsoft. And I was on my break. So I was like, let's humor the guy. So long story short, basically all the guy was trying to convince me to do was to go into, and this is a very common scam by the way, he was trying to convince me to go to the command prompt and input the F5 command, which is nothing more than, it's basically a command that gives you information on file directories and so on.

Ran Cohen: Yeah, but it's already weird. Why would someone ask you to...

Florin Cimpoca: This is why he asked me to input the F5 command, so he can convince me, because when you input the F5 command, what you get at the very end is a set of numbers and letters that are, according to the hacker, unique to your computer. And they're going to read that back to you to convince you that they know this unique number that is only for your computer. And that's how they can prove that they're working for Microsoft. Well, in fact, that is just a code which is the same for every single computer. And if you look up the F5 command scam, you'll see it's always the same number. It starts with 888DCA60. And then it continues, anyway. So basically, he was trying to convince me to do this so that then I would download antivirus from him, and obviously that would have given him access to my system and so on. Anyway, I had fun with the guy. I humored him for a while, we played around. Eventually I told him, listen man, I'm at work. My computer's at home. It's turned off. Can we like stop this? I mean, I had fun with this and all, but anyway, the guy got very upset, he told me, fine, solve it yourself, and he hung up the phone. So I don't think a Microsoft employee would talk to you like that; I like to think that their support team would be nicer than that.

Ran Cohen: Okay, let's move to the next section.

Florin Cimpoca: So, cybersecurity training awareness for your employees. These are the main things, guys, you need to cover with your employees at all times, like we've discussed: phishing calls, emails, chats, I think we've given you enough examples of that. We've spoken about insecure networks. We've spoken about malware, software updates, and this is the most important one in my experience: practical tests with employees. It never ever hurts to send suspicious emails to your employees and see whether or not they click on them.

Ran Cohen: Yeah, and I think it's also important to know how to react. So you test your employees. That's something that not every company is doing. But when you test your employees, it's also very much important to know how to test them, how to react when they fail or when they succeed. So to speak about the success, and to put out those places where the employee really stopped the attack or was cautious enough to alert on it. And for the ones that are not, to know how to explain to them what the mistake was and how they can avoid it again, and obviously test them again at a later stage. But I think it's very much important to know how to handle it. It's people in the end, and they react to it differently. No one wants to be the reason for the hack. And you need to know how to explain that and communicate it to them, both in success and in failure modes.

Florin Cimpoca: Absolutely. So guys, this is what you need to focus on. You really need to focus on your employees, because for your company, it doesn't matter how well you encrypt your hard drives, it doesn't matter how well you do all of these things, because one weak link can mean the difference between your company being happy and processing and everything going great, or losing clients' data. I mean, we live in very uncertain times. And recently I was reading an article where Anonymous are now threatening every company that is still processing, that is still participating in Russia; they basically threatened all Western brands. I mean, you've got everybody from Burger King to Pizza Hut to Taco Bell to this to that. I mean.

Ran Cohen: So what, Russian hackers?

Florin Cimpoca: No, no, Anonymous hackers are threatening Western brands. Anonymous. And that's why I'm saying it's important.

Ran Cohen: Yeah, there are many cases around the world, we hear it all the time. Hacking is obviously between countries and not only in companies. And when you go to that level, obviously we're speaking about different types of hacking, but the methods could be very much similar. But yes, it's for different reasons. Let's read more questions.

Florin Cimpoca: Alex: I just wanted to add that I think more scams could happen to private persons than companies. Some of them I heard before were the so-called popular romance scam, and ID theft. But they are not actual anymore. They're not so actual anymore.

Ran Cohen: First of all, you have today a lot of 3d verification and other ways to authenticate those people today. So you have less scams around ID theft. But from the other side, it's much easier to hack a single person without knowledge, without education, without the full team to support it, than to hack a company. Hacking a person, and even hacking a lot of private people and getting from them smaller amounts, can in the end sum up to a big one. So obviously, hacking private persons is easy.

Florin Cimpoca: Yeah. If you do a bit of research on that person, and you can do it easily these days, thanks to Facebook, Instagram, LinkedIn, you can just send somebody a software update, because we mentioned that you send it by email: accept new terms and conditions, you don't notice that the link it's being sent from is not genuine. You click their malicious malware. There was a very famous case where somebody got access to the private camera on somebody's computer and took photos of them daily in their private lives, and then obviously exploited them for money.

Ran Cohen: It can be also when you try to hack someone and to get his credit card. Credit cards have been stored in many different services that we're using, even in Netflix. You can have an email from Netflix asking you to re-enter your credit card. That's enough for you to go into a screen that looks like Netflix, feels like Netflix, but has nothing to do with Netflix, where you're just now re-entering your full card details. And it's not going to Netflix. So those card details are now going to be used to process, I don't know, one dollar once in a while, or a few dollars, so you won't see it or you won't feel it. And that is becoming very common today, to get emails that look like Google, look like Facebook, look like real companies have sent it to you. But it's not. And again, it's the little things that you need to look at: if it's the footer, and how they write the email exactly, how the email is being sent, the email address that you're getting it from. Those small things are the ones that you need to look at.

Florin Cimpoca: Yeah, Alex agrees. He said, exactly, and a lot of people should watch out for that. I agree, Alex, that's why we've covered this. But keep in mind that the Nigerian prince scam, which I mentioned earlier, still makes about $700,000 a year, according to a 2019 article I read. So $700,000 a year for something that's been around for decades now. And it's been in a ton of movies, and everybody keeps making fun of the Nigerian prince scam.

Ran Cohen: There are always people that would fall into a trap. But again, like Alex said, you go to the people, not to the companies, and it's becoming easier and very untraceable. When you have so many different regions, maybe they haven't heard about this incident yet. The next slide.

Florin Cimpoca: I'm checking here, I think we're reaching the end, where it should be Q&A. So guys, we've been talking, it's almost 40 minutes now. We don't want to keep people here more than they need to be. So if anybody has any more questions, feel free to ask us. We've talked about everything from human error to, we've touched also a bit on some of the systems you need to have in place. I think the main takeaway from here is, besides who is working for you and how you train them, I think the other thing you should always keep in mind is who you're working with. Who do you trust with your personal data? How much do you really trust all of these companies? And you need to have that trust in these companies. Ultimately, we all trust Netflix. I mean, I have a Netflix account.

Ran Cohen: Also in the services you use as a company: you surround yourself with services and software to run your business. And from the software that runs your websites and the infrastructure on the cloud that runs your website, that you need to have protected with, I don't know, Cloudflare or others that help protect or mitigate attacks, attacks on the front. And from the other side, the human factor, the fact that education, the right education for people, will help you avoid those cases. Also, be proactive, check and test them, and learn from mistakes and celebrate success. So people will understand, and it will be a part of the DNA of the company. And Matt is asking us how often we would recommend businesses conduct cybersecurity awareness training. I think the training should be an ongoing process, should be part of the onboarding of a new employee, should be part of a regular training program that you do for your employees and the content that you provide to them. And I think the testing, or testing the employees, is something that you should do throughout the year; awareness is something that you want to keep. You want to keep it sharp, and you want to make sure that they keep the awareness at a high level. And so that's also a part of what the teams that are designated to do that, once you're big enough, allow you to do and go through.

Florin Cimpoca: Look, like with everything, the more exposure you have to something, the more likely it is you'll be able to spot it. I worked with fake documents in one of my previous jobs. And by the end, I could spot a fake document in the blink of an eye. The more you expose yourself to it, the more you start noticing the flaws, the more you start noticing the grammatical mistakes in official emails sent by a company. I mean, come on, an official company won't be making grammatical mistakes, putting commas where they're not supposed to, or these sorts of things; you'll get them from somebody...

Ran Cohen: You need to be very much aware. You're getting so many emails every day, so it's becoming a bit like banner blindness in marketing. It's the same with email. And slowly you run too fast on that. And that's where mistakes are happening the most. So be aware, and make sure that you give your team the right education, and like we said, keep alerted. Okay, I see that we don't have any questions. So we say thank you to everyone. And we wish you a good evening. And let's see if we have any more questions.

Florin Cimpoca: Thank you guys. Nice to have a refresher on this. Thank you so much. No worries Diana. Guys, everyone. Thank you so much for attending this.

Ran Cohen: Thank you, Alex. Good to see you guys, the ones that are coming back to our events again. And for the new joiners, we hope to see you again; we have another event next week. So we'll be happy to see you soon.

Florin Cimpoca: Yeah, just to cover that real quick. The next event is, one second. I apologize for this, but I do not actually have it in front of me.

Ran Cohen: I think it's the differences between payment gateways and payment orchestration.

Florin Cimpoca: Yes. That's correct. Differences between payment gateways and payment orchestration.

Ran Cohen: So happy to see you at our next event. And thank you for joining us tonight. And have a great rest of the evening.

Florin Cimpoca: Yep, have a good one, guys. Bye.
