Ep. 125 Protect Yourself From Fraud: Cybersecurity 101
THE FINANCIAL COMMUTE

This week’s episode of THE FINANCIAL COMMUTE features a special session recorded live from Morton Wealth’s 2024 Investor Symposium. Executive Vice President Eric Selter invites Carmine Cicalese, Senior Partner at Digital Privacy & Protection, LLC, to discuss protecting oneself from cybersecurity threats.

Here are some key takeaways from their conversation:

  • More than half of U.S. citizens have experienced cybercrime, with identity theft occurring every 22 seconds.
  • Fraudsters typically use phishing (email), smishing (text), and vishing (voice) to manipulate victims, often using AI to clone voices for scams.
  • If money is stolen from an online bank or investment account, recovery is unlikely due to liability agreements customers sign.
  • Best practices for protecting yourself include using a VPN, a password manager, a private email (not a free email platform like Gmail or Outlook) for sensitive matters, multi-factor authentication, ensuring your passwords are strong and unique (20+ characters), changing default passwords on smart home devices, and refraining from posting too much about your personal life on social media.
  • It's crucial to remember that if a platform is free, you are the product. They are probably selling your data, and it is important to practice caution when communicating personal info across these free platforms.
  • The best protection is a healthy dose of skepticism. If something feels suspicious, don’t engage.

Good afternoon. I hope everybody's having a very good time at the symposium. Yes. Just a quick shout out to all the teams at Morton Wealth, they have just put on an amazing job. They've done a great job that every year they do. And anyway, I thank them for it because it's been great. Okay, so put on your seatbelts because it's time to get afraid to be very, very afraid.

All right. Let me start by giving you some statistics before I introduce this gentleman next to me. More than half of all US citizens have experienced cybercrime. Someone's identity is stolen every 22 seconds. 1 million passwords are stolen each week. 2.5 million people have their health insurance stolen each year. Now, those of you that know if you've ever sent out a wire involving with Morton Wealth, you know how crazy we are that we have to verbally confirm, you have to verbally confirm.

That's because of all the hacking, everything that's going on. And just, you know, all of what I just said to you, that's the good news. The bad news is that I say that there's two kinds of people in this world, those that have been hacked, and those that are going to be.

So unfortunately, it's something that will probably ultimately happen. And I'm not trying to scare you. I am trying to scare you. Never mind. Hold on there, I really am. But the bottom line is, if you're not concerned, if you're not afraid, you're not paying attention. I mean, you really need to be. So we've got all the scams in the world.

I call it the phishing family. You've got the phishing for emails. You've got the smishing for the text. You've got now the vishing, using your voice, because what they do is they play on your human emotions. They'll call you up. We've got your grandchild. We've got this information.

If you don't pay us this much, we're going to do this and that. They have found out that they can get your voice by getting you to talk for about 15 seconds, and they can actually then using AI, they can duplicate your voice and possibly use it against you.

So that's why today we've got Carmine Cicalese from Digital Protection and Privacy. Now, I'm just going to give you the very basics, that he helped build our nation's cyber warfare capabilities during a distinguished career in the United States Army that spanned nearly three decades. His assignments included overseeing the formulation of the Army's cyber warfare strategy, including cyber warfare operations in Iraq and serving as an army representative at the National Security Agency.

He also developed cyber warfare courses for and taught for the National Defense University. He's pretty much the smartest guy in the room. Let's listen to what he has to say about this stuff. So deep basically works to create a personal, layered digital security structure, i.e. to let people not be able to get ahold of your identity, not, you know, not know.

So, Carmine, I just provided a lot of fun examples. I'm going to assume that you've got some more stories that you're going to share with us because we don't certainly want them to walk away without a little fear in their heart.

What are some cyber risks that most people have but are often completely unaware of?

Well, first of all, thanks for having me. It's great to be here. I love coming to this because I just like to sit back and learn something about wealth management and getting free financial advice. So, two big risks that people don't realize. Number one, if your money is stolen from your online bank or custodial account, you're likely not getting it back.

And why is that? And that's because when you open the account, you signed an agreement that basically said if you are even found indirectly liable, you will not be reimbursed. So let's be frank about the situation. Banks and custodians spend billions of dollars on cyber security and the bad guys know it. So they're going after the weak link.

And the weak link is us users and our accounts. So that really has a profound effect on how they're going to act. Cybercriminals are going to act. But you really shouldn't be surprised that businesses do this or that. The custodians do this. Because if you look at any other online business, Amazon, Venmo, Airbnb, they're all the same.

If something goes wrong, you can't sue them. They can sue you. The second thing that people don't realize is they operate with very poor cyber privacy, and that they leave their social media accounts unprotected. And this is just a target for burglars and predators. The FBI did a recent study and showed that four out of five burglaries occurred after the burglar basically cased the person's situation through their social media account.

They knew they're going to be out of town, or they knew that only elderly people would be there. And it's an easy target. Likewise, the FBI has also opened up a special division just for the teenage sextortion. And that's because proud parents and grandparents have social media accounts that are unprotected, and they're leaving all of these photos and videos of their children and grandchildren whom they're very proud of.

But they're out there for anybody else to download. Makes them very vulnerable.

So basically, then, what should people be doing in order to protect you and to protect because you've got cyber security. You got cyber privacy. You kind of give that example. What should people be doing to protect themselves along those lines?

So just to distinguish between the two. Cyber security is about protecting access to your account. Cyber privacy is about protecting access to your information and limiting who can get to it. So you know, things to consider in terms of protecting yourself is you'll want to do things like you want to have a virtual private network. And what that does is encrypt your signal so that someone else can't read what you're doing or see you inputting passwords.

Good examples. You go to a hotel, or you're out at Starbucks and you're using your phone or your laptop. You really want an encrypted signal and something else that you want to do is you want to have a password manager that will help you keep track of all of these passwords. This way you don't have to remember all of them.

So this week in the meeting, sophisticated passwords make it hard to get in. That will also help you control multifactor authentication. You also want to have a private email. So this is different than your personal email. You think about your free Outlook or Yahoo account. And by the way, if you've ever seen Tim Cook, the CEO of Apple, testifying in front of Congress, and he says if the product is free, you are the product.

They're actually selling your data. And this is why you want a personal... a private email that's disconnected from that. You just want to use it for your private accounts, for your bank, for your brokerage, maybe your insurance. You're not using this to communicate with families, because when the bad guys break into your account, the first thing they're going to do is go see where do you do business.

And then if you go to those sites and you say reset password, where does the prompt go to? It goes to your email. So you don't want, you know, your bank or your brokerage accounts going to your personal email. And the last thing you want to do is you want to go into your devices and you want to lock down all of these settings.

You know, for example, an Apple device has over 60 security and privacy settings, a Windows device, 120. If you operate on social media, a Meta platform has over 80 prompts. LinkedIn over 110. And that's a lot out there. But those are the types of things that you want to do to protect yourself.

Could you give us an example, of how people have been victimized by poor cybersecurity?

Sure. I'll give a couple examples. You know, one example is a person was purchasing a $2.5 million home and what happened is the person had a simple, not very complex password to their email account. So you've probably heard this before. And when it comes to passwords, you want to have uppercase, lowercase, numbers and a special character, right?

Anybody have one that's eight characters long, right? ChatGPT can break it in one second. Sorry. So we recommend going at least to 20 characters. It's an easy number to remember. The password manager will do it for you.

And then also, you're also going to stay ahead of computing power because it's only going to get faster. So anyway, this person had a simple email or simple password on their email. And the bad guys were to break into it. Thanks to AI, thanks to AI, they can rapidly download and process all the emails and then amalgamate the keywords like house sale, wealth manager and figure out what's going on.

So from there, again, thanks to AI. Look at all of the emails they sent to their wealth manager, and they're able to produce a reasonable-looking facsimile of what that person or how that person communicates to the wealth manager. They send the wealth manager a file with a virus.

Wealth manager downloads the virus, and now the bad guys are behind the wealth manager, and they know there's going to be a house purchase and now they just sit and wait, and then they watch the traffic and they see when the purchase is going to go through. And at the last moment they change the wiring instructions by, by 2.5 million.

I'll give you another example. And this is more towards cyber privacy. Doctor's family had a social media account. It was unprotected. Of course again they like to post pictures out there of their family, including their daughter. Bad guys downloaded videos of their daughter and then using something. Now they're called the deepfakes, where they can recreate your voice or image.

And then with playing the daughter's screaming voice in the background shouting for help, tell them they need to send a substantial amount of money or they're going to do physical harm to her.

What are you able to do for them? Besides, I know you guys include a VPN, but what are the things do you do in order to make that happen for people?

Sure. Sure. So I talked about those four things earlier the virtual private network, the password manager, the private email, and then going through all the settings. And that's what you do to establish your personal digital security structure. And in addition to that, we help you manage the risks. So we keep track of your Social Security number and the like on the dark web, working with a company called Dark Owl.

We also provide education to you and your family about what are the cyber-threats. We also provide training on how to use all of these commercial off-the-shelf software. And you can always call us at any time, 24/7, to get assistance on that. And then we also do annual updates because these companies will update their operating systems.

Especially, you know, the browsers, the search engines and the like, because of all of those devices, because of the customer experience will help you set and collect your passwords. But the problem is, you don't want them scattered all over the place, and you don't necessarily want all of your security settings open, but through for customer experience and the like they're going to update those.

So if you want to go through once a year and again tighten down all of those openings in privacy and security and make sure that you keep all of your passwords consolidated in the password manager.

Okay. Great things. So what I want to do now is I'm going to do a little bit of like the lightning round and I want to hit upon a number of items that I think that people can use to protect themselves and get your opinion on them.

So you already mentioned the password manager. Which service do you normally recommend?

So the password manager that we use is Keeper. And one of the reasons we use Keeper is they don't sell your data. That's the very key point. And a lot of these companies sell your data. I'll just also throw a cautionary out there about if you like again free things. Remember you're the product. So if you're going to get something for free you realize they're probably going to sell your data.

Okay. And I didn't know that. I happen to use Keeper myself, but I didn't know the other ones sell your data, which is another scary thing into itself. Identity protection services. I've got that where, you know, I get notified of an account's open, etc. What's your opinion on them?

I have an identity protection service. Because it was free to me, I was a victim of the Office of Personnel Management breach back in 2012, and that was attributed to the Chinese. They got everything on me. And because I had a security clearance, they had all of my financials, even had my fingerprints.

And you could be me and I wouldn't know it. Right. But, even though it's free, I wouldn't pay for it. And there are a few things to consider. Number one, they don't do anything to help your cybersecurity. Right? All they do is tell you after the fact that you had a breach. Kind of like a pregnancy test.

Congratulations. Number two, they don't do anything to help your cyber privacy. And some of them will actually even sell your data, so that's really not helpful. And number three is if they're offering some type of insurance service, understand that's an umbrella policy. So if you want to collect on that, you've got to go to all the other companies where you have some type of insurance and then have them, of course, all deny you.

And then you're going to go to arbitration. And if you lose arbitration, there's a very good chance that you're going to come back and charge you for the lawyer fees. And the last part to consider about there is just like any insurance policy, what's the diligence requirements? Because if you haven't met those diligence requirements, if it says use a password or use our password manager and you haven't set that up, you're not going to collect.

Okay. The next one I know that my credit, my Social Security number has been out there from so many breaches from so many different companies. So I froze my credit. That way, I figured I don't apply for credit that often. I'd rather it got frozen. What do you think about freezing your credit?

And frankly, I've done the same thing for the same reasons, but just kind of like, you know, I think we're both in a similar point in our lives where we're not applying for credit all the time. So it's not really hard to manage. If you're in a more fluid environment, it might not be worth it. But remember, consider this about identity theft.

If it ruins your credit score or affects it, that's not fun. And it takes some extra effort to get that restored. But if the bank makes a bad loan, you're not on the hook for it. Federal law changed all of that. So it's really on the banks to assure that they loaned to the real you based on that credit.

Okay. What about people that use dual factor authentication, multifactor authentication, authenticator apps? Do you think those are worthwhile?

Absolutely. Don't use multi-factor authentication at your own peril. I don't know why you wouldn't use that. As far as the authentication apps are, I consider them to be generally better than using, getting a cell phone text. Because cell phones can be spoofed. But even, you know, just bear in mind that some of the authenticators even have some vulnerabilities, and those have been breached as well.

But again, I definitely use them. I prefer to use the authenticator app or even a phone call to a landline if you still have it.

What about locking your digital household? You've got your thermostats, you got your Wi-Fi. How do you lock those things up?

A lot of hacks come in through there. So, don't forget all of these smart home devices have a default password. The default password is in the manual, and the manual is found where? Online. So everybody has access to it. You have to reset the password. All right. And you have to use a sophisticated password.

Otherwise they get into your home. And that's very easy to monitor a lot of other things going on. I would just almost also offer along the same lines with regards to cyber privacy. If you get like a smart TV, before you accept enable voice mode, read the user license agreement on it. You might not want to do that afterwards.

Okay. All right. We've only got about a minute left, so I wanted to kind of sum this up. And also if you've got any, you know, last minute, you've already scared us enough. Thank you. Everybody needs to be a cyber security expert, even though you're not. And I guess the thing for me is have a healthy dose of skepticism.

When in doubt, don't do it. And if you want to be able to, you know, protect your family, you're going to need to be able to start taking these steps. Is it a pain? Yes, it is, but you need to do it in order to protect yourself.

So it's like the founder of your company, Mr. Hurley said to me, Kurt Cobain from Nirvana. Anybody know Kurt Cobain from Nirvana? Somebody knows them, right? Thank you. Just because you're paranoid doesn't mean they aren't after you.

Yeah. No, thanks for that. I just want to echo, you know, having a healthy dose of skepticism and having good cyber hygiene. At least know how to, you know, operate your system. Just a little bit more about digital privacy and protection. We are available only through your wealth manager. If you talk to your Morton Wealth manager, we have a landing page.

We've got information for you. If you want it, we can send you their information so that you can get right to them. Because you do have to go through a financial manager, there's no doubt.

Okay. So those of you that have been around as long as me for at least a few years, if you remember the old Hill Street Blues at the end... when the sergeant was sending them out in the morning.

What do you say to them? Let's be careful out there.

Information presented herein is for discussion and illustrative purposes only. The views and opinions expressed in the recording are those of the interviewees and may not necessarily reflect the views of Morton Wealth. Although the information contained in this report is from sources deemed to be reliable, Morton makes no representation as to the adequacy, accuracy or completeness of such information and it has accepted the information without further verification. You should consult with your attorney, finance professional or accountant before implementing any transactions and/or strategies concerning your finances.