Surviving in a Trustless Society

If I were to ask you to define the word “trust,” which of these two items might you include? That trust is based on emotion because it’s something you feel about someone, or that trust is knowledge, based on fact? In other words, you trust someone because you have observed their behavior?

When I ask that question of people in my audiences or classes, I often get a three-way tie. One third votes that trust is emotion based, one third says it is fact based, and the last group suggests that it is both. And that’s the one I agree with. It’s a hybrid. The problem is, whichever way you look at trust, its presence is becoming far less welcome in our day-to-day lives, and with good reason.

Trust. It’s something that takes a long time to earn and only seconds to lose. As a thinking, feeling human being, I will feel trust for you after I have observed behaviors that support that feeling. A tangible collection of acts that together build in me a willingness to believe you will continue in the same manner.

But there is also trust that is built into the system, something that is especially exploited by cybercriminals. It should be a well-known fact by now that a great deal of cybercrime uses humans as its weak point. Spam is based on people clicking on a link or downloading a document because the email purports to be from someone credible. There’s a certain degree of trust here, often paired with some naivete, or simply being too busy to think and to doubt. If the email said, “this is an email from a criminal gang, click here to download malware into your system,” the odds of it being successful drop to almost zero.

Similarly, when a person receives a text message on their phone supposedly from the tax authorities, announcing a refund or collecting on an outstanding account, a lot of people, especially older people who grew up in the pre-internet era, have no reason to doubt the message and trust its validity by default.

This is also why robocalls still work so well. There is an implicit trust in the system, paired with a desire to be polite, that forces people to answer the phone regardless of who is calling. Even those who answer the robocall just to demand a stop to the calls are trusting that the people at the other end will honor that request. Spoiler alert: they won’t. They will simply re-sell your number to other gangs for a higher price, now that you have proven it’s a live line with a willing victim at the end.

Gap It

There are just too many stories of people who, every day, click on the link, or even the unsubscribe link, to resolve the problem that the message puts forward. They place their trust in the coding of the message itself.

It is time to pull this back. Trust belongs where it always has been, as a bond between two people who know each other well, and who have been able to build that trust relationship over a period of time, and as a result of many interactions, each of which has helped build trust, essentially brick by brick.

Trust has no place in the connected world of the internet.

To this end, there is a two-word mantra that I like to teach to everyone who will listen, that hopefully will put an end to much of the cybercrime and victimization that comes from clicking too willingly on a link.

That phrase is Gap it.

Gap It simply means: if you receive a message on any device that alerts you to a problem such as:

  • your bank account is frozen
  • a missed delivery
  • you’re in trouble with the tax authorities
  • your utilities are about to be cut off
  • you get a message appearing to be from a grandchild or cousin who is in jail and needs bail money

…or any other message that strikes fear into you, then place a gap between that message and your actions. Do not click the link in the message to try to solve the problem, but instead go in via a different route – your regular route, or the official route.

  • If the message is about a frozen bank account, then log in to your bank account through your computer.
  • If the message seems to be from the government tax authority, then call them, using their regular number.

Whatever utility or authority is involved, if there is a genuine problem, they will be able to find it through your account number. The point here is to place a gap between this threatening letter and your reaction. Not everyone is aware that this threatening letter links back to a criminal organization staffed with people who are skilled in techniques of further persuasion.

Teach people to Gap It. If an email-based invoice appears in an employee’s email, teach them to follow through by using the connections they already have on file. Call the supplier company directly through the number you always use.

Gap It is a critical-thinking technique, but it can also be trained into people as a conditioned response. The intent is to break the habit of unthinking reaction and replace it with the habit of inserting a gap: “this message says there is trouble with my bank? OK, then I will call the bank directly with the number I already have on file.” In other words, put a gap between the fear stimulus and the fear response.
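As an added example (not from the article or the podcast), here is a small Python helper that applies Gap It to a message: it ignores whatever link or number the message offers, returns the route already on file for the organisation the message claims to be from, and records any link whose host is not one of that organisation’s known domains. The directory, the domains and the sample messages are constructed for illustration.

```python
"""Added example, not from the article: a 'Gap It' triage helper.

Given the organisation a message claims to be from, it always returns the
contact route already on file and flags any link whose host is not one of
that organisation's known domains. Directory and messages are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed "on file" directory: routes you already use, independent of any message.
ON_FILE = {
    "bank": {"domains": {"bank.example"},
             "route": "Log in at https://bank.example or call the number on your card"},
    "tax": {"domains": {"tax.example.gov"},
            "route": "Call the tax office on its published number"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def link_hosts(text):
    """Host of every link in the message, as a browser would resolve it.
    urlsplit() gives the real host, so 'https://bank.example@evil.test/'
    yields 'evil.test': the text before '@' is userinfo, not the site."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname  # lower-cased by urlsplit
        if host:
            hosts.append(host)
    return hosts

def is_known_domain(host, domains):
    """True if host is a known domain or a genuine subdomain of one.
    'bank.example.verify-now.test' merely starts with the bank's name."""
    return any(host == d or host.endswith("." + d) for d in domains)

def gap_it(claimed_org, message):
    """Return (route_on_file, suspicious_hosts).
    The route is always the one on file, never the one the message offers;
    the list records which of the message's links fall outside known domains."""
    entry = ON_FILE.get(claimed_org)
    if entry is None:
        return ("No relationship on file: treat as unsolicited", link_hosts(message))
    bad = [h for h in link_hosts(message) if not is_known_domain(h, entry["domains"])]
    return (entry["route"], bad)

if __name__ == "__main__":
    # Constructed sample: a fear-inducing text with a look-alike link.
    print(gap_it("bank", "Your account is frozen. Verify now: "
                 "https://bank.example.verify-now.test/login"))
```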

Social engineering

It is more important than ever to be extremely vigilant and to use the Gap It method consistently – because thieves – the organized ones anyway – are not stupid. They know that first-line cyber defense works, and they also know that employees, whether they work in an office or at home, are too busy to keep up to speed with online safety practices. So they abuse our natural desire to trust.

Some of the relatively newer approaches to this are social engineering and vishing using deepfakes.

Social engineering brings the confidence game online. We have likely all heard the old term confidence trickster – someone who wheedles their way into your world by building confidence and trust in their victims. Ponzi schemes are the same – building trust among investors by fraudulently demonstrating great returns. These are cons, and they live on today in techniques like social engineering and business email compromise.

Social engineering often involves a person who works to get to know someone on the inside of an organization. One of the most famous of these was the Twitter hack of 2020, in which the accounts of some high-profile people, including Elon Musk and Barack Obama, were hacked and for a brief time started sending out ads for bitcoin. This shocked the cyber world, because Twitter, being one of the titans of this world, was expected to be impenetrable. But it turns out they were a victim of a social engineering hack, allegedly done by a single individual, not an organized crime gang. Just someone who was able to make contact with an employee on the inside and, through a series of conversations, was able to get access to the network. That’s what it’s all about – trust.

Other criminals go the bureaucratic route, setting up invoices that look like they are from actual suppliers that companies deal with. Maybe FedEx or UPS, or an HVAC company that takes care of the heating and air conditioning.

These by the way are the types of follow-on actions that result from a breach. When you as a consumer hear about a data breach at Home Depot, you might shrug your shoulders, and maybe change your account password. You might take comfort in the company’s offer of two years of credit monitoring and identity protection, and say, “that’s that. All good.”

But it’s not all good. Because in addition to the millions of accounts that the cybercriminals get away with from breaching this huge chain, they can also get access to emails, transaction records and other data that allows them access to names and purchase activity of another company they wish to target. They can then craft invoices, collection letters or other types of correspondence that have specific and correct names and purchase records included. These then get sent to a manager, who must hurry to deal with them. This is how corporate social engineering and business email compromise activities work. It’s a confidence game that often gets a leg up from another breach that is already forgotten about.

The rule, in business and in personal life, has to be trust no one. In IT and cybersecurity, this is actually called Zero Trust, and it’s a practice of exactly that – trusting no one – but it, too, must be carefully monitored to ensure that oversights do not happen.

For individuals, there has to be a zero trust policy, even among friends and family members. This doesn’t mean that you stop trusting them as individuals, but that you definitely stop trusting all communications as being from them.

For example, if I were a friend or family member of yours, I could easily send you an email or text along the lines of, “About that thing we talked about, here’s a video that shows more about it,” or “Don’t worry about the money. All the details are here,” with a link to something that turns out to be malware. In this instance, because I am part of your life, it is quite possible that we recently had a conversation which would make this type of message seem a perfect fit. Even though the topic of the message is generic, your mind and memory will easily fill in the blanks and connect it back to an earlier conversation.

This is why, when I talk to family members or friends, I will always make the subject line and/or message body highly specific. With elder relatives who are more prone to be trusting and also less sophisticated with their technologies, I always address them using a nickname, and tell them to never respond to a message from me that does not have that nickname in it.

Trustless goes global with blockchain

On a global scale, zero trust is the reason for blockchain. Most people have heard about blockchain in the context of cryptocurrencies like bitcoin, and the two get bundled together as an inexplicable money thing. But the relationship between bitcoin and blockchain can be illustrated quite easily. Bitcoin (the cryptocurrency) is to blockchain the same way your car is to gasoline or electricity. The source of the power that makes your car go is essentially a generic product – electricity or gasoline – and is used for a wide range of other applications. The fact that your car uses this makes it just one of many things that are users of that product. The same goes for your computer. If your computer uses Microsoft Windows, or for a Mac, the Mac OS, or if you have a phone that works on iOS or Android, then your individual device is just one of millions that use the operating system to function. You and I may do very different things on our devices, but we both use an operating system to make it work.

So blockchain is a global operating system that processes transactions. Bitcoin and other cryptocurrencies are products that operate using the blockchain system.

So if that’s clear, all I want to add to that is the way blockchain works is like a jury. In a court case, you want to have all twelve people be unanimous in their decision. Otherwise the case fails. Twelve individual and impartial people all agreeing. Blockchain is like that too, but instead of twelve people, there are one hundred or a thousand computers, each of which must agree that a specific transaction took place, with no dissent. Each of these computers registers the transaction in its own version of a general ledger.

This is done to replace older versions of business transactions in which trust was central. I can fax over a signed document to you, and you must trust that the signature on the bottom of that document is really from me, and that the document is not forged. The same goes for my signature, and in a world full of contracts and digital paperwork and a global economy in which companies thousands of miles away from each other do business, there has to be a better way of authenticating transactions.

The blockchain approach seems to be it. Its purported neutral nature ensures what its designers call immutability, and the fact that it is not owned by any one company – in fact your own computer could conceivably take part in a blockchain jury – means that it is impartial.

The importance of 2FA

The overall point is that trust is a rare element that should only be used between people who have experienced each other’s actions over time. It most certainly cannot be used for any type of messaging, especially digital messages on phones and in email, even if – and I cannot stress this strongly enough – even if they look like they are from someone you know.

Every message that requires action must be gapped – approached from an independent angle like logging on to a supplier’s website completely independent of the link in an email. And every log in should also use independent authentication – 2FA.

2FA is about receiving a passcode on your phone in order to log in to a website. Some people find this to be an annoyance, but it serves as an independent factor of confirmation, since your phone is a unique device that is never far from you, and if it were lost it would be locked. 2FA by phone is essential, and should never be considered an option for later. Sure, the few seconds it takes to receive and then enter the passcode might seem like a mild annoyance, but I equate this to searching for or fumbling with your house keys. Really not a big deal.

Experts will say, however, that as soon as you can, you should switch from a phone to some other type of 2FA device, since, as you might expect, the bad guys are always trying to deflect 2FA PIN codes across to them, which is yet another reason why you should never click on those spam text message links. Access to your phone as a 2FA device is what they might be after.

Trust was never meant to be a global thing, nor a thing shared between strangers. It has become that way because convenience and speed have become primary motivators of our actions and consequently impediments to better judgment. It is better overall to enjoy the greater comfort of living in a trustless society, and share the warmth of real trust only with the very few individuals in your life who truly deserve it.

This is the transcript of the CoolTimeLife podcast episode 37 - Surviving in a Trustless Society. If you would like to listen to it or review other podcasts in this series, visit my podcast page at steveprentice.com/podcast.
