The Cyber Security Expert That Got Hacked - A True story by Scott Schober

What made you write Hacked Again?

As a small business owner and security expert, I was naive in thinking I was immune to a cyber hack. After all, I regularly presented at security events, wrote on the subject frequently and taught others how to steer clear from online attacks. After my business was hacked again and again I found myself sharing my story with colleagues in hopes that they could protect themselves. The more I shared tips and lessons, the more people kept asking me to recommend a book with all that information. Since I couldn’t find one book that both told my story and contained all the security knowledge I had gleaned since my hacking, I decided to just write the book myself.

What new knowledge did you gain whilst writing Hacked Again?

Writing a book is far more challenging then I had ever dreamed and gave me great respect for writers of all kinds. After nearly two years of writing, I began the editing process. I quickly learned the importance of trusting my story and voice enough to stick to the central thesis. I could’ve added so many more chapters and details but if I got distracted so would my readers.

Furthermore, I was able to rapidly discern what content resonated with readers and what they tended to bypass by sharing sample chapters through blogs, discussion topics, and live presentations. This immediate feedback proved to be invaluable, complemented by the insights I received from my brother, who is not only a talented writer but also a reliable sounding board.

Besides the great feeling of achievement in actually seeing my book listed on Amazon and Barnes & Noble, I was able to connect with thousands of more individuals around the globe with my story. Many of these individuals I would never otherwise met if not for my book. So many have called, emailed and tweeted their thoughts, criticisms, and accolades. Many continue to ask about my next book so I began working on a followup entitled ‘Hacked Again- Lessons Learned’ which should be released by the end of the year. Some of the greatest benefits in writing a book are all of the unexpected opportunities. Since the book, I have become an increasingly in demand subject matter expert & keynote speaker on cybersecurity topics of my choosing.

Hacked Again can be purchased via Scott's website or on Amazon. Below is the first chapter of the book. 

Chapter 1- Cash in the Mattress

For small businesses to be competitive, they need to align with a strong bank. This allows a company to borrow capital, pay bills, and maintain a trusted source to safely hold valuable funds as their business grows. My parents, Gary and Eileen Schober, opened Berkeley Varitronics Systems’s (BVS) bank account back in 1973 at United Jersey Bank in Edison, New Jersey, when I was only four years old.

BVS was one of the very first corporate accounts opened at United Jersey Bank. Back then, it was not uncommon to walk into a bank where everyone knew everyone else and were on a first-name basis. This provided a level of comfort in knowing who was watching your money. There was an implied level of trust when
you saw those familiar faces, and you felt secure.

BVS continued to grow, and United Jersey Bank grew as well. United Jersey eventually bought out its rival, Summit Bank out of Summit, New Jersey, but kept the Summit name. In the early 2000s, Summit Bank was acquired by Fleet Boston and kept the name Fleet Bank in New Jersey. By 2005, Fleet Bank was acquired by Bank of America (BoA) in a large transaction. Needless to say, the friendly local bank that BVS trusted for decades has changed significantly: it’s now a goliath of a bank, not at all reminiscent of the early days of personalized small business banking.
In 2012, BVS continued to expand its wireless security offerings to security professionals, and I began getting numerous requests for advice about the tools I would recommend to counter wireless threats, as well as general questions on how to keep small businesses safe.

As soon as our solutions and advice began to get out into the mainstream, we also found ourselves a target for hackers.
Sharing and helping has always been fundamental in my upbringing. Hackers might appreciate advice and scripts from fellow hackers, but I can assure you that they do not appreciate anyone who makes their hacking more difficult by providing advice on protecting businesses from hacks. I was about to find this out the hard way.

It was late in 2012 when I logged onto BVS’s Bank of America (BoA) account and noticed multiple unfamiliar transactions. Since we had several debit cards corporate officers used for travel and trade-show expenses, I figured the charges were legitimate, albeit unknown to me. Upon closer inspection, though, I found many charges originated in states where no trade shows were scheduled. Something was not adding up. My eyes began to scan down the screen, seeing transaction after transaction of numerous unfamiliar debits from our account. Disbelief was followed quickly by disgust, and I blurted out the only thing I could see in front of me and the last thing I wanted to hear:
“We’ve been hacked.”

I immediately called our local BoA Edison branch that we have dealt with for decades and reported the breach. They did not seem as upset as I was and told me there was nothing the branch could do. They suggested I call their fraud department to report the breach. I quickly dialed BoA fraud department and was asked numerous questions to validate my credentials before I was assured they would take care of the breach and get our money back. My mind raced, wondering what could have happened. Even though under $10,000 was stolen, it was still a painful ordeal I never wanted to endure again. The process involved writing several letters to the bank and credit-card issuer, along with providing copies of invoices for our legitimate transactions so the
fraudulent ones would stick out like a sore thumb.

Trying to prove a transaction is unauthorized is futile, as no documentation ever exists to show what you did not do. This process, although lengthy and distracting, provided a valuable lesson to me as a small business owner: It is essential to maintain copies of all banking and customer invoices so that if you ever do suffer a breach, you can quickly work toward resolving it with well-organized documents to back your case. In the end, we jumped through all of the bank’s hoops, and after three long months, we received one hundred percent of the stolen funds back.

During those three months, we could not use our company debit cards and waited until they issued new cards. For credit card transactions during that down time, I used my personal card for purchases and was reimbursed from BVS. This proved to be a bad idea, as my personal credit card also became compromised.

I realized I was not just the typical consumer being targeted, but that the hackers were now targeting both my company and me as a cybersecurity expert.
This was personal.

Before I go further, I want to quickly clarify some terms:

Almost all credit card users have experienced what the banks and card issuers call fraud, which is why they have fraud departments. But what you may not realize is that all of these fraud claims and thefts are the result of hacks perpetrated by hackers. These might not be the images of hackers we have come to know through popular movies and TV of the evil criminals sitting in front of terminals all day writing code in some dank basement. Hackers don’t actually even need a computer, just some basic social skills and the audacity to use someone else’s money or identity to steal for themselves. Social engineering is an effective tactic hackers employ that involves tricking individuals to break normal security procedures. When someone uses your credit card to make an unauthorized purchase at a retail store or a website, they are socially engineering the situation to fool the store into believing they are you. Some might see it more as a con game or simple theft, but make no mistake: these thieves are manipulating people and policies in order to control the technology behind it all. That is the essence of hacking.

During the investigation of the BVS hack, we discovered our debit card was compromised (meaning a hacker stole our debit card information as we purchased items online) on a website we did not normally frequent.

Unauthorized debits appeared all over our bank statement.
The hacker took our credit card credentials and sold them on the dark web, along with thousands of other victims’ compromised credentials. The dark web is the term for a portion of World Wide Web content that is not indexed by standard search engines and is generally attributed to hacking and illegal cyberactivities.

Cyberhackers can search forums in the dark web for particular individuals they want to target, and it seemed likely my name was on their list.
I relentlessly pushed the bank’s fraud department to explain what we could have done differently to prevent the breach. They emphasized that we should only deal with companies we know and have worked with in the past. The irony of this statement from BoA was not lost on me. Here we are dealing with a bank that we used to know intimately, and through numerous name changes, buyouts, and mergers became a veritable stranger to BVS for all intents and purposes. Now they are telling me to only deal with people and companies I know and trust. I can understand why many people have lost their faith in banks altogether and store their hardearned cash under their mattresses.

Realizing the pain of moving all our company assets  to a different bank, we reluctantly agreed to the bank’s recommendations and trudged through the process of getting new cards issued and new passwords. It was back to business as usual—or so I thought.