Hacking Humans 5.19.22
Ep 196 | 5.19.22

Voice authentication taking hold.

Transcript

Mark Horne: It is quickly becoming one of the preferred authentication methods. I don't have to remember what was the four-digit PIN I set on my phone for that account versus what was my login and password versus my chip and PIN. Now I can use voice as that single authentication method across all those interactions.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week, and later in the show, my conversation with Mark Horne. He is chief marketing officer at Pindrop, and we're going to be talking about voice authentication. 

Dave Bittner: All right, Joe. We've got - before we get to our stories here... 

Joe Carrigan: Yep. 

Dave Bittner: ...We've got some follow-up here. We've actually got two bits of follow-up. 

Joe Carrigan: Indeed. 

Dave Bittner: I'll tell you - why don't I do the first one, and then you can take the second one? 

Joe Carrigan: OK. 

Dave Bittner: So the first one comes from a listener named Nick (ph), who says, in the latest episode, "Business Phishing: Who's Biting the Bait?," neither of you were sure what the play was for the Catch of the Day. 

Joe Carrigan: This was last episode. 

Dave Bittner: Yeah, I remember that. 

Joe Carrigan: Yep. 

Dave Bittner: Nick says this was definitely a crypto scam. I only know this because I nearly fell for one of these, as much as I am ashamed to admit since I am very security-conscious. 

Joe Carrigan: Don't be ashamed to admit it, Nick. 

Dave Bittner: (Laughter) The security - or rather, the structure of the scam was identical to what was described. They are supposedly some young, beautiful woman from somewhere in Asia, currently living in some big U.S. city like New York. It starts off where they accidentally sent an SMS message to you by mistake. They make a lot of small talk with an occasional mention of how they're trading thousands of dollars in crypto, but they're not pushy about it. They'll eventually ask to move to another platform like WhatsApp or Telegram. If you happen to ask about their crypto, that's when they start to hook you in. They will tell you that they will share their trading methods that can make you thousands. They will first have you sign up for one of the major crypto trading platforms to perhaps make this appear legitimate. 

Joe Carrigan: Really? 

Dave Bittner: After you do that, they will suddenly tell you they are not using that platform anymore and direct you to some other, lesser-known platform to buy crypto. 

Joe Carrigan: Aha. 

Dave Bittner: Once you do that, they will tell you to transfer the crypto to another platform... 

Joe Carrigan: (Laughter) I see. 

Dave Bittner: ...Called 78 EX. This is supposedly where all the magic will happen. 

Joe Carrigan: Right. I'll bet it's just their wallets. 

Dave Bittner: But this is not a legitimate platform in the slightest. To install this app on iOS, you need to install a developer profile which will sideload the app. 

Joe Carrigan: Really? 

Dave Bittner: Well, that's about as red a flag as you can be, right? 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: Actually, Nick says this is where the bells and whistles started going off. Yeah, yeah, yeah. 

Joe Carrigan: This doesn't need to be this complex. 

Dave Bittner: He says, after Googling this app, I found a lot of stories from people that had the same experience I did. This is where I stopped and immediately blocked this person. But from other stories I read, once you transfer any crypto to this platform, it's gone. 

Joe Carrigan: Right. 

Dave Bittner: You're not getting it back. 

Joe Carrigan: Yeah, that makes sense. It doesn't need to be that complex. 

Dave Bittner: Yeah. 

Joe Carrigan: You don't need to have a sideloaded app. You just need to have a fake website where you let people create accounts and then give them wallet addresses that are - that you're in control of 'cause if you think of any of these big crypto exchanges - right? - they all manage their own wallets. You have to deposit crypto in them and trust that they're going to keep account of it. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: If that trust is misplaced, there's nothing stopping, like, say, Coinbase from just saying, see you guys later, and taking their big... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...You know, their big bags of money and heading off to Tahiti. 

Dave Bittner: Right. 

Joe Carrigan: I mean, the only thing that's stopping them, of course, is regulation and the fact that this is a business. And Coinbase is completely legitimate, but it is within their power to do that just like it's within the power of any bank to just abscond with all your money. But there's ramifications for things that happen like that, right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: These guys are obviously playing the long game. But if you wanted to set up Dave's Bank on the corner of - right out here in beautiful Maple Lawn... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Which - it used to be called Scaggsville... 

(LAUGHTER) 

Joe Carrigan: ...As you like to point out. And you said Dave's Bank, and you could convince people to come in and deposit money. Then you could just take off with it. 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, yeah, you're committing a crime, but... 

Dave Bittner: (Laughter) It may come to that. 

Joe Carrigan: Right. 

Dave Bittner: Maybe - that may be my retirement plans. Yeah (laughter). 

Joe Carrigan: One day you and I will have to talk about what my retirement plan is. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: It's pretty funny. 

Dave Bittner: All right. So thanks to Nick for writing in and providing that clarification for us. We got another listener who wrote in. Joe, why don't you read us this one? 

Joe Carrigan: All right. This one comes from Michael (ph), who writes, hi, Dave and Joe. I have a bit of feedback I'd like to share about Episode 194, "The Dark Side of Business Email Attacks," as well as a bit of insight. In this episode, Joe speaks about mystery shoppers and how companies don't really do this anymore. Maybe the practice has reduced with the number of online stores available now, but companies definitely still do this. We have a family friend who facilitates training of retail staff that asked my wife if she would like to be a mystery shopper - no gift cards involved. I promise. The interesting part is that these mystery shoppers are given a set of directives, things they need to do and then rate. One of these directives is to be a difficult customer and to see how staff respond and manage the situation. So my wife is telling me all this, and as she's doing that, I'm thinking this sounds an awful lot like a customer service equivalent of a penetration test or vulnerability scanning. These mystery shoppers go out and look for weaknesses in how customer-facing staff engage, respond and manage customer interaction. And that information is reported back to management. And in the case of this family friend, they can highlight the gaps and recommend training and improvements. I just found it somewhat enlightening that if you look hard enough, you can make these connections between cyber/information security practice and something completely different. That's an interesting observation. 

Dave Bittner: Yeah. 

Joe Carrigan: I completely agree. There's a lot of things that go on that - in the cyber world that have real-world equivalents. And this - I think that's a valid comparison - that a mystery shopper is essentially a vulnerability scan of your customer-facing organization. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm glad to hear they're still doing it. Perhaps I'm wrong about how frequent it happens. 

Dave Bittner: All right. Well, our thanks to Michael for sending that in - very interesting stuff indeed. We would love to hear from you. If you have a comment for us or something you'd like us to consider for the show, you can email us. It's hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, let's dig into our stories this week. Why don't you start things off for us? 

Joe Carrigan: Dave, who are some of your favorite actors? 

Dave Bittner: Oh, gosh. Let's see. I like Emma Thompson a lot. 

Joe Carrigan: I like Emma Thompson, too. 

Dave Bittner: The great Meryl Streep, of course. 

Joe Carrigan: Oh, magnificent. 

Dave Bittner: Morgan Freeman has never disappointed me... 

Joe Carrigan: Morgan Freeman. I love his voice. 

Dave Bittner: ...All the way back to Easy Reader on "The Electric Company" (laughter). 

Joe Carrigan: On the "Electric Company." I remember Morgan Freeman on "The Electric Company" when I was a kid. 

Dave Bittner: That's right. Yeah, yeah. 

Joe Carrigan: (Laughter). 

Dave Bittner: So I - you know, I think it's a solid list. 

Joe Carrigan: Yeah. My solid - my top three are - and you and I and Rick Howard have had this conversation, and Rick says it's a weird top three to have. 

Dave Bittner: OK. 

Joe Carrigan: But my top three are Kathy Bates... 

Dave Bittner: Yeah, good. 

Joe Carrigan: ...Morgan Freeman... 

Dave Bittner: Yeah, oh yeah. 

Joe Carrigan: ...And Brad Pitt. 

Dave Bittner: OK. 

Joe Carrigan: Right? 

Dave Bittner: Yeah, solid. Yep. 

Joe Carrigan: I like - and I have my reasons for them but mainly because these three actors have done a lot of transition between comedy and drama. 

Dave Bittner: OK. 

Joe Carrigan: And I think drama is easy to do, and comedy's very hard to do. 

Dave Bittner: OK. 

Joe Carrigan: So if somebody can make the transition between the two - and Brad Pitt's comedy is all, like, dark comedies, you know, like "Lock" - or not "Lock, Stock and Two Smoking Barrels." What's the - "Snatch," which is a fantastic movie... 

Dave Bittner: OK. 

Joe Carrigan: ...And then "Burn After Reading," which is a great movie as well. But they're dark comedies. 

Dave Bittner: OK. 

Joe Carrigan: But if I had to pick another actor who kind of does this bridging the gap - he doesn't - hasn't bridged a lot of comedy gaps lately. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? But he's still one of my favorite actors - is Keanu Reeves. 

Dave Bittner: OK. 

Joe Carrigan: OK, 'cause if you think about all the way back to "Bill and Ted" - right? - and then all the way up to, like, "The Matrix" and the trilogies and all the other things - "The Matrix" trilogy - all the other things he's done - you know, "47 Ronin" - I really like him. 

Dave Bittner: Yeah. 

Joe Carrigan: He's really good. He's a great action movie star as well. I'd like to see him do more comedy. I'd like to see him branch out into that. But - oh, I also love his comic book, "BRZRKR," which is not for kids, by the way. But... 

Dave Bittner: (Laughter). 

Joe Carrigan: It's a great storyline. 

Dave Bittner: OK. 

Joe Carrigan: But I do all this gushing about Keanu Reeves because KTLA out in Southern California has a story about a woman named Pamela Landers... 

Dave Bittner: OK. 

Joe Carrigan: ...Who was targeted by a romance scammer pretending to be Keanu Reeves. 

Dave Bittner: Oh. 

Joe Carrigan: And it started with a text message. And there's some interesting things that go on in the video along with the article. Yeah, there's an article, but the video is actually better to watch. 

Dave Bittner: OK. 

Joe Carrigan: The first thing that's important to note is that these scammers took weeks to prep Miss Landers, OK? After they had been impersonating Keanu Reeves for this period of time, they begin the conversation. And they ask, well, what's your net worth? I don't know if this was a red flag to Miss Landers, but she told them it was - she was worth about $400,000... 

Dave Bittner: OK. 

Joe Carrigan: ...Which may or may not be accurate. I don't know. 

Dave Bittner: So at this point, does she, in some part of her brain, believe that she's really interacting with Keanu Reeves? 

Joe Carrigan: I think by this point - it doesn't really say in the article, but my impression is - or from the story. But my impression is that once he starts asking about her net worth, she starts having red flags go off. 

Dave Bittner: But there was a point in this where she thought maybe she was... 

Joe Carrigan: Yes. 

Dave Bittner: ...Interacting with Keanu Reeves. 

Joe Carrigan: That's correct. 

Dave Bittner: OK. So they were convincing enough in that that she... 

Joe Carrigan: They were convincing enough in that. And that's... 

Dave Bittner: OK. 

Joe Carrigan: ...Where I'm going to go eventually with this. 

Dave Bittner: OK. 

Joe Carrigan: Reading ahead, Dave. 

Dave Bittner: Sorry (laughter). 

Joe Carrigan: That's all right. But one of the reasons is she's an accountant. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And when this guy asks for money, she immediately thinks, what does Keanu Reeves, who's worth more than $300 million, need with my money? And, you know, my $400,000 is four orders of magnitude less than his money. 

Dave Bittner: OK. 

Joe Carrigan: Why would he need that? 

Dave Bittner: Right. 

Joe Carrigan: Right? So that is the big stop right there. 

Dave Bittner: Yeah. 

Joe Carrigan: Now, I will say this. Miss Landers is steeped in the world of finance, being an accountant. 

Dave Bittner: Right. 

Joe Carrigan: Right? So this makes absolute sense to her that - or this is the - this makes no sense to her is what I'm trying to say. 

Dave Bittner: OK. 

Joe Carrigan: And I don't know why I said it the other way, but I did. And because of her career, this stood out as something that's completely wrong and just off-the-wall crazy. 

Dave Bittner: Yeah. 

Joe Carrigan: But if she wasn't an accountant, she may have been susceptible to this kind of thing. Miss Landers turned out to be a pretty big - a pretty bad target because of that. And then at some point in time, she's in the interview saying, people don't fall in love like this, right? It just doesn't happen. People generally meet. Nobody falls in love over text. Maybe one person does, but two people generally don't, which is another bit - good bit of awareness on her part. So she did not fall victim to the scam, but she was targeted by somebody pretending to be Keanu Reeves. Now, in the interview, the reporter is talking to her and says, it's nice to be courted. And this is important. This is what I thought was the most salient point here. She goes, oh, it was wonderful. Right? 

Dave Bittner: Yeah. 

Joe Carrigan: That's the part of this that makes everything work - is that she was being courted. And she openly admits and says now it was the most wonderful part of the experience, even going so far as to say, looking back through the texts, she still remembers how she felt about it and how much she liked it. 

Dave Bittner: Yeah. 

Joe Carrigan: And another thing she says is that if you have any kind of emptiness inside of you, these guys are going to find it, and they're going to exploit it. So first off, I want to express my gratitude to Pamela Landers for coming forward with the story. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, they're - they make the point in this story all the time that people are scammed in romance scams, and they don't come forward because they're too embarrassed. 

Dave Bittner: Right. 

Joe Carrigan: Now, Mrs. Landers wasn't scammed. But still, coming forward and saying these things - that, yes, it was wonderful when they were paying attention to me - that is key. And then saying that these guys are going to find your vulnerabilities and exploit them... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That is key as well. Those are two key points, right? It's wonderful, and they're going to exploit you. KTLA said that they could not get in touch with Keanu Reeves, but... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Which - surprise, right? 

Dave Bittner: Keanu Reeves could not be reached for comment (laughter). 

Joe Carrigan: Yeah, exactly. You know, I tried to reach Keanu Reeves for this. He didn't respond to me, either. 

Dave Bittner: Oh, well, there you go. 

Joe Carrigan: Right. But his publicist did release a statement that says, Keanu Reeves does not participate in any form of social media, nor has he ever done so in the past, nor plan to do so in the future. If anyone tries to contact you via social media claiming to be him, it is a fraud. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: That's just one more reason to admire Keanu Reeves. 

Dave Bittner: Yeah. 

Joe Carrigan: I wish I could be more like him. 

Dave Bittner: (Laughter). 

Joe Carrigan: You know, every now and then, I have these scams that may work on me, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: This one might work on me because I'm a big fan of Keanu Reeves. 

Dave Bittner: Oh, I see. Yeah - a little romance scam from Keanu Reeves. 

Joe Carrigan: Right. 

Dave Bittner: Interesting - good to know (laughter). 

Joe Carrigan: Well, actually, I would be like, Keanu Reeves, I love your comic book - right? - and then... 

Dave Bittner: OK. 

Joe Carrigan: ...'Cause that's, you know, it's... 

Dave Bittner: Right - a bromance between... 

Joe Carrigan: Right. Exactly. 

Dave Bittner: ...You and Keanu. Yeah. 

Joe Carrigan: Yeah. You remember the time that I said Kevin Smith replied to one of my tweets or liked one of my tweets... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And how much I was like, oh, Kevin Smith liked my tweet? 

Dave Bittner: Yeah, that's a good point. 

Joe Carrigan: Yeah, I was on fire about that. 

Dave Bittner: It feels great. 

Joe Carrigan: It does. 

Dave Bittner: Yeah. And that's what happened to Miss Landers. 

Joe Carrigan: That's right. 

Dave Bittner: Do you remember the Landers sisters back in the '70s? I think it was Audrey and Judy Landers. They were regulars on "The Love Boat," I think. 

Joe Carrigan: Oh. 

Dave Bittner: They were kind of... 

Joe Carrigan: I think I vaguely remember. They were blonde girls... 

Dave Bittner: Yeah, yeah, yeah. 

Joe Carrigan: Blonde women. Yeah. 

Dave Bittner: And, you know, quite attractive, quite shapely in a '70s exploitative kind of way. 

Joe Carrigan: Right. Yeah. 

Dave Bittner: But, you know, like, if they needed a damsel in distress for "Knight Rider" or "B.J. and the Bear" - right... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...You could always count on the Landers sisters to show up and have some sort of romantic intrigue with the lead male in the - you know, that was the part they played back then. Anyway... 

Joe Carrigan: Yes. 

Dave Bittner: Yeah, that's what Landers made me think of. And now we'll get back on track. 

(LAUGHTER) 

Joe Carrigan: Now all I'm thinking about is an orangutan in "B.J. and the Bear." 

Dave Bittner: It was a little chimpanzee. 

Joe Carrigan: Was it a chimp? 

Dave Bittner: Yeah. 

Joe Carrigan: Oh, the orangutan was in "Every Which Way but Loose," right? 

Dave Bittner: That's right. 

Joe Carrigan: Yeah. 

Dave Bittner: That's right. That's right. All right - well, interesting story. We will have a link to that in the show notes. My story this week comes from the folks over at Netskope. They just released some research. They are an edge computing, security and zero-trust organization. 

Joe Carrigan: All right. 

Dave Bittner: And they released some research that was tracking phishing downloads. And they have tracked phishing downloads having a sharp increase. They said 450% over the past year. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. And what they're saying is that the attackers are using SEO techniques - search engine optimization - to improve the ranking of their malicious files, particularly .PDF files. 

Joe Carrigan: Really? 

Dave Bittner: So if you go looking for particular types of files - and they said - in this article, they talked about, like, shareware. Of course, we all - we know that if you're looking for, like, pirated software, you know, like, that's... 

Joe Carrigan: Right. 

Dave Bittner: ...Always... 

Joe Carrigan: That's going to have malware in it. 

Dave Bittner: I count on it, yeah. 

Joe Carrigan: Yeah. It's... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Like, the oldest vector in the book. 

Dave Bittner: Yeah. 

Joe Carrigan: You know? 

Dave Bittner: Yeah. The other thing they talked about was how the malware folks or the folks who are doing the phishing are becoming more and more targeted, that the servers tend to be in the region where the people they're targeting are. So if you're in North America, the downloads are going to come from a North American server. 

Joe Carrigan: Right. 

Dave Bittner: Just - it draws less attention to it. 

Joe Carrigan: It does. It seems less suspicious to any automated filtering systems... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And to you as the victim, the target. 

Dave Bittner: Yeah. There's a couple key points here I thought were highlight - worth highlighting. They said Trojans continue to prove effective. They said Trojans account for 77% of all cloud and web malware downloads as attackers use social engineering techniques to gain an initial foothold and to deliver a variety of next-stage payloads. 

Joe Carrigan: You know, Dave, I'm kind of a stickler for vocabulary... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And especially in malware. 

Dave Bittner: Yeah. 

Joe Carrigan: And the old Trojan term... 

Dave Bittner: Yeah. 

Joe Carrigan: ...I'll say... 

Dave Bittner: Trojan horse. 

Joe Carrigan: ...Right... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Is based on the Trojan horse... 

Dave Bittner: Right. 

Joe Carrigan: ...Theory of you have a piece of software that you believed to be beneficial, but it is actually malicious. 

Dave Bittner: Right. 

Joe Carrigan: And that has always had some kind of a social engineering component to it. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, somebody says, here, try this. And they run it - you run it, and it works. I've always been leery of calling these things viruses because they're not viruses... 

Dave Bittner: Oh. 

Joe Carrigan: ...They're Trojans, you know? And I like the term malware. That gives us a nice broad term to cover all these different... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Topics. 

Dave Bittner: Yeah. 

Joe Carrigan: But I like - I mean, these - I think this Trojan is - this word Trojan here is being used aptly. I think this is probably correct. These people probably believe that they're downloading something. 

Dave Bittner: Right. 

Joe Carrigan: I would qualify a malicious PDF kind of like a Trojan horse kind of thing. 

Dave Bittner: Yeah. 

Joe Carrigan: You think you're getting something but there's actually some JavaScript or some other malicious exploit in the background or malicious code. Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm sorry. I - did I derail you there? 

Dave Bittner: No, no, no. It's... 

Joe Carrigan: OK. 

Dave Bittner: ...Fine. It's a good point. A couple of other points they make here - they say cloud and web are an attacker's perfect pair. They say 47% of malware downloads originate from cloud apps, compared to 53% from traditional websites. 

Joe Carrigan: Yeah. 

Dave Bittner: This makes sense. 

Joe Carrigan: ...That's going to continue to shift in that direction of being more cloud app... 

Dave Bittner: Right. 

Joe Carrigan: ...I think. 

Dave Bittner: They say popular cloud storage apps continue to be the source of most cloud malware downloads. 

Joe Carrigan: Right. 

Dave Bittner: Again, makes total sense. If... 

Joe Carrigan: Right. 

Dave Bittner: ...I can host my file on Dropbox or AWS or whatever. 

Joe Carrigan: OneDrive - SkyDrive - what's it called now? - Microsoft Drive, whatever it is. 

Dave Bittner: Yeah... 

Joe Carrigan: Google Drive. 

Dave Bittner: ...Well, yeah, 'cause those servers are less likely to be flagged... 

Joe Carrigan: Right. 

Dave Bittner: ...As being problematic because chances are they're legit stuff... 

Joe Carrigan: Right. 

Dave Bittner: ...That you need to get to them. 

Joe Carrigan: When you go to Dropbox, you know you're going to Dropbox. 

Dave Bittner: Right. Right. Other interesting note here - they said Microsoft Office malware files have declined to pre-Emotet levels. 

Joe Carrigan: Really? 

Dave Bittner: Yeah. So they said EXE and DLL files account for nearly half of all malware downloads as attackers continue to target Microsoft Windows... 

Joe Carrigan: Right. 

Dave Bittner: ...While malicious Microsoft Office files are on the decline. And they say that's probably due to the last years of proactive warnings and security controls that are looking for this very thing... 

Joe Carrigan: Right. 

Dave Bittner: ...From some of the big vendors, like Google and Microsoft. 

Joe Carrigan: You know, Dave, if - as I think back on my career - and... 

Dave Bittner: Yeah. 

Joe Carrigan: ...I don't do a lot of programming in Microsoft environments, right? 

Dave Bittner: Right. 

Joe Carrigan: Like, I don't do - I mean, I do. But, I mean, I don't do Office programming. 

Dave Bittner: Yeah. 

Joe Carrigan: I've never written a macro professionally, right? 

Dave Bittner: OK. 

Joe Carrigan: I've never had the need to do it. 

Dave Bittner: Sure. 

Joe Carrigan: But by the same token, I have very, very, very rarely found an Office - a legitimate Office file from Excel or from Word that ever required macros - very rarely. In fact, I can only think of one spreadsheet that had a macro on it that I had to enable macros for in the entire time - in my entire career. 

Dave Bittner: Yeah. 

Joe Carrigan: So when I think of these - this macro vector, which - it requires a lot of social engineering as well because people have to say, hey, you got to turn on macros to see what's going on... 

Dave Bittner: Right. 

Joe Carrigan: ...That just lets the malicious code execute. 

Dave Bittner: Yeah. 

Joe Carrigan: I'm always skeptical of that. I'm always - immediately, that's a huge red flag for me because I know that this, again, is also a very old means of putting malicious code on your computer. 

Dave Bittner: Yeah. And I wonder, you know, are there particular industry verticals that rely on macros... 

Joe Carrigan: There may be. 

Dave Bittner: ...For their day-to-day. If you're an accountant or if you're a - I don't know, you know, some kind of engineer or an architect or - you know, I'm sure there are... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Business types where macros are just part of everyday use of these tools... 

Joe Carrigan: Yep. And maybe - and you're... 

Dave Bittner: ...I just don't happen to be one of them (laughter). 

Joe Carrigan: ...Yeah. I don't happen to be one of them. I - you know, maybe our listeners - you know, we have listeners who write in all the time. Maybe... 

Dave Bittner: Right. 

Joe Carrigan: ...Our listeners will write in and tell us a use case or a story about a use case where they needed to use a macro for a document. 

Dave Bittner: Yeah. Yeah. And I guess the point is that if you are one of those folks, you need to be extra vigilant because that's an extra vulnerability... 

Joe Carrigan: It is. 

Dave Bittner: ...That they have there. 

Joe Carrigan: Yep. 

Dave Bittner: So hopefully, they're aware of that and can put in the proper mitigations to take care of themselves. All right. Well, again, that is from the folks over at Netskope. We will have a link to that in the show notes. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, we have two Catch of the Days today because they're short. 

Dave Bittner: OK. 

Joe Carrigan: And the first one comes from Peter, who writes, I already have enough free Dyson vacuums, so I'll let you guys have this one. You're welcome. 

Dave Bittner: All right. 

Joe Carrigan: That from email address, though - am I right? Ha-ha. And he - and the from is - it's - the email says, from - Dyson vacuum. And then it's, like, account.uhcgotrs__03 at some domain... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? Obviously not anybody at Dyson... 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: Right? And then it says - the email has one sentence - congrats, you've been selected. And that's just one big link in the middle of the email, right? 

Dave Bittner: That's it? 

Joe Carrigan: That's it. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's the email. And if you... 

Dave Bittner: OK. 

Joe Carrigan: ...Hover over the link, it goes to an S3 bucket on Amazon Cloud Services - Amazon Web Services. 

Dave Bittner: OK. 

Joe Carrigan: I didn't click on this link because I was afraid it might be associated with Peter's email. So Peter, you're welcome back here. The - I'm sure that this is some kind of scam where they just collect your information, maybe say, OK, all you have to do is pay for shipping, and you never get your Dyson's. 

Dave Bittner: No. 

Joe Carrigan: Your Dyson. 

Dave Bittner: No. I guess people are lured in by premium product, which... 

Joe Carrigan: That's correct. 

Dave Bittner: ...Dyson certainly is. 

Joe Carrigan: Yep. 

Dave Bittner: Yeah. All right. What's the other one? 

Joe Carrigan: The other one I found on the internet somewhere. I can't remember where I found this, probably read it. But it's a - some kind of either text message chat or Facebook Messenger, some kind of messaging application. 

Dave Bittner: Yeah. 

Joe Carrigan: And why don't you go ahead and read this, Dave. 

Dave Bittner: It says, (reading) this is Vladimir Putin, president of Russia. Some people kidnapped me and put my duplicate in Russia. I didn't start the war, he did. I escaped and now hiding in your country. Can you send me 3,000 RS so I can go back to Russia and stop this war? This is real me. I can send selfie. 

(LAUGHTER) 

Joe Carrigan: And then he sends a picture... 

Dave Bittner: Then he sends a selfie, sure enough. 

Joe Carrigan: ...Of Vladimir Putin. 

Dave Bittner: Well, I'm convinced. 

Joe Carrigan: Yes. 

Dave Bittner: (Laughter). 

Joe Carrigan: The funny thing is, he's only actually asking for 3,000 rubles. 

Dave Bittner: Yeah. Well, and it is... 

Joe Carrigan: What is that? 

Dave Bittner: It's probably - that's like 25 cents now, isn't it? 

Joe Carrigan: (Laughter). 

Dave Bittner: I mean, it's not much. So what do you got to lose (laughter)? 

Joe Carrigan: I don't know, man. I think I might send this guy 3,000 rubles or the cash equivalent - the U.S. cash equivalent of 3,000 rubles. 

Dave Bittner: Wow. All right. That's another good one. 

Joe Carrigan: Right. 

Dave Bittner: Well, again, thanks to everyone who sends in these Catch of the Days. We appreciate it. And, of course, we have a lot of fun with it. If you have one you would like us to consider for the show, you can send it to us. It's hackinghumans@thecyberwire.com. All right, Joe, I recently had the pleasure of speaking with Mark Horne. He is the chief marketing officer at an organization called Pindrop. And our conversation focuses on voice authentication. Here's my conversation with Mark Horne. 

Mark Horne: We've been in the voice business for a while. And we really wanted to understand kind of perspectives of different folks to really understand, like, what's their perspective on voice and using it? And so there were a couple of really interesting kind of key points of it. Of those folks that we surveyed, 71% believed that it would be extremely helpful or very helpful to put voice-enabled parental controls on streaming services to protect kids. So if I think about, like, the use of voice, everyone said - nearly 50% of people said they use voice technology and on a daily basis. And one of the things they wanted to do is to add that layer of security. So as we started diving into it, a lot of it was around that. Another interesting data point, if we look at sort of access to things like our cars - right? - where does voice play in? Nearly 70% of those surveyed believe that securely unlocking their vehicle and starting it using only their voice would be extremely helpful in day-to-day lives. Fifty-four percent of all individuals surveyed believe that accessing their bank accounts at the ATM using only their voice would be extremely helpful. So as you start looking at it - right? - voice is one of those really critical factors that we all take with us and is always with us, right? It's not like we forget our car keys or we forget our PIN code or passwords. Voice is one of those critical things that we can use to simplify our experiences and provide easier access. When we asked folks about authentication, over a third of them surveyed that they'd actually had their bank card stolen at some point in time. So if you think about losing information, losing your bank card, a card and PIN, is one of those critical pieces. And so you can't really lose your voice. Fifty-five percent of the individuals we surveyed got stressed out by digital identity verification, right? They didn't like all the CAPTCHAs. All the multifactor authentication, like, became really challenging for a lot of folks. KBAs were - these knowledge-based authentication questions were one of the biggest kind of detractors from a positive experience. So there's just a couple of sort of really interesting things. When we asked about reputation, the concept of knowledge-based questions actually drove. Fifty-five percent of people said they felt frustrated because of it. Fifty-seven percent said annoyed. Very few people felt confident in the security when using some of that. So voice is a great technology to use. This survey showed that. And then when we look at where it creates challenges for people, it's around, you know, alternatives with KBAs. 

Dave Bittner: Yeah. Let's dig into some of the details here. I mean, I suppose a question I have is, you know, what happens if you do lose your voice? If you have a cold or, you know, you've been out having a good time the night before and your throat is scratchy and sore, what happens then? 

Mark Horne: Yeah, so great question, there. One of the things we've worked really hard at as a company - voice is our core business - lots of energy on research. And so, interestingly, if you think about, like, how your voice changes over time, your core voice is very similar. There are some nuances around it that change. Aging is one of those. And so the models that we built are actually able over time to discern, you know, whether you've had a tough night the night before. Does it work 100% of the time? No. But once you're in the 90-plus percent range, it works really well. 

Dave Bittner: Can you walk me through how it would work? I mean, if you're using your voice to log into something, let's say, a bank ATM or something like that, what would be the interaction between the user and the device? 

Mark Horne: Yeah. I love that question. So it happens in two parts, right? The first piece is what we call an enrollment process. And that's the first time you use it - right? - where you actually enroll your voice as part of it. And that's where, you know, you work through all of those - how do I take my voice - how do I CAPTCHA? And that just happens for us in a natural interaction, and someone validates - yup, this is Mark; we're going to enroll that voice. 

Mark Horne: Once that happens, now every time I walk up to the ATM, as an example - that ATM could have a microphone in it, and I just begin to speak. And as soon as I start speaking, the system is listening for my voice and mapping my voice to the account, verifying that it's my voice and allowing me to go forward. So after you've done the quick enrollment, every time you come back - right? - it uses your voice, and you don't have to do anything else. So it becomes perfectly seamless. And for the ATM example, we believe that becomes touchless as well. 

Dave Bittner: So you can ask for the things that you wanted to have done and not have to actually have any physical contact with the device. 

Mark Horne: Correct. 

Dave Bittner: Yeah. Do you find that folks are a bit skeptical of this? I mean, I think anyone who's been through a phone tree that isn't working as well as you would like it to - (laughter) I think it's one of those things where, you know, having a bad experience can really sour you to the technology overall. 

Mark Horne: Yeah. And I think the technology has advanced significantly. One of the few potential positives that's come out of COVID is, for a lot of call centers, they've invested significantly in voice technology to create a better customer experience, right? And it started out of necessity. When they couldn't handle the call volumes, they really looked to provide voice technology to allow customers to self-serve. And self-service is terrific. You can do that through a phone tree. You can do that through natural voice. But it does require authentication. I really do have to validate this really is Mark before I allow a transaction to happen. So the authentication technology around voice is that critical unlock to enable people to do that. You can allow people through a voice-enabled IVR to do a lot of things when you have high confidence it really is the correct person who's authorized to perform those transactions. 

Dave Bittner: To what degree do you envision this being, you know, a one-and-only authentication method? And to what degree would it be one of many, either a primary or a second factor for folks who wanted that extra layer? 

Mark Horne: So I think it gets really interesting. I think as people are starting with it, we're starting it to be seen as a factor in a combination of uses, right? You're always going to have - as you deploy new technology, they're always going to have fallbacks. You're always - you know, they're always going to keep your mother's, brother's, dog's, uncle's name on file and ask you that... 

Dave Bittner: (Laughter) Right. 

Mark Horne: ...Question as a knowledge-based... 

Dave Bittner: Right. 

Mark Horne: ...Question in case something goes wrong. Where I think it gets really interesting is I look at the - at where customer experience goes in the future, and I think about all of the interactions I, as a consumer, might have with my financial institution. I might go to an ATM. I might go into a branch. I might go to a drive-thru. I might use a mobile device. I might use my laptop. I might call the call center. And when you step back and look at all of those different interaction points, voice is the single application that works across all of those from the lead factor. The ATM today is card and, you know, chip and PIN, right? The mobile app is probably your face because you've got Face ID turned on. Your laptop is username and password, right? When you call into the IVR, it's your account number and a different PIN. The one consistent, ubiquitous tool across all of those, because all of those interactions already have microphones in them, is your voice. 

Mark Horne: And so as we start talking to folks, it is quickly becoming one of the preferred authentication methods, right? Whereas they're starting with voice to learn how it works, you quickly see them saying, hang on. I can create a way better experience by using a single authentication method. It makes my customer's life so much easier. I don't have to remember what was the four-digit PIN I set on my phone for that account versus what was my login and password versus my chip and PIN. Now I can use voice as that single authentication method across all those interactions. 

Dave Bittner: You know, you mentioned earlier in our conversation about potentially using this for children, for being able to, you know, have parental controls and things like that. It strikes me that it could be a really good application there because kids aren't particularly good at remembering things like passwords or PINs. 

Mark Horne: Well, I think it's twofold, right? One is kids aren't great at remembering that. And then secondly, kids probably shouldn't be doing certain things. So we did a - about 12 months ago, we launched a project with TiVo that allows you to use your voice to prevent people from watching certain content on streaming TVs - right? - as a perfect example. So now your voice unlocks particular movies that kids shouldn't watch, right? I've got two kids, and I tell you what. They know all the passwords, and they've figured out how to circumvent every protection scheme going. And so being able to lock that down with my voice is one great application. And then giving kids, you know, where they do have permission to do things - right? - that makes it much simpler as well. 

Dave Bittner: What about, you know, edge case people like me, for whom there are hundreds of hours of high-quality recordings of my voice in the public domain? Is this something that we would have to have extra concern about? 

Mark Horne: Well, if Pindrop didn't exist, yes. So... 

Dave Bittner: (Laughter). 

Mark Horne: And I say that sort of tongue-in-cheek. When the Anthony Bourdain movie came out, the folks from WIRED actually came to us and said, hey, can you help us find the synthetic audio that was in the movie, right? One of the misnomers about the movie is they actually created fake audio to fill in some of the gaps where they just didn't have content for it. 

Mark Horne: We actually ran the entire two-hour movie through our analytics engines and found the 53 seconds. Not only did we find the 53 seconds that were synthetic audio, we were able to tell them what the technology was that was used for synthetic audio. We believe synthetic audio has really positive use cases. We've seen, you know, Val Kilmer, you know, "Top Gun" actor - right? - who lost his voice due to throat cancer, has actually created a synthetic voice to bring voice back. So I don't want to say, you know, deepfakes are always bad. They're great for filling in gaps in movies. They're great for people like Val Kilmer. 

Mark Horne: But they can be used for fraud. And there are technologies, as we start to see commoditization of technology - like, you can create a deepfake of yourself and plenty of other people just based on the audio content that's available on the web. We've worked hard to develop that - the ability to detect deepfakes to prevent that from happening. 

Dave Bittner: I see. Where do you suppose we're headed with this, then? I suppose that you and your colleagues are envisioning a future where this is much more mainstream than it is right now. 

Mark Horne: Absolutely. Absolutely. Like, I actually envision a world where - as a consumer, right? - and I always start with that consumer - how do I make my daily experience better, right? As I think about all the interactions I have with technology throughout the day, where just using my voice would make it more natural, but they are transactions that require security. If I think about where the iPhone evolved, right? - when the iPhone first came out, they didn't have the concept of identity of who was using it. And your best two apps were that lighter app - right? - that you see everyone using at concerts now. And I think there was a drink a beer app. 

Mark Horne: But once you were able to identify who the user was with high confidence, you started to see mobile banking apps come out - I think voice takes that to the next level. As we start to see refrigerators come out that have - that are smart and allow you to order stuff from Grubhub and Uber Eats and all of those applications, right? - you look at that and you say, OK, well, how do I provide a level of authentication so that just anyone can't show up and perform those transactions? So I do see it becoming much more ubiquitous across all of these different touchpoints as we unlock new opportunities for people to have much more - you know, to simplify people's lives and create better experiences, which ultimately creates brand preference. I think that's one of the things that came out of our survey, as well - is, like, how do you begin to look at brand preference? How do you make decisions based on better user experience, better overall brand experience, and how do you choose brands over another? So I do think we're going to see more people moving in this direction, and I think those people are going to win out because experience matters so much. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Interesting interview, Dave. Seventy-one percent would like voice-enabled parental controls on streaming services. I think this is a perfect use case for voice authentication. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, 'cause if you're going to watch something that's adult in nature... 

Dave Bittner: Right. 

Joe Carrigan: ...You know, like - I don't know - maybe one of Keanu Reeves' new movies. 

Dave Bittner: (Laughter) Or something from the '70s with the Landers sisters. 

Joe Carrigan: Right. 

(LAUGHTER) 

Joe Carrigan: You don't want your kids watching that. 

Dave Bittner: Right. 

Joe Carrigan: Your device could say, hey, is this you? And you go, yeah, this is me. And then it authenticates you. But if your kid goes, yeah, it's me... 

Dave Bittner: (Laughter). 

Joe Carrigan: No... 

Dave Bittner: Right. Exactly. 

Joe Carrigan: ...Sorry, Billy. 

Dave Bittner: Right. 

Joe Carrigan: Sixty-eight percent think using their voice at an ATM would be helpful. I am not in that group, Dave. 

Dave Bittner: How come? 

Joe Carrigan: I don't know. I like the chip and PIN solution that we have. 

Dave Bittner: Yeah. 

Joe Carrigan: I don't know why I don't like the solution. Maybe, you know - maybe if you - if somebody stole my ATM card, the first thing I'd do is cancel it. But let's say I don't know the - you know, I don't know how I feel about this one. 

Dave Bittner: OK. 

Joe Carrigan: I've made my case against biometrics for - too many times on this show. 

Dave Bittner: (Laughter). 

Joe Carrigan: So I'm not going to do it... 

Dave Bittner: OK. 

Joe Carrigan: ...Again. And I think I'm just going to have to acquiesce to this, that biometrics is the way we're going, right? 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, I've got a fingerprint scanner on my phone. You've got Face ID on your phone. 

Dave Bittner: Yeah. 

Joe Carrigan: It's just - voiceprint is nothing - you know, nothing different than that, even though it's immutable. And - OK, I said I wasn't going to do it. But... 

Dave Bittner: (Laughter) You just can't help yourself. 

Joe Carrigan: I can't help myself. Right. 

Dave Bittner: OK. 

Joe Carrigan: Mark makes a point about knowledge-based authentication. Knowledge-based authentication can be frustrating to use, and it can be very easy to answer the questions correctly if you, when you filled them out, answered them honestly. The case in point of this I always think of is when Sarah Palin was on the McCain-Palin ticket, and her Yahoo! email was hacked not because she had a weak password but because Yahoo! used knowledge-based authentication for a password reset workflow. 

Dave Bittner: Oh. 

Joe Carrigan: And she had answered all those questions honestly, like, what high school did you go to? All the information that was necessary to do that was on Wikipedia. 

Dave Bittner: Right. What foreign countries can you see from your house? 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: Go ahead (laughter). 

Joe Carrigan: I think that's a misquote, isn't it? 

Dave Bittner: Yeah, it's a "Saturday Night Live" joke. 

Joe Carrigan: Right. Tina Fey did an excellent Sarah Palin, by... 

Dave Bittner: She did. She did, yeah. 

Joe Carrigan: ...The way. I mean, they - I saw them on stage together, and they were indistinguishable. I couldn't tell who was who. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: I am reassured by what Mark says here that they're building these models that can track you over time, or they can match you over time as you age. That's good because I've noticed my voice has aged... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Changed, rather, as I age. 

Dave Bittner: Right. 

Joe Carrigan: It's getting a little more gravelly lately. 

Dave Bittner: It's not the years. It's the miles. 

Joe Carrigan: Right. Exactly. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: And voice does work along most platforms we interact with - right? - we're pretty much always talking. And it's right. You can't lose your voice. I mean, it can't be stolen from you. 

Dave Bittner: Right. 

Joe Carrigan: You know, when we start talking about deepfakes, I think it's fairly easy to spot a voice - a deepfake voice with an algorithm that is analyzing your voice. So I'm not too concerned about that being used as a vector. I'm more concerned about the excellent question that you raised about guys like us who have tons of audio out there in recording. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, it could be as simple as saying something - my father even mentioned this to me when I started doing these podcasts. Are you afraid of that? I'm like, yeah, I kind of am afraid of it. So maybe you and I don't use voice authentication as a way to authenticate ourselves. 

Dave Bittner: Right. Right. 

Joe Carrigan: So it's not a good fit for us. But for somebody who doesn't spend every waking day doing a podcast... 

Dave Bittner: Right (laughter). 

Joe Carrigan: ...Like you do... 

Dave Bittner: Right. 

Joe Carrigan: ...Or come in here once a week and do a podcast, like I do... 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: ...Yeah, maybe we don't do it. 

Dave Bittner: You just have to be self-aware about what your own vulnerabilities are. 

Joe Carrigan: Yeah, I think that's important. 

Dave Bittner: You know, and it's different for everyone. So mine is not the same as yours is not the same as one of our listeners. 

Joe Carrigan: Yeah, it's called risk model - or threat modeling. You have to do your own threat modeling. 

Dave Bittner: Yeah. Yeah. All right. Well, again, our thanks to Mark Horne from Pindrop for joining us. Interesting conversation. And we appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.