Factually! with Adam Conover - Why You’re Not Safe from Hackers with Rachel Tobac
Episode Date: September 25, 2024Last year alone, 880,000 people fell victim to cybercrime, losing a staggering $12.5 billion. While cybercrime might seem like an unstoppable epidemic, much of it is actually preventable. The... problem isn't that computers or software are too weak—it's that people are too easily fooled. This week, Adam talks with Rachel Tobac, an ethical hacker and CEO of SocialProof Security, to debunk common myths about hacking and share simple steps people can take to minimize their risk of becoming targets.SUPPORT THE SHOW ON PATREON: https://www.patreon.com/adamconoverSEE ADAM ON TOUR: https://www.adamconover.net/tourdates/SUBSCRIBE to and RATE Factually! on:» Apple Podcasts: https://podcasts.apple.com/us/podcast/factually-with-adam-conover/id1463460577» Spotify: https://open.spotify.com/show/0fK8WJw4ffMc2NWydBlDyJAbout Headgum: Headgum is an LA & NY-based podcast network creating premium podcasts with the funniest, most engaging voices in comedy to achieve one goal: Making our audience and ourselves laugh. Listen to our shows at https://www.headgum.com.» SUBSCRIBE to Headgum: https://www.youtube.com/c/HeadGum?sub_confirmation=1» FOLLOW us on Twitter: http://twitter.com/headgum» FOLLOW us on Instagram: https://instagram.com/headgum/» FOLLOW us on TikTok: https://www.tiktok.com/@headgum» Advertise on Factually! via Gumball.fmSee Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.
Transcript
Discussion (0)
This is a HeadGum Podcast.
You know, folks, we're in the middle of election season, and if you're anything like me, you've
likely been pulling your hair out and lamenting, why does it feel like American democracy is
unraveling before my eyes?
Well, the answer is that it's the fault of our electoral system and its winner-take-all
ideology.
But is that really the best we can do in 2024?
Spoiler, it's not. For the answer on why,
I highly recommend The Future of Our Former Democracy,
the new podcast from more equitable democracy
and large media.
Hosts George Chung and Colin Cole
dive into the fascinating history of Northern Ireland,
exploring how they reformed their political system
to overcome deep divides
and ensure more equitable representation.
Each episode takes a closer look
at why the US could learn from Ireland's journey
and how a system like theirs might help us break free
from the chaos of our own elections.
If you're curious about how another country's experience
can offer fresh ideas for our political future,
check out their debut episode.
So don't miss out, follow the future
of our former democracy on Apple podcasts,
Spotify, or wherever you get your podcasts. And hey, tell the madam sent ya. You know, listeners
have factually know that I take health seriously. When people ask me for advice on diet, exercise,
or achieving a target body weight, my first recommendation is always to consult a doctor.
And that is why I'm happy to recommend today's sponsor, Mochi Health.
Mochi offers safe and affordable weight loss programs
that also treat that process with intelligence,
care, and respect.
And Mochi provides you that support
by connecting you with real doctors
who can offer you real medical advice
and prescribe science-backed medications
like GLP-1s if you and they decide
that that is what is right for you.
Plus you will work hand in hand with registered dieticians
to achieve sustainable results.
Whether or not you have insurance,
Mochi is affordable, accessible,
and offers the peace of mind that comes with using
FDA approved science backed medications
under the guidance of real doctors.
So if you are ready for a sustainable,
supportive weight loss journey,
visit joinmochi.com and use code FACTUALLY
to receive 40% off.
That's code FACTUALLY at joinmochi.com.
I don't know the truth.
I don't know the way.
I don't know what to think.
I don't know what to say.
Yeah, but that's all right. I think I don't know what to say.
Yeah, but that's all right.
That's okay.
I don't know anything.
Hello and welcome to Factually.
I'm Adam Conover.
Thank you so much for joining me on the show again.
On the show this week, we're talking about hacking.
You know, it's easy to imagine that hackers, real hackers, are doing something
super high tech. And the movies of the 90s literally trained me to think this. You know,
hackers were people who looked like they were in the matrix, who banged out code to their
keyboard until the screen changed from red to green and went boop, boop, boop, boop,
and then they said, we're in. Now, this is obviously not how hacking actually works.
What hackers actually do is they find the weakest point
in any system and exploit it.
And the weakest point is probably not some snippet of code
streaming down a screen in some 1997 hacker dungeon.
The weakest point in a system is probably you,
or at the very least, another human,
not a piece of technology.
You know, there's a famous case
that the tech reporter, Matt Honan,
wrote about and wired about a decade ago.
Hackers fished partial credit card info
from an Amazon tech support customer service representative.
And then they used that information
to contact an Apple tech support representative,
and that person gave them his iCloud account
and the keys to the kingdom.
It wasn't a matter of computer engineering that let them in,
it was social engineering figuring out what to say to the actual humans who controlled his accounts.
And that is bad news, because it means that you are vulnerable to being hacked.
880,000 people were the victims of cybercrime last year, to the tune of $12.5 billion.
And that is not something you can fix
with just better encryption or yet another high-tech device.
Those things can help, but the real problem is people.
And there is no way to make people perfect, clearly.
I mean, just look at us.
So what do we do?
Well, we have an incredible guest on the show
to talk to you about that today.
But before we get into it,
I wanna remind you that if you wanna support this show
and all the conversations we bring you every week,
you can do so on Patreon.
Head to patreon.com slash Adam Conover to chip in
and get every episode of this show ad free.
And big reminder, my new standup special, Unmedicated, is out now on Dropout.
Head to dropout.tv to subscribe and watch it.
It's a brand new hour of standup comedy.
Some of the most personal comedy I've ever done.
I would love for you to see it.
Dropout.tv to watch.
And if you want to see me do standup on the road,
I got brand new material.
I'm touring all around North America.
Coming up soon, I'm heading to Baltimore, Maryland,
Portland, Oregon, Seattle, Washington, Denver, Colorado,
Austin, Texas, Batavia, Illinois, San Francisco, California,
Toronto, Ontario, Chicago, Illinois, Boston, Massachusetts,
and Providence, Rhode Island.
Please come see me, AdamConover.net,
for tickets and tour dates.
And now, let's talk about hacking.
To talk about the threats that we all face
and how to protect ourselves against them,
we have the perfect guest on the show today.
Rachel Tobak is an ethical hacker
and the CEO of Social Proof Security.
She is an absolute expert in the field.
I cannot wait for you to hear this conversation.
Please welcome Rachel Tobak.
Rachel, thank you so much for coming on the show
and welcome. I'm excited to be here, Adam. Okay, so you so much for coming on the show and welcome.
I'm excited to be here, Adam.
Okay, so let's say I'm a hacker.
I'm looking at the big juicy accounts
of semi-famous comedian, Adam Conover.
I wanna post some spam.
I wanna sell people some crypto.
This guy's got a TikTok, he's got a YouTube,
he's got a Twitter.
How do I hack him?
Please give my listeners instructions on how to hack me.
Okay, yeah, I got you covered.
All right, so if you're a hacker and you're listening to this,
you wanna hack Adam, here's what you're gonna do.
Number one, you're gonna look up
what Adam's contact details are.
So the very first thing you're gonna do
is you're gonna go to a data brokerage site or Google,
and you're gonna type in Adam's name,
and then the words phone number or email address
so that you figure out how you're gonna contact Adam
in the first place.
Because sure, you could DM Adam, right?
But you may or may not answer those.
So you're much more likely to answer an email, phone call, or a text message.
We know that in the hacking space.
Right now, we're seeing a huge increase in phone calls and texts, by the way.
So that's probably the most likely way to be successful.
Then you're going to look up what Adam's interests
or dislikes are.
So what is Adam like?
Adam, you like Diet Coke or do you like Dr. Pepper?
Right, we gotta know.
I like Diet Dr. Pepper.
That's what I like too.
A lot of people are talking about
how this is the best diet soda.
I've had it recently on Labor Day weekend.
I had some, it was good.
And they could listen to this podcast.
They know I like Diet Dr. Pepper.
And it's not an endorsement, but I have enjoyed it.
I am also a Diet Dr. Pepper enjoyer myself.
So I would probably pretend to be
from the Diet Dr. Pepper overarching brand
and knowing these details.
I haven't done any research, right?
This is just from hacking you in these in the last 30 seconds.
I pretend to be from their brand.
I'd say, hey, we heard you on the last podcast.
We're emailing you because we'd love to be a sponsor.
Go ahead and click here to let us know your availability to chat.
And that would be a hacking link.
Well, so you they would pretend to be diet Dr. Pepper.
Probably. Yeah.
I mean, I just hacked you in the last 30 seconds by figuring out your interests.
Right. Wait, you did? Oh, yeah. OK.
Don't check your email. Don't even pick up your phone.
OK, OK. OK. So they're going to pretend to be diet Dr.
Pepper and they're going to seduce me with money, which works.
Yeah. They're going to say, hey, Adam, we'd love to give you X number of dollars
to have you give another plug for diet Dr. Pepper during your next break.
Maybe you lift one up.
Maybe you're taking a sip or two during a funny chat that you have with somebody.
And boom, there you go.
And so that's the way that we hack people.
We figure out what do they like, what do they dislike,
and we pretend to be those things to you.
Ah, and that works really well
if you're targeting a specific person,
which like people with a lot of followers,
such as myself, I'm not trying to brag,
but it is the world that I live in,
we are used to being specifically targeted.
Does the average person need to worry
about that kind of attack that gets to know them very well?
Yeah, so we call that your threat model.
Your threat model is the likelihood of receiving an attack.
And your threat model changes
based on who you are and what you do.
If you've got a lot of followers, let's say you're like Adam, you've got you know millions
of followers across platforms, your threat model is automatically high. If
you are somebody who maybe has 40,000 followers for your dog's Instagram, your
threat model is also high. People like to hack those and then of course push
crypto scams. If you're a person who has a private Instagram, you've got no Twitch
account, you don got no Twitch account,
you don't have hundreds of thousands
or millions of followers,
and maybe you've got a couple of personal pictures,
you got a cat you post about your dinners,
but it's private, it's less likely
that you're gonna be on an attacker's radar.
Unless you're up on Twitter or some other platform
talking about your cryptocurrency,
then an attacker is gonna be real curious about you,
like, hmm, they're bragging about having a lot of money,
or they're flashing their Rolex every day.
They wanna go after somebody they believe
is going to be a juicy target.
They're not just gonna go after random Joe Schmoes.
So what do the attackers do after they trick on me,
they trick me, they get me to click on the link
to the Diet Dr Pepper endorsement form?
What's the next step?
Yeah, they'd probably try to get you to download malware. So if you have some sort of vulnerability
on your machine, let's say it's been a while since you've updated your operating system or your
version. A lot of people do that, right? You get that little thing that pops up in the upper right
hand corner. Hey, we're going to reset you overnight. You're like, I don't have time for
this right now. You push it off for a little bit later. Well, little bit later is now two months ago.
And now the attacker has kind of reversed
with those changes to the vulnerabilities are,
and they're able to craft malware for your machine.
So if you're a normal human being, like most people,
you've put that off, you've gotten known vulnerabilities
in your browser or your operating system.
The problem is those update dialogues,
it's that seductive little button that says not now.
Who can resist not now?
It's gonna happen later.
But I wanna update now, not now, not now, later.
When is it a good time?
It's never now.
Always gonna be later, it's never gonna be now.
I know, it's tough because we wanna give people options.
We wanna give people an out.
But of course, that means that people always take the out.
Yeah, but that's like saying, you know,
hey, we updated the locks on your front door or, you know,
I mean, the thing that OS updates have most often
is security fixes almost.
That's right. Yeah.
And so a lot of times,
if you look in your upper right-hand corner of your browser,
it says you have to update that too.
And people also not now that because they're like,
I got 72 tabs open.
I don't want to refresh all this stuff.
Now I got to re-log in. I got to get my credentials, tabs open. I don't want to refresh all this stuff. Now I got to re-log in.
I got to get my credentials, et cetera.
I don't want to deal with it.
And so I just put it off till later.
Well, unfortunately, if you have a high threat model
because you're in the public eye, you're a celebrity,
you're an activist, or you're being harassed by folks online,
well, you have a likelihood that you're going to receive
some sort of attack, whether it's over text, email,
phone call, in person, something like that.
Now I can imagine that, you know,
hey, I'm too smart to fall for a fake Dr. Pepper
who tells me to, Dr. Pepper is telling me
to download an application.
I'm like, I don't think Dr. Pepper needs me
to download software.
I do feel that I would be too intelligent for such a thing.
Maybe some of our listeners do as well. Is that a dangerous way to think
that you're too smart to get scammed?
I think it is, unfortunately.
Now the thing is you are smart, Adam.
And so there is a likelihood.
Thank you.
You're welcome.
There is a likelihood that you would catch
a lot of these attacks,
but an attacker who is persistent,
we call this an advanced persistent threat,
E.P.T. in case you want to drop that fun knowledge to someone other times, Dr. Pepper, those types of attackers, they're
going to try 10 times. You're going to catch them nine times. You're not going to catch them that
one time. Right? And so they're going to also be smart because remember these criminals do this for
a living. They know what they're doing. They know how to trick people. So they might pretend to be
Dr. Pepper and they might say, Hey So they might pretend to be Dr. Pepper.
And they might say, hey, we want you to do the sponsorship deal.
Go ahead and give us your availability.
It looks like a link to sign up to give availability.
And boom, you're hacked there.
They're not going to ask you to download an app,
because that's just too much work.
So they want to make it easy for you.
Another thing they might do is they might give you a call,
or they might call somebody that has your data.
So like an agent, an assistant, something like that,
and try to get to you from there.
So yeah, all the people in the room with you right now
should be sweating too.
It's not just you, it's the people around you, right?
And so a lot of times when I'm hacking an executive
or somebody with a really high threat model,
I'm not actually targeting the executive directly, I'm hacking an executive or somebody with a really high threat model, I'm not actually targeting the executive directly,
I'm targeting their executive assistant.
I'm targeting the person who's setting up their calendar.
Right, the person who is probably a little bit younger,
probably not that feeling threatened themselves
because they're a little bit more anonymous
than maybe the person who's being hacked, right?
So maybe their guard is down a little bit,
it's not their own information
and they're used to fielding incoming
and maybe they get yelled at if they let an opportunity
go by like, what, you let Dr. Pepper go?
And so they tend to be perhaps a little bit more
easy entryway.
That's exactly right.
And you have to really think about
what is the relationship we have
to the people that we work with.
If we set up a relationship where people are like,
oh, I'm really nervous if I don't get back to Dr. Pepper within 30 seconds, this person's gonna be mad. is the relationship we have to the people that we work with? If we set up a relationship where people are like,
oh, I'm really nervous if I don't get back to Dr. Pepper
within 30 seconds, this person's going to be mad.
Well, they are in an increased position
to get attacked and tricked because their guard is already
very stressed out and they feel like they have to respond
to things immediately.
And those are the types of folks that are the easiest
to hack, which just goes to show that under capitalism,
a lot of people are going to get easily tricked because we have this pressure
responding immediately.
So setting up natural opportunities for people to verify identity,
including you and your whole team makes,
makes the relationship safer for everybody and more comfortable.
And I'm sure that that's what you do.
I've also seen, I mean, hopefully I don't,
I don't think I have anybody who I work with right now
who's able to get scammed on my behalf.
Hopefully I do have a good relationship
with anybody in the future who normally
I'm the stupid person.
I'm in charge of making my own mistakes.
But I've also noticed that even just the garden variety
spam emails that try to scam you have gotten a lot smarter.
I remember the first time I got an email that told me we have successfully charged you for, you know, a year of Norton LifeLock or whatever.
I don't know why it's Norton LifeLock. It's particular.
It always is.
And they said we charged you for this and it's $500.
And if the charge is erroneous, please call us.
And I remember the first time I got one,
I had never seen one like that before.
And I believed it for a second.
And then I looked a little closer and I was like,
this is from a weird email address, et cetera.
Like it had one of the normal tells.
But I was like, this is very clever
because if you are frightened by that,
it makes you, it like triggers your loss aversion.
Oh no, I'm gonna lose money.
And instead of being the recipient of the scam,
you are gonna be then active and call the number
and say, no, no, no, no, no.
I'm gonna get to the bottom of this
because you don't think you're getting scammed.
You think you are stopping a scam.
You think a sleazy company billed you by accident
and now you have to call and yell at them
and it puts you in a completely different frame of mind.
And I'm sure you tell me,
but I'm sure as soon as you call this number,
the first thing they say is,
okay, just give me your credit card number
so I can refund the charges or whatever it is, right?
That's exactly right.
So when we're hacking,
there are two scenarios that we tend to set up.
They all boil down to these two.
Either I'm helping you or you're helping me.
That's it.
I'm helping you or you're helping me.
So that scenario that you just mentioned
of Norton, quote unquote, of course the attacker,
saying, hey, we charge you 500 bucks.
If this seems wrong, give us a call.
They are helping you, right?
They're trying to show that they are helping you and you're saying,
nope, thank you for the support. Thank you for letting me know we got this wrong. Let's
correct it immediately. And so oftentimes we'll pretend to be from your bank. So let's say you
use Wells Bargo or Chase. I don't actually know. I haven't hacked you out. I'm not going to because
you haven't given me your consent and I'm an ethical hacker. But let's say you use one of those.
going to because you haven't given me your consent and I'm an ethical hacker. But let's say you use one of those. You would get a phone call and they would pick the I'm helping Adam scenario. They say,
hey, we're with loss prevention. We see there's a charge in Illinois for 500 bucks at Best Buy. Is
this you? And you say, no, that's not me. And they say, okay, well, to verify your identity, go ahead
and read that code off that we just texted you. Well, what's happening there? What's happening is
they already got your password that's reused from another data breach. off that we just texted you. Well, what's happening there? What's happening is they already got your password
that's reused from another data breach.
They're logging in as you.
And that code that they just said to verify your identity
to help you is to steal your multifactor authentication
code.
And this is one of the number one reasons why people
lose access to their bank account and funds.
And once it's gone, it's gone.
They're logging in simultaneously
and the code was actually sent to your phone
because it's a two factor authentication code
and they're asking you to read it back.
Which is why so many of those messages now come
and say, no one will ask you for this code
or whatever over the phone.
I also have to say one of the reasons this is so successful
is we do sometimes receive phone calls like this.
I remember just a couple years ago, I got a call from,
hey, this is fraud prevention services.
We detected a thing and yada yada.
And I was like, well, how do I know you're actually
from my bank?
Because it was an incoming call.
And they were like, well, we are from your bank
or we're not, we're fraud protection services. We're a different company. And I was like, well, we are from your bank, or we're not, we're Fraud Protection Services,
we're a different company.
And I was like, well, can I call my bank back?
And like, you know, can we hang up?
Can I call the bank?
And they said, no,
because we're not actually the bank
we're this different company.
And it was legit, but I had already had my sort of,
you know, antenna up because I'd received an incoming call
knowing that like that's a reason to be suspicious
because I didn't initiate it myself.
And so like how much are these you know are the companies that we're interacting with
to blame for not having good security practices themselves?
Yeah, this is really interesting.
A lot of the times the reason why people are so easily hacked is because the real interactions they have with the real companies are so hackery.
Yeah. You got a real call that sounded just like a scam.
How could this possibly be real?
And then it ends up being real.
I always just tell people call whoever it is back at the known trusted number.
So for your bank, it'd be the number on the back of your credit card.
That's what I tried to do.
But it was a different.
That's what I was saying.
It was like wild. Yeah, that your credit card. That's what I tried to do, but it was a different, that's what I was saying.
It was like not- That's wild.
Yeah, that's my memory. That's wild, but that's real.
It was a couple of years ago, but that was my memory.
Maybe that was me calling you, Adam.
We don't know.
Folks, our partner for this week's episode is Delete Me.
It's a service I have been using for ages
and I am so excited to tell you about it.
How much of your personal info
do you think is floating around online?
Maybe you've got a public social media profile
or an email out there, but that's it, right?
Wrong.
There is actually a mountain of your personal data
being bought, sold and traded by data brokers.
Stuff you never meant to be public,
like your home address, phone number,
and even the names of your relatives.
Anyone with an internet connection and some bad intent
can dig up everything they need
to make your life miserable.
Recently, we've seen an uptick in online harassment,
identity theft, and even real life stalking,
all because of this easily accessible information.
You know, a couple of years back,
I became a target of harassment
for people who found my details online.
So I signed up for Delete Me,
and honestly, it is one of the best choices I've ever made.
Their team of experts works tirelessly
to hunt down our information, remove it, and keep it gone.
You, your family, and your loved ones
deserve to feel safe from this kind of invasion of privacy.
So do yourself a favor, check out Delete Me,
not just for your security,
but for your friends and family too.
And guess what? You can get 20% off your DeleteMe plan when you go to joindeleteeme.com slash Adam
and use promo code Adam at checkout. That's joindeleteeme.com slash Adam, promo code Adam.
So in video games, there's this thing called min-maxing. I'll spare you the technical definition,
but it's all about putting your effort in the right place to get the optimal results.
Well, you know, I found that kind of thinking helpful
in real life too.
I used to think of shopping for groceries,
picking up dog treats,
researching products that are gluten-free for my partner,
and being mindful of taking care of my health
as separate, discrete tasks.
But when I realized that I could get all of these done
just by shopping at Thrive Market,
it felt like I'd found a way to game the system.
Now I do all of my grocery essential shopping
with Thrive Market.
I get my jovial gluten-free pasta for my partner,
shameless pet's dog treats for my dog,
all the health conscious goodies I like to enjoy for myself,
and I have them delivered straight to my doorstep.
And as a Thrive Market member,
I save money on every single grocery order.
On average, I save over 30% every time.
They even have a deals page that changes daily and always has some of my favorite brands.
Best of all, when you join Thrive Market, you are also helping a family in need with
their one-for-one membership matching program.
You join, they give.
So join in on the savings with Thrive Market today and get 30% off your first order plus
a free $60 gift,
go to thrivemarket.com slash factually for 30% off your first order plus a free $60 gift.
That's T H R I V E market.com slash factually.
Also in terms of these companies, they're like like how common is it for the customer service
person to get socially engineered in this manner, you know, to get your information
from not from you, not from your assistant, but from the company itself.
Yeah.
So I think what you're referring to is the customer service agent picks up the phone,
right?
And I say, hi, this is Adam.
I need to change my email address and phone number on the account.
I'm trying to take over your account by calling them, right?
Well, it's so easy to do.
I can very easily do what we call spoofing,
make my caller ID look like it's calling
from a number that it's not.
All I need is an app available on the app store.
It costs less than a dollar per call.
And I can go ahead and show your phone number,
which again, I can find on Google
or through a data brokerage site,
which is why I recommend taking those details down. And I can pretend to be you, I can call them in a
lot of times, think about how they verify your identity. Think about the last time you called
support, what did they ask you? Mother's made a name, date of birth, address you grew up on,
last four digits of social. And unfortunately, a lot of that stuff is available on data brokerage sites,
or it's available in a breach.
And so I can verify through what we call
knowledge-based authentication, KBA,
the answers to questions like,
mothers made a name, last four digits of social,
to get into your account.
This is why I recommend that it's really important
that all the details that you can take down
off the internet do so,
because it makes it way more obnoxious
for me to target you as an attacker.
Yeah, I mean, when I see those questions on a site
where it's, you know, it's some bit of personal information,
they all seem totally flawed to me.
Like, there's mother's maiden name, or address,
or first job you had,
that could all be publicly available information.
Then there's like childhood,
there's like preference-based ones,
like childhood best friend
or what's your favorite brand of whatever,
which could be available,
but also it could change over time.
And then there's some just have like completely bizarre,
I remember like,
I remember, I believe it was united.com.
I was creating an account there once
and their questions were like,
what is your favorite sea creature?
And then it was multiple choice.
And it was like, there were a hundred different sea creatures.
So it was like sea urchin, abalone, dolphin.
And I ended up choosing like favorite sea creature,
abalone.
I would say it, I would say it.
I don't give a shit about my United account,
that's not my main airline,
and I'm not gonna tell you which one is.
But it was also like, who is your,
what is your favorite, oh no, I'm sorry,
it was, what is your favorite thing to read?
And then the choices were like books, newspapers,
magazines, or websites.
And I was like, how would I even remember what I put?
Like websites is the weirdest answer to that,
that oh, I enjoy reading websites.
But that's a bizarre, like what security professional
designed this quiz?
It was like a bad Buzzfeed quiz.
I love a good website myself.
I love reading websites, but I just don't think
I would put that as one of the questions.
Yeah, that's a problem, right? KBA, knowledge-based authentication, is just inherently easy to crack because there's a few options. You can sometimes guess them right, or you can figure that out.
There's someone's Facebook, Instagram, LinkedIn. A lot of times people are putting quotes up on
their Instagram and it's from a specific book. And of course, I know that's their favorite book,
and I can answer that security question, right?
So it's just, it's one of those things
where I recommend people move towards MFA,
multi-factor authentication,
like a code to your email or phone,
rather than KBA, like mother's maiden name,
email address, your most recent address that you lived at,
which I can easily find for you online.
And is multi-factor authentication really that powerfully secure?
Because a lot of times, you know, it seems very rote.
You hit the thing, it sends to your text.
Like, at this point, Mac OS does it all for me.
You know, it just automatically fills the thing in.
Like, it sort of seems like the edges have been so smoothed off of that experience
that, I don't know,
it doesn't give me the same halo of security
that it used to.
What do you think?
Yes, so we know that SMS-based multifactor authentication,
like that code that comes to your text message,
we know that that prevents the majority of attacks.
So unless you've got somebody who's really gunning for you
and they wanna do what we call a simswa, where they somebody who's really gunning for you, and they want
to do what we call a sim swap, where they contact your telco pretending to be you, gain
access to your phone number, and in turn gain access to those codes, it's going to be hard
for that to be hacked. So about 75% of attacks are going to be blocked through your SMS two
factor. That's pretty good. Now it's not the best of the best. I'll keep telling you more.
The best of the best is going through like
app-based multi-factor authentication
or something like a FIDO2 solution.
I'll get there in a second because it's a little technical.
So something like your app-based solution will be like,
you've probably seen Duo or Google Authenticator
or Microsoft Authenticator, where you go to an app
and you get a code and you have to type that in.
That's gonna be a little bit harder to hack
because I can't just contact your telephone provider,
pretend I'm you, and then siphon out
all of those codes of my own.
I actually have to trick you
into providing the codes for me,
which is something that I can do,
but it's a little more, it's a little harder to do
because I have to actually trick a person like you
who might be a little bit more savvy
than somebody who doesn't exactly know what I'm trying to do
with the sim swap.
Then from there, I could go towards something like your FIDO2 solution, which is almost
impossible to hack.
A FIDO2 solution is something like a hardware security key or a passkey.
This is something that is really, really hard for me to steal.
I have to be with you in person, basically stealing from you, robbing you. That's not how most cybercriminals
are. They don't want to punch you in the face and steal your keys with a Yuba key on it.
They want to hack from far away from another nation, or they want to be in Florida while you're
in LA. They don't want to do that. They don don't wanna do actual battery. So we have to recognize that that threat is way, way lower
and in turn much safer if you use something
like a FIDO security key.
What does FIDO stand for?
I think it stands for Physical Identification Over Two Factor.
Physical, well, it's an F.
Let me actually get the, I'm gonna look it up for you
because I don't actually know it
and I don't wanna make something up.
FIDO two stands for what?
Here we go.
Fast identity online.
Oh, okay. That sucks.
Okay.
That's, I'm sorry.
What?
Fast identity online.
Is it 1998?
Like, what is this?
Maybe that's when it was created.
Fast identity, oh wow, it's online.
Wow, very, very high tech.
Let's come up with something better.
So FIDO stands for,
now that I know it's fast identity online too.
Well, here's my problem with these solutions though,
is like I use that form of two factor,
the one time password that is made by an application that I have.
I use one password. I've been using it for years.
It's very effective, but it's difficult to get the the one time password set up.
Like I log into I create an account on a new service and it says,
OK, create a one time password.
Open your Google authenticator.
They always tell me to use Google Authenticator.
I have never used Google Authenticator.
I don't even know how to get Google Authenticator.
I don't use Google products.
So I have to know that when they say Google Authenticator,
it means one password.
And then it usually wants me to like scan a QR code,
but not with my phone.
It's like, I open one password and one password
can scan the QR code in a separate window
and then it creates it and then it wants me to test it out.
And this is something I can do because I've been, you know,
using computers at a sort of high, relatively high level
since I was like 15 years old.
I would not, you know, ask my grandmother to do this, right?
Or frankly, a lot of my friends.
And so that's, this is a lot to ask of people to get this, to get the best form of security, right? Or frankly, a lot of my friends. And so that's, there's a lot to ask of people
to get this, to get the best form of security, right?
Let alone having a hardware key.
Like I know that that is the best form of security.
I haven't even looked into how to do that.
Yeah, it does take a level of digital literacy
to be able to accomplish, especially what you're doing
where you don't use the standard kind of Google Authenticator,
Microsoft or Duo, and you're moving towards something
in one password, where some people are like,
I don't know how to get there because it's not the thing
that the app is telling me to do.
Yeah.
So when you've got folks who don't feel comfortable
with the digital tools that are being requested of them,
I just recommend people use the tool
that's gonna protect most people,
especially if their threat model isn't high.
So if you've got a friend who's like,
listen, I don't have time for any of that.
I just want to try and be as secure as I can
without extra work.
SMS two factor for the majority of the population,
your grandma, your friend who does van life
and goes on the internet once a week,
when they get access in a coffee shop,
they don't need to worry about all this.
Just do SMS two factor.
I am all about harm reduction.
So making sure that people have access to the tools and digital literacy that
matches their digital literacy, as opposed to telling everyone that a one size
fits all solution makes sense.
Cause it doesn't.
I would not recommend your grandma get at you the key.
I don't.
I recommend that most people who have high threat models do have a digital
literacy to support it.
But this is a problem though, because I've read that, you know, SMS two factor covers a lot of people,
but it is not the most secure option,
but there is this literacy problem.
And so now there are other solutions as well for logging in,
which have made the entire logging in process
feel more chaotic because now there's so many different
ways to do it.
There's logging in via like Apple ID kind of thing.
Like you go and-
Pass keys.
Pass keys, okay.
Oh, is that a form of pass key
when it says log in via your Apple ID?
Well, so the thing is,
I don't know exactly what it is you're seeing.
So I don't wanna tell you it's a pass key when it's not.
When it's not a pass key.
Sometimes you're gonna see something
that allows you to log in
with another form of authentication.
And right now they are seeing that there's a big increase in pass
keys being used on consumer grade sites.
So I think what you're referring to as a passkey and that's great.
That is a FIDO2 solution.
It's much harder to hack.
So that's great.
But I don't know if that's what you're referring to.
That could also be someone trying to steal your password and your Apple ID.
Oh, wait, Hold on a second.
I go to a website and it says create an account and it's like,
you can either log, you can either create,
you can put in a username or password or you can just click with your Apple ID.
It'll do like, you know, you'll do touch ID on your Mac or face ID on your iPhone.
That's a passkey.
Okay.
Okay.
We like that, Adam. Don't think you're getting hacked with that. Okay, good. Got it. Okay. That's a passkey. Okay. Yes. We like that, Adam. Don't think you're getting hacked with that.
Okay, good.
Got it.
Okay, that's good to know.
So that is more effective than these other solutions,
that form of login.
It is.
It's much harder to hack.
And so most people,
if they have a long random unique password
to secure their Apple ID
and they've got multi-factor authentication on there
and it's hard to gain access to that.
It's going to be really cool because it ties it to your device, the device you already
trust.
It feels natural to show your face ID.
It's something you already understand and don't have to really think about.
Right?
So it's like a lot easier for people to get a higher standard of security without having
to think about what are you talking about?
What app I have to download? Where I have to scan? But it's still, okay, it still has this problem
where we've created this immense usability
and security problem for people,
because I think about it going, all right,
if I log, I start logging in everything with my Apple ID.
Well, that's fine.
Now my Apple ID is the linchpin
for all these other accounts.
And so now that password becomes even more important.
And so now I have to trust that Apple is going to do a good job, not allow their customer
service to be socially engineered, not have a big data breach.
And you know what?
Apple, I would say, I don't trust any company, but out of all of the companies, their privacy
records a little, you know, it's better than fucking Google, right?
Apple's pretty solid.
I think you can definitely trust that, yeah.
I mean, Apple is bigger than most countries.
So like, if you're gonna trust somebody,
you might as well trust Apple,
except that it means that Apple is more and more
of an attack, whatever target.
And then also it makes my Apple ID password
all the more important to me, that I keep that safe.
And so then I keep, I don't have that memorized
because it's a random string of digits.
I have that in my one password,
which like I have to remember the password of that.
And then I have the little printed out like emergency kit
that they tell you to print out.
And I like keep it in a safe and secure place in my home.
And so there's like these levels of password
that are all stacked on top of each other.
And like this is a huge amount to ask of people
just for the privilege of interacting with the internet,
which is something that we all have to do now.
Like you cannot go through life
without having a couple dozen accounts in different places
just to pay your fucking utility bill.
So is this not like, you know,
too much to ask of people in a way?
I would say it's a lot to ask of people,
which is why security is so challenging
for your everyday person.
They just feel like it's unfair.
They feel confused.
They don't have an IT person in their house.
Most people don't to say, here's how to do it.
Here's how to set up your password manager.
They don't even know what a password manager is.
So the fact that you have a password manager,
you understand MFA,
you're already in that huge digital literacy position.
And a lot of people just don't have access
to that knowledge.
So yeah, I think we're gonna need some pretty intense PSAs,
which is something cool that I think SZA is doing.
SZA is-
SZA the R&B singer?
No.
She killed her boyfriend in a song.
That was, she's not a very secure individual, frankly.
SZA is not, she was talking about killing people.
She's not the person who is in charge
of talking about password manager PSAs.
Okay.
I'm talking about SZA, C-I-S-A,
like the Department of Homeland Security.
Okay, okay, okay, got it.
So I didn't know that they were making music, but that's fine, go on, please.
It's so funny that you say that
because they actually have been making music videos.
I'm not joking.
You can enter that in right here and it'll be a very good
not joking.
Okay, well, SZA and SZA should do like a collab.
They should like guest on each other's tracks
or something like that.
That's genius. It'll help people pronounce SZA correctly too. a collab, you know, they should like guest on each other's tracks or something like that, you know?
That's genius.
It'll help people pronounce SZA correctly too.
But I mean, PSA is like, that's, I don't know, isn't that kind of a half ass thing you do
when you've already made something that's too difficult to use?
You know what I mean?
Like that's how you cover your ass after you've already created a problem, you know?
It's one of those things that we can't blame the problem on any one entity.
Basically, the internet was started.
Everybody was using AOL.
It was kind of non-complex at that time, right?
We all understood it was a series of tubes.
We understood that.
That's how the internet worked.
Then from there, it was in your pocket with your iPhone, and now you have apps,
and you have the ability to log in with your face,
and it's just kind of gotten bloated over time.
So we can't blame any one organization, entity, company.
It's just expanded with the way that the internet expanded.
So we have to try and address it as best we can.
And unfortunately, as human beings,
the best we can is PSAs.
Well, it's also created a,
we rely on our accounts and on the internet
and on our devices to do so much now.
Like, you know, half the time that I pay for something,
I'm doing it with my phone.
I was at the airport and there's a trial program
to put your ID on your phone,
your California state driver's license.
And I can imagine a world where, you know,
10 years from now, the majority of business travelers,
like, I don't even bring my wallet.
I just like, you know, do my ID.
That's how I get through the TSA checkpoint is, you know,
I do it using Apple Pay, right?
And so we're loading more and more of our lives
into these devices,
which makes them bigger and bigger targets. And they get more and more of our lives into these devices, which makes them bigger and bigger targets,
and they get more and more complex as you say.
I think honestly what that tends towards
is it makes the large players even more powerful.
Like Apple's whole emphasis,
if you look at them over the last five, 10 years,
their emphasis has been on privacy and security.
They're the private option.
You can debate to what extent they are,
but they've clearly taken that approach
because they are responsible for so much.
They're like, okay, we need to like lock it all down.
You know, like that is our new approaches.
Everything is locked down.
Even if the feds get your iPhone,
they're not gonna be able to read what's on it.
That's how much we're encrypting everything.
Which is okay, that's good as a solution
to this immediate problem,
but then the overall result is that
this one company ends up massively powerful, right?
I am so locked into the Apple ecosystem
to keep all of my important shit safe
that now I'm sort of stuck with them, right?
Like the openness of the internet starts to break down
in the face of the security threats, you know?
Does that trajectory track to you?
I feel like a lot of people feel the same way.
You know, they feel locked into specific providers,
they feel locked in with specific tool sets
or something like Apple or a specific telco provider
who has a lot of control over our digital identity
and preventing fraud.
So yeah, I don't blame you.
I think that's a very normal feeling.
In terms of how much data the average person has out there,
I just saw some report that like a couple billion records
were leaked from a, what was it?
It was a major organization that had like tons
of people's social security numbers and et cetera.
You know the story I'm talking about?
Can you tell me the details
because I'm misremembering them?
Yeah, no worries.
We actually don't know a lot of the details.
So a lot of it is.
Yeah, a lot of it is questioned on the internet
because there's so many billion lines of data
that were leaked.
People are like, are these the social security numbers
of dead people?
What's happening here?
Are you breaking out address into a separate line?
And that's why there's like 10 records per alive person. I don't think we know every single thing
about this breach yet, but we do know that the social security numbers of many Americans,
if not most, were unfortunately found online. So it's scary, right? The tools that we use to
verify identity really shouldn't be used like that anymore. That's why I recommend even something like your last four digits of your social
or even your full social really shouldn't be used to verify identity.
It should be something like multifactor authentication instead.
Anything that you know is essentially KBA knowledge-based authentication
and easily hacked.
Yeah, it seems like we are living in a world now where so much data
is just loose out there.
Is it even worth worrying about the data?
I mean, if everyone's social security number
is already on the internet, right?
That's like, was 15 years ago,
that was like the one piece of data
you didn't want out there.
Your social security number,
oh, that's very, very frightening.
But like, now if someone asks me
for my social security number,
should I just be like, you know it already.
Like, whatever scammer, go get it yourself.
Why are you even asking me?
Yeah, there is some barrier to entry
where it can be hard to find some of these data breaches.
And to be clear, the dark web isn't super easy to search.
It's not like the regular clear net internet
where you can go on Google
and find somebody's email address or phone number, right?
It can be really cumbersome to try and find.
And also, this stuff gets taken down, it gets moved,
the feds try and take it down.
So it's tough to find, it is out there.
It doesn't mean that we should be nihilistic about it,
though, so I wouldn't go around anybody who's asking you
for your social security number,
handing it to them on a piece of paper.
But it sort of goes to show that at this point,
there's so much data that people have out there
that anybody can be a target of this kind of attack.
Like a dedicated person can find you
and find your information.
Yeah, I would say that with the right timing
and the right pretext,
which is who we're pretending to be,
anyone could be tricked,
including a security professional.
So it's one of those things where we just have to layer
a lot of different steps together to stay safe.
I'm sure we'll get into all of my takeaways,
but I'm not gonna get into them yet.
Have you ever been tricked?
People try, they try all the time.
They try to convince me over email,
they try to trick me over the phone.
I got a text the other day that was so annoying.
I mean, yeah, I mean,
everybody gets those types of phishing messages.
What's the most you've ever been tricked
or what's the most interesting trick
someone tried to pull on you?
People are always trying to get my address.
They're trying to figure out what my email address is.
They'll send me an email and it has like 45 different
email addresses in the send bar
because they're typing in every single email address
they think could potentially be my email address.
I'm like, just relax, just DM me on Twitter,
I'll answer you.
I'm like, just relax, just DM me on Twitter,
I'll answer you.
In terms of the industry of hacking, right?
In terms of the industry of hacking, right?
Like who is doing this and why?
I'm sure there's a lot of different reasons,
but like, you know, how large is this problem
and who's doing it?
There are so many different types of cyber criminals,
but the one that I find the most interesting,
and it's actually the most common right now
that we see in the news, is a lone wolf young person.
We're talking 17-year-old from Florida,
16-year-old from the UK.
The Twitter hacker, the Uber hacker was,
I think both were 17-year-old boys.
So we've got a lot of miners who are out there thinking,
hey, I'm not 18 yet, it's not gonna be that big of a deal,
it's not gonna stand my permanent record,
I'll go ahead and try and hack a company for clout.
And it's interesting because a lot of the times these,
people we think of nation state actors, right?
We're like, oh, was this North Korea doing this?
No, it was a 17 year old in Florida who was bored.
Who just wanted to get, make some, in Florida who was bored. They wanted to feel
cool. They wanted to talk to their friends on Telegram or on a forum and say, I did it.
It's really that simple. Honestly, sometimes we're lucky that it's those people who are actually the
ones that are successful and that are in the news. Because if it was not a 17-year-old from
Florida trying to gain access to the DMs of former president Barack Obama,
we'd probably have bigger problems on our hands.
But it's just a 17 year old who's bored, wants clout,
and tries to push a crypto scam and makes $150,000
and then goes to jail for the rest of his life.
I mean, I don't know what to tell you.
It's the same thing over and over again.
Wow.
I mean, I understand when you're that age,
it's like that, you know, any lock looks like
it would be interesting to pick.
So a lot of them are just doing it for fun?
Or how much are we, how do we tell the difference
between somebody's doing it for fun
and an actual online crime ring of some sort?
Because that must exist as well.
Oh, 100%.
I mean, you've got your ransomware gangs, essentially.
You think about how crime works on the street, right?
You've got gangs, then you got lone wolves
who just wanna punch you in the face to take your phone.
There's all different types of criminals
and that exists online as well.
So yeah, your ransomware gangs,
oftentimes they're funded by nation states
and they're very capable.
And you don't know that they're in there
until they brag about it and tell you, that's the thing.
Ransomware gangs funded by nation states. Nation states such as, are there examples of this? Because you hear about it and tell you, that's the thing. Ransomware gangs funded by nation states.
Nation states such as, are there examples of this?
Because you hear about it, but it often seems
a little bit difficult to trace back to the source, right?
Yeah, attribution's really hard,
but sometimes they'll brag and say,
we're from Russia or we're from North Korea.
So we sometimes take them at face value.
But I remember, okay, this was like 10 years ago now,
but the Sony hack, where Sony Pictures was hacked
by a group that claimed to be associated with North Korea
and they were mad about the Seth Rogen movie
about Kim Jong-un, right?
But at the time, I saw a lot of skepticism
about whether this was actually North Korea
because they were writing a lot of like, you know,
we revere the great leader in like English, you know,
in a way that like you would think an American
would maybe like, you know,
just like pretend to be a North Korean.
And then also they were like releasing
all of Sony executive Amy Pascal's emails
with George Clooney, which like,
if you're North Korea, why do you give a shit?
You know, like it was, seems to be taken at face value that like, yes, of course're North Korea, why do you give a shit? You know, like it was, it seems to be taken at face value
that yes, of course, North Korea hacked Sony
because they were mad about a movie.
Until you thought about it, you're like, wait,
is that what happened or was somebody using that
as a cover to have fun or what?
I don't even remember how that story ended,
but it's like to the point
that attribution is difficult, right?
Attribution is one of the hardest problems
we have
in cybersecurity.
We can do our very best guess.
We can do as much forensics as we can.
And we, a lot of times get really close
to being a hundred percent sure, but still, I mean,
plausible deniability exists.
Someone pretending to be from North Korea is possible,
but yeah, it's a really hard problem to solve.
Or North Korea paying some group of people who are then, you know, but they're not North Koreans.
They're maybe they're freelancing a little bit.
Like it can be murky, like what actually happened.
That happens all the time.
I mean, we just have a new story that's going live
this past week about Russia paying some influencers
in the U.S. I think it was with Tenant Media
and they were paying them hundreds of thousands
or millions of dollars to kind of push
specific talking points.
So yeah, sometimes it's very hard to follow the money,
and people claim they didn't even know
that they were a part of this specific propaganda campaign.
Now, whether or not they knew or didn't know,
that's not for me to answer,
but I guess the feds will find out.
Yeah, very fascinating.
And you know, by the way,
we just did an episode a couple of weeks ago
about foreign influence
on American government and how big of an industry that is.
So of course you can imagine some of it's clandestine.
And then that's not even to talk about the stuff
that is actually happening secretly
like the espionage side of it,
which is probably even deeper.
Like I can only imagine what like, I don't know,
the CIA and the NSA are doing to their counterparts
and vice versa to try to like, you know, the CIA and the NSA are doing to their counterparts and vice versa
to try to like, you know, the real deep,
like actual spy shit.
But this also happens on a more trivial level, right?
Like you always read about hospitals being held ransom,
which is, you know, probably,
not a lot of people would think that, you know,
a local school district would need to be worried about,
you know, a ransomware attack,
or would need to have really high security, but those become targets as well, yes?
Yeah, absolutely.
Unfortunately, attackers have learned that those targets are softer, so they go after
a hospital or a school district or a therapist's office and threaten to release notes based
on those therapy clients.
They go after the places that they believe don't have enough security to secure
their actual infrastructure and have such sensitive data,
whether it's about students, their health,
their learning, or patients that they think
that the ransom will be paid.
And oftentimes, even when you pay the ransom,
they still release the data anyway.
That's a thing.
You don't have any sort of guarantee.
It's kind of like negotiating with a terrorist. That's the thing. You don't have any sort of guarantee. It's kind of like negotiating with a terrorist.
That's really wild.
Is this something that they have gotten any better at recently?
Or, I mean, have we succeeded in, you know,
making these places harder targets at all?
I wish I could say yes.
I mean, I'm an optimist at heart,
but I want to be honest with you.
No, we see ransomware increase year after year, typically.
So these attackers, they recognize
that they have some soft targets.
They try to go after them.
There's millions upon millions of these soft targets.
And so they don't really need to change their playbook
until people wise up and change their infrastructure.
So no, I mean, they're still quite successful
quite frequently.
[♪upbeat music playing.♪ Folks, today's episode is brought to you by Alma. No, I mean, they're still quite successful quite frequently.
Folks, today's episode is brought to you by Alma. Look, life is full of challenges.
Even the best of us can feel bogged down by anxiety,
relationship issues, or the weight of major life transitions.
And going it alone is not really a great strategy.
I cannot recommend it as someone who's tried
a little bit too much to do so.
What I can recommend is finding someone who truly understands what you're going through
to help you through your tough times.
And if you're thinking about getting some licensed expert help to navigate your own challenges,
I really recommend giving Alma a try.
Therapy can be an incredibly effective tool to help you get through your day to day.
But you know what?
I know from personal experience that it is so much more effective
when you find someone who feels like they are truly hearing
and understanding you.
Getting help is not just about having any therapist.
It's about finding the right therapist for you.
And that is exactly what Alma helps you do.
You can easily browse their directory
and filter to find a caring person who fits your needs
with preferences like gender, sexuality, faith, and more. Alma is also designed to filter to find a caring person who fits your needs with preferences like gender,
sexuality, faith, and more.
Alma is also designed to help you find a therapist
who accepts your insurance.
Over 95% of therapists at Alma take insurance,
including Aetna, Cigna, UnitedHealthcare, and others.
People who find in-network care through Alma
save an average of 77% on the cost of therapy.
And getting started is effortless
because you can browse the directory
without having to create an account
or share any payment information.
Plus, you can book a free 15 minute consultation call
with any therapist you're interested in.
It's a perfect way to see if they're the right fit for you
so you can find someone you really click with.
Alma can help you find the right therapist for you,
not just anyone.
So if you want to get started on your therapy journey,
visit helloalma.com slash factually to get started
and schedule a free consultation today.
That's helloalma.com slash factually.
Did you know that learning actually makes a sound?
It's true, listen.
That's the sound of you mastering a new language
with Babbel.
Learning a new language can be one of the toughest
yet most rewarding challenges out there.
So if you're ready to dive in,
make sure you're using the right tools to get the job done.
From minute one, Babbel is concerned
with helping you get out there
and put a new language into practice in the real world.
I mean, I've lived in LA for years
and a great deal of the population here speaks Spanish.
So starting Spanish with Babbel has been rewarding to me in ways I didn't even anticipate.
I'm excited to learn more to see what else it opens up for me, and that is just my experience.
But studies from Yale, Michigan State University, and others have shown that Babbel is effective.
One study even found that using Babbel for 15 hours
is equivalent to a full semester of a college language course.
And guess what?
Here's a special, limited time deal for Factually listeners.
Right now you can get up to 60% off your Babbel subscription,
but only for our listeners at babbel.com slash factually.
Get up to 60% off at babbel.com slash factually.
That's spelled B-A-B-B-E-L dot com slash factually.
Rules and restrictions may apply.
When we're talking about social engineering,
something that strikes me is that,
you know, I'm very critical of AI technology on this show
and the way that it's been marketed.
One of the things that it can do is, you know,
give people the ability to mimic a particular piece
of content, whether an image or a sound, pretty effectively.
If you look at, you know, the software that now allows
people to do vocal mimicry, things like that,
it makes me wonder how effective, you know,
that will be at scams in the future.
I remember a couple of years ago,
my grandmother who has now passed away,
so I won't embarrass her by telling this story,
but she was called by a scammer who pretended to be me,
said that I had gotten in an accident
and needed her to wire me some money
and had some details about me.
And look, she was in her late 80s, early 90s at this point.
I'm sure they didn't need anything high tech.
They just sort of made their voice sound a little weird
because they were crying and had a detail or two that helped.
And she drove to a Western Union and wired them money.
And that, and you know, it was horrible.
It was very distressing to find out about.
She did you out of love for me, right?
She was embarrassed.
It luckily wasn't a life-changing amount of money.
It was a small time scam.
But, you know, that sort of thing,
I would imagine could be done even more effectively now
if you look at how much of my voice
is available out there, right?
Yeah.
That someone could do a voice print on if they wanted to.
So how much is that an issue of concern?
It is an issue of concern.
First of all, I'm sorry that you dealt with that
because that sucks.
I was on 60 minutes talking about that specific attack
last year and I did a voice clone demo using an AI tool
and hacked Sharon Alfonsi through her assistant
by pretending to be Sharon.
So all I need is about 1.5 to two minutes of your voice
and you've got hours upon hours out there
to create a good vocal clone.
So unfortunately we are seeing scammers
get a little more savvy with their AI tools.
They are uploading people's voices,
they're sounding quite distressed
in your actual cadence, tone, timbre,
as opposed to before just sounding hysterical.
Somebody's calling on your behalf
and it's a little harder to see if it's really that person.
Now, there's a lot of my voice out there,
but it's all me doing my podcast voice,
which is very shouty.
I really project.
And so I think if they tried to use this
on any of my relatives now, they'd be like,
the call would be like,
Mom, I need you to wire $500.
They'd be like, why is Adam sounding so up?
Like, he's really, he has a lot of energy when he's upset
What's your normal voice sound like I'm not gonna do that
I'm not gonna do that
It is very much. It is very much sort of the thing from sneakers right?
My passport my voice my passport. I mean that was
What are the better hacking movies ever made?
But yeah, I mean, in terms of like deep fakes,
you often hear people talk about them and,
oh, Trump uploaded a deep fake of Kamala or whatever.
Right.
I don't know.
That is what it is like.
Whether or not that's a big issue in the election,
that seems to me to be a smaller issue
than the pettier use of this kind of technology.
Is that, do you feel that way?
I think it's both, unfortunately.
We have a lot of folks who struggle
with their digital literacy around AI deepfakes
on social media.
So we're seeing deepfake pictures, videos, audio
that is trying to influence the election, such as
a robo call that sounds like it's coming from a candidate telling you that your election
or polling location has changed and to not vote that day, to vote a different day. Those
types of attacks are unfortunately quite effective because it really sounds like it's coming
from that candidate. People don't know better. Maybe they're older. Maybe they're not familiar
with these types of attacks and they believe it and they don't exercise
their right to vote.
Or they hear a candidate's video talking about
something that they've never said before,
and they think, well, I don't agree with that,
I'm not voting for them.
When in reality, that's fake, it's not real.
So the concept of fake news isn't new,
but it has evolved and become more believable,
and unfortunately people are falling for it.
Now it's less likely that you or I would,
folks in our age range and group
aren't falling for it as much,
but folks that are older than us,
we're definitely seeing fall for these deep fakes.
Yeah.
And I can imagine that would be even more effective
if it's a targeted thing on a particular person,
trying to like exploit information about that person
in order to get them to do a very specific thing
in order to drain their bank account.
100%.
I'm a pen tester, I'm a hacker.
So ethically I get asked to do this all the time
and I only do it when I sign a contract too,
not for any other reason,
but I have hacked many everyday regular people
as a part of their job, pretending to be from finance,
asking for wire transfers,
asking for, asking somebody in HR
to change billing details, stealing money.
It's easy to do, unfortunately,
in both people's personal life
and their professional life.
Tell me more about that as an ethical hacker.
How did you get into that and what does that work like?
Yeah, I got started at Defcon,
the world's largest hacker conference.
So about 30 to 40,000 hackers descend on Vegas
every August or July.
We go there, we'd learn the latest attack techniques
and I got started, I think like 10 years ago at this point,
where they put me in a glass booth
in front of an audience of 500 hackers.
And I had to hack a real company target live
in front of that audience within 20 minutes.
Wow.
I ended up getting second place in that competition three years in a row, which kind of jumpstarted
my career as a hacker.
And then organizations like the large tech companies, large law firms started contacting
me.
US Air Force asked me to hack them.
And from there, it's a little bit of social proof, which is why I named my company that,
where they kind of target,
they want to talk about how safe they are.
They want to talk about the fact
that they've actually pressure tested their systems
and they do that and it kind of just spreads from there.
I wish we had opened with that anecdote.
That's really cool.
What did you find from that corporation in 20 minutes?
Like what does hacking entail
and what is the audience looking at?
They're looking at, I assume,
a screen share of some kind on a monitor.
Yeah. So everything we try to not go too deep and actually touch infrastructure.
So what we do during the competition is demonstrate how elicitation works.
We've been joking and I've been doing elicitation with you all day.
The Dr. Pepper thing was part of it.
Me saying, what does your normal voice sound like?
And is an example, right?
Obviously, you're not going to fall for it.
You're extremely savvy.
But we try to...
I like being asked questions about myself,
and I feel like I fall for it very easily.
But it's just because I know you're a hacker.
And the average guest could get any kind of info out of me.
But please go on.
So we try to get people to tell us information
that would be useful.
So for instance, it's useful for me to know
which password manager you use, which multifactor
authentication tool you use, which websites you like to go to.
If I know those specific sites, I can craft my phishing attacks or my malware to work
on your specific machine.
So getting people to say, oh, I use the Apple ecosystem.
Well, now I know I have to use Mac based exploits.
I'm not going to be able to attack you on a Google based device or Android phone, right?
So it's helpful for me to understand
what type of operating systems, versions, tool sets you use.
And that's what we really seek
during the social engineering competitions at DEF CON.
We're trying to demonstrate how we would gather
that information to then trick somebody using
a phishing attack or malware.
This is a social engineering competition.
So you were getting information from people that you-
Yeah, just human hacking.
So I didn't actually touch their systems
with any code or malware, but demonstrating how I would.
Human hacking is a really good way to put it.
Human hacking, like is frankly a better phrase
than social engineering because it really makes it clear how vulnerable humans are.
Because let me tell you something,
our operating system never gets updated.
I'm exactly as stupid today as I was a year ago
and I'll be even stupider in a couple of years.
Don't tell me that, Adam.
You're gonna give me heart palpitations over here.
I'm gonna stay on after,
I'm gonna get your systems up to date.
I mean, for real, like, you know,
one of the things about people
that I think about all the time is, you know,
every problem in the world was caused by people
and people, you know, we don't change that much.
Like, you know, culture changes, civilization changes,
but you know, people are greedy, they are careless,
they are inattentive. They are, you know.
Tired.
Tired, yeah, absolutely.
And they always will be.
And you know, they'll never stop being that way
because they are human beings.
They're flesh and blood, you know.
And we will never be able to perfect ourselves.
And we'll always be the weakest link in the system, right?
I unfortunately always say that I have job security.
I wish that that wasn't the case.
I wish that we could get humans perfect. But humans aren't robots. We are fallible. We will
always make mistakes. I don't use the phrase weakest Lincoln security. I twist it a little bit
and say, you're the first line of defense. You're the first thing that could catch me.
You're the first thing that will report me. And I do get caught all the time. So once people know
what to look for, they understand how my persuasion techniques work,
how do I build rapport, how we make jokes, how we talk,
you know, all the ways we've been talking today,
they go, oh, I didn't realize that that rapport building
is actually soliciting information.
I'm giving the info that the attacker needs.
I didn't recognize that in the moment.
And then they're able to catch it later.
So yeah, I get caught all the time.
It's kind of empowering actually, it's exciting.
Well, this brings us to my final two questions.
The first one is, I just want to talk again about,
what blame the companies whose systems we interact with
have for this problem?
Because, we're fallible humans,
we will never not be fallible.
Yeah.
And yet we are forced to interact with
these extremely complex systems.
And, you know, the burden is on us to freeze our credit file,
to have, pick a good password, to use a password manager,
blah, blah, blah, blah, blah, blah.
We didn't ask to be working with all these
insecure systems, right?
And half the time, you know, I just went and re-froze
my credit files the other day,
but half of these companies have had their own data breaches.
Like the credit bureaus themselves have had data breaches.
The customer service people at these companies are hackable,
et cetera, et cetera.
And so, I mean, how much is this a problem where humans need to do better about being
secure on our hands, but how much is it the companies themselves that need to be held
responsible for creating, A, systems that require such great security, and B, for creating
security holes that are constantly being exploited.
They're never punished when they,
you know, when they leak all of our private data, are they?
Well, they get fines,
which are essentially a slap on the wrist.
But you know, I would say that you're right,
that we have to hold the companies
that we trust with our data to a higher standard.
And there are a lot of things that companies can do better.
So if a company is not using
multi- multifactor authentication
internally that matches their threat model, that's not good.
They need to do that because they're protecting our data.
We have to protect our data with MFA,
and they have to protect our data with MFA
for their internal credentials too.
If they're not using password managers,
and most enterprises aren't fully using password managers
across the board yet,
they have to make sure that they're doing that.
They've got to make sure that they get their employees' information off the internet.
They've got to remove their personal details, otherwise they're just going to get hacked
personally, which will probably affect their work life as well because they're reusing
passwords.
And so there's so many things that organizations have to do that mimic what we have to do in
our personal lives that we need to hold our organizations to a higher standard for.
So I think you're exactly right.
People have to take all of these actions and the workplaces that we are entrusting with
our data essentially have to do this as well.
I have a bunch of takeaways that are specific to organizations like making sure that your
customer service team knows how to verify identity appropriately
and has updated those protocols
and doesn't just ask,
hey, what address did you live on?
What's your date of birth?
Because that's not sufficient
to protect your privacy or your security.
I mean, how are we supposed to even be able to tell
which companies take our security seriously
and which ones don't?
Like again, I'm a little bit more tech savvy
than most people, so I can look at one company
and say, all right, this one has better practices.
But I look at something like, if the average person
is trying to decide whether to use Signal or Telegram,
right, both of which claim to be encrypted services,
but it has come out recently, my understanding is,
that Signal is, as far as I know, quite well encrypted.
Telegram never had encryption on by default.
Most communications were not encrypted,
and in fact, was harboring so much cybercrime
on their service that I believe the vice president
of the company or an extremely high-placed executive,
was the CEO, excuse me, the CEO was just arrested.
And this is one of the largest messaging apps in the world.
More people use Telegram than use Signal, I believe.
So how is the average person supposed to know,
hey, this one is safe,
whereas this one is a privacy and security nightmare.
They both claim that they're doing a good job,
only one of them is.
If you're looking for really good security information,
I recommend, and I know this is something
people disagree about,
I recommend you follow security people on Twitter.
We have been talking about the fact that Signal is end-to-end encrypted and Telegram is not
end-to-end encrypted for like four, five years at this point.
If you can follow those folks where they talk about it all the time that are actually providing
that analysis, I think it'll really help people.
We try to get this information out and I think I talked to the Washington Post or something about this specific issue recently, but it's not something
like you mentioned that the average consumer understands. And the average consumer isn't
going to go into the TNCs to see, wait, is it actually end-to-end encrypted or do I have to
enable that? Is it end-to-end encrypted just naturally? People don't understand that. They
don't understand opt-in versus opt-out. So yeah, you want to use a tool that's end-to-end encrypted just naturally? Yeah. People don't understand that. They don't understand opt-in versus opt-out.
So yeah, you want to use a tool that's end-to-end encrypted.
You want to have good safe practices
and you want it to be something on a default.
Signal has that.
Yeah.
And it, you know, it'll auto delete your messages
if you turn that on, which is really good.
If you're texting a drug dealer,
I don't know, whatever you might want.
There's a lot of, a legal one in California.
I don't know, whatever, cut that out or leave it in.
I don't give a shit.
We're at the end of the podcast and I'm getting loopy.
What are your, so for the average person though,
we talked about how we're all a part of this giant
security capitalism nightmare where our security
is always compromised
and yet we must interact with it.
So what are the best practices that we can take
to protect ourselves?
Give us a couple of concrete tips that people can use
here at the end of the podcast.
Absolutely.
Number one, use long, random, unique passwords
stored in a password manager.
There are a million good password managers out there.
Adam, you've talked about one password.
Bitwarden happens to be free
if you wanna get a free option.
That I highly recommend, good encrypted options.
And then you wanna make sure
that you have multi-factor authentication on.
That second step when you log in for every account.
You might think,
oh, I don't care if I lose my Instagram or not.
Well, your followers do.
Because if you lose your Instagram, they're going to push crypto scams.
They're going to try and scam your family and friends.
You're going to try and scam the people around you.
So it does matter.
Make sure you have a long, random unique password.
Multi-factor authentication is on.
Number three, I call this being politely paranoid.
This means verifying that people are who they say they are before taking a sensitive action.
Somebody says, hey, I got into a car accident.
I need you to send bail money to this location.
Say, no problem, I'm here to help you.
I messaged you.
I sent you a text.
I sent you an email.
I sent you a Facebook DM.
I sent you a WhatsApp message, whatever,
any other method of communication.
Go ahead and read that word out to me.
If they can't do that, you've got to be able to verify identity before sending passwords, What's that message, whatever, any other method of communication, go ahead and read that word out to me.
If they can't do that,
you've gotta be able to verify identity
before sending passwords, sensitive access,
wiring money, et cetera.
And number one.
That's a really great tip.
Also, a lot of these password managers now will let you,
if you ever wanna send a password,
they will let you send it in a secure way
using the password,
rather than just pasting it into your text app or whatever,
which I also think is helpful.
But verifying is really, really useful.
Or your signal.
That's another reason why you might use signal
if you don't have that password manager yet,
but you're trying to send secure end-to-end encrypted data.
And then the last one is,
take your sensitive details off the internet.
I call this delisting yourself.
A lot of people use that phrase.
Delisting yourself means taking your sensitive details,
like your address, your phone number, your email address,
off of the internet.
For most people, I can find multiple email addresses.
And when I type them into these data breach repository sites,
I'm able to find 13 to 14 breach passwords
that people reuse across their sites.
I don't even need to contact you to hack you.
I just find out what email address you use
and then I log in as you with a breach password.
And I recommend doing this.
You can pay to do it or you can do it for free.
If you do it for free,
you just click the three dots on the side of Google
or send a fax to the data brokerage site.
Most require a fax, which is really annoying.
Or you could pay a service.
Delete Me by a company called Abine
is one that I have used before,
so highly recommend that too.
Yeah, Delete Me has sponsored this show.
As people who listen to the show know,
I've used them for many years.
Excellent service, and they just automatically send opt-outs
to all the different data brokers
to get your data taken off as many as possible.
Works great.
Those are all really good tips.
And now you said that people should follow
security professionals on what we now call x.com
or other services.
You'll never call it x.
You'll never call it, I finally started typing in x.
Because the auto complete just stopped working
on Twitter entirely, because they started
referring us directly to x.
So where can people find you, I'm sorry Rachel,
on X or other platforms?
Are you on Threads or are you on Blue Sky?
Are you on Mastodon perhaps?
I'm on everything with the same handle,
at Rachel Tobak, no space.
Well isn't that a security hole
if you're using the same handle on every single one?
Now people find a one handle, they know all of them Rachel.
Well not if I've got a good long random unique password
stored on a password manager with multifactor authentication
and I use the lead me and.
Oh, good.
So now you just have to spend one week a year
updating all your fucking passwords
and doing all your security hygiene.
I know I'm still frustrated we have to do it,
but I'm really glad that you came on to tell us about how.
Rachel, thank you so much for coming on the show.
Thank you.
It was a pleasure having you.
It was so good to be here.
Thanks for chatting with me, Adam.
Well, thank you once again to Rachel Tobak
for coming on the show.
If you want to support the show,
head once again to patreon.com slash Adam Conover.
Five bucks a month gets you every episode of the show ad free.
For 15 bucks a month,
I will read your name in the credits of the show
and put it in the credits of every single one
of my video monologues to thank you
for helping support what I do.
This week I wanna thank Cam, Darren Kay,
Steven Volcano, Angelina Montoya, Matthew Reimer,
Ethan Barak Pelled, Gabriel Guerra, and Kerry Hill.
Thank you so much to all of you for supporting the show,
patreon.com slash Adam Conover, if you'd like to join them.
Once again, I am taking my new standup out on the road.
Head to adamconover.net for tickets and tour dates.
If you want to watch my brand new special, unmedicated,
dropout.tv, I hope you watch it.
I am so proud of it, dropout.tv, to watch it.
I want to thank my producers, Sam Rodman and Tony Wilson,
everybody here at HeadGum for making the show possible.
Thank you so much for watching
and we'll see you next time on Factually.
That was a HeadGum podcast.