500,000 Monzo banking customers told to change their PINs

Graham Cluley

Mobile-only bank Monzo has apologised for a gaffe which left the PINs of a subset of its customers exposed to its internal engineers.

The company says that on Friday 2 August it discovered that some users’ PINs had been stored in an internal system in encrypted log files, and these log files were accessible to Monzo engineers.

According to the digital bank, around a fifth of Monzo’s UK customers had their PIN stored for up to six months in the log files after they made a request via the app to be reminded of their card number, or cancel a standing order.
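The failure described above is a logging bug rather than a break-in: a request that carried the customer's PIN was written to a log, and encrypting the log file at rest did nothing useful because the people who could read the logs were Monzo's own engineers. The example below is added here to illustrate that failure mode and its fix; it is not Monzo's code, and the request shape, field names (`pin`, `card_pin`, `cvv`, `password`, `pan`) and action name are assumptions. It shows a handler that logs the whole request body (the bug) beside one that redacts sensitive fields first, with a handler-level logging filter as a second line of defence for PINs that reach a log line as raw JSON anyway.

```python
import io
import json
import logging
import re

# Hypothetical field names; Monzo's real request schema is not public.
SENSITIVE_KEYS = {"pin", "card_pin", "cvv", "password", "pan"}

# Safety net: catch a PIN that still arrives in a log line as JSON text.
PIN_JSON_RE = re.compile(r'("(?:pin|card_pin)"\s*:\s*")\d{4,6}(")', re.IGNORECASE)


def redact(value):
    """Return a copy of a payload with sensitive fields masked, recursing into
    nested dicts and lists so a PIN inside a sub-object is caught as well."""
    if isinstance(value, dict):
        return {k: "***" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


class RedactingFilter(logging.Filter):
    """Handler-level filter that rewrites the formatted message before it is
    written, so a PIN logged by mistake elsewhere never reaches the file."""

    def filter(self, record):
        record.msg = PIN_JSON_RE.sub(r"\1***\2", record.getMessage())
        record.args = ()
        return True


def handle_unsafe(request, log):
    # The failure mode: the whole request body, PIN included, is logged.
    log.info("remind_card_number request: %s", json.dumps(request))
    return {"status": "ok"}


def handle_safe(request, log):
    # The fix: redact before the payload ever becomes a log line.
    log.info("remind_card_number request: %s", json.dumps(redact(request)))
    return {"status": "ok"}


def run_and_capture(handler, request, with_filter=False):
    """Run a request handler against an in-memory log and return what was
    written, so the effect of each approach can be checked directly."""
    stream = io.StringIO()
    log = logging.Logger("demo")  # unregistered logger: no shared state
    stream_handler = logging.StreamHandler(stream)
    if with_filter:
        stream_handler.addFilter(RedactingFilter())
    log.addHandler(stream_handler)
    handler(request, log)
    stream_handler.flush()
    return stream.getvalue()


# Constructed sample request; not a real Monzo message.
SAMPLE_REQUEST = {
    "user_id": "u-12345",
    "action": "remind_card_number",
    "auth": {"pin": "4829"},
}

if __name__ == "__main__":
    print(run_and_capture(handle_unsafe, SAMPLE_REQUEST), end="")
    print(run_and_capture(handle_safe, SAMPLE_REQUEST), end="")
    print(run_and_capture(handle_unsafe, SAMPLE_REQUEST, with_filter=True), end="")
```

The structured `redact` step is the real fix: it works on the data model rather than on text, so it catches the PIN wherever it sits in the payload. The regex filter only recognises the two key names it was written for and should be treated as a backstop, not the control.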


By 5:25am the following morning, Monzo had released updates to its iOS and Android apps fixing the issue, and by Monday morning had permanently deleted the incorrectly stored data.

Although there is understandable concern that a mistake like this could happen at a bank at all, some credit has to be given to Monzo for fixing the issue so rapidly and for its transparency in telling customers about the problem.

By now many customers will already have updated their smartphone’s Monzo app, and affected users should have received an email notification regarding the issue.

Monzo email

Although some users have mentioned that an in-app notification might have reassured them that the email wasn’t fraudulent, I get the impression that Monzo is trying hard to fix a problem here and to be seen to be taking the incident seriously. That’s at odds with how many companies respond to a breach, where they wring their hands claiming they “take security seriously” but don’t leave the impression that lasting lessons have been learnt.

What’s important to recognise is that there is no suggestion that Monzo has been hacked. Furthermore Monzo says that it has examined affected accounts and not seen any evidence of fraudulent activity.

In short, it’s perfectly possible that none of Monzo’s engineers who had access to the log files containing customers’ PINs did actually access them, let alone exploit the information maliciously.

With that in mind, should you change your Monzo PIN if you are one of those 500,000-or-so customers who was affected? Undoubtedly.

Even if there is only a slender chance that a criminal might have managed to get their claws on your PIN, you should assume the worst and visit an ATM to change it.

And, just like passwords, you should be careful to ensure that you are not reusing the same PIN in multiple places.

Back in 2011, iOS app developer Daniel Amitay published his alarming research into the most common four-digit passcodes used by iPhone users after anonymously collecting and recording 204,508 PINs.

Most common pins

Naturally, 1234 is the most common passcode: mimicking the most common internet passwords. To put this into perspective, these 10 codes represent 15% of all passcodes in use. Most of the top passcodes follow typical formulas, such as four identical digits, moving in a line up/down the pad, repetition. 5683 is the passcode with the least obvious pattern, but it turns out that it is the number representation of LOVE (5683), once again mimicking a very common internet password: “iloveyou.”

Interestingly, 1990-2000 are all in the top 50, and 1980-1989 are all in the top 100. I would interpret this occurrence as a subset of users that set their passcodes to the year of their birth or graduation.

I have no reason to believe that human behaviour regarding choice of PINs has changed much in the intervening eight years.
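The patterns Amitay describes (identical digits, runs up or down the pad, repetition, years, and the odd case like 5683 for LOVE) can be turned into a PIN-selection check of the kind a banking app could apply, together with the frequency analysis used to find them. The example below is added here and is not Amitay's or Monzo's code; the denylist contains only the six PINs named on this page (a real policy would carry a far longer list), the "looks like a year" rule is a policy choice, and the sample of 100 PINs is constructed to mimic the skew described above, not Amitay's data.

```python
from collections import Counter

# The six PINs this page names from Amitay's top ten; a real policy would
# block a much longer list (for instance the whole top 100).
COMMON_PINS = {"1234", "0000", "2580", "1111", "5555", "5683"}

# On a phone or ATM keypad 2-5-8-0 is the only straight line of four keys.
KEYPAD_LINES = {"2580", "0852"}


def is_weak_pin(pin):
    """Return the reason a PIN is weak, or None if no rule fires."""
    if len(pin) != 4 or not pin.isdigit():
        return "must be exactly four digits"
    if pin in COMMON_PINS:
        return "on the common-PIN denylist"
    digits = [int(c) for c in pin]
    if len(set(digits)) == 1:
        return "all digits identical"
    if pin[:2] == pin[2:]:
        return "repeated pair"
    # Consecutive steps of +1 (or -1) modulo 10, so 7890 and 4321 both count.
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if steps == {1} or steps == {9}:
        return "sequential digits"
    if pin in KEYPAD_LINES:
        return "straight line on the keypad"
    if pin[:2] in ("19", "20"):  # policy choice: birth/graduation years
        return "looks like a year"
    return None


def top_pins(sample, n=10):
    """Most common PINs in a sample as (pin, share-of-sample) pairs."""
    counts = Counter(sample)
    total = len(sample)
    return [(pin, count / total) for pin, count in counts.most_common(n)]


def top_share(sample, n=10):
    """Fraction of the sample covered by its n most common PINs."""
    return sum(share for _, share in top_pins(sample, n))


# Constructed sample of 100 PINs, skewed the way Amitay's data was skewed.
SAMPLE_PINS = (
    ["1234"] * 15 + ["0000"] * 8 + ["2580"] * 6 + ["1111"] * 5
    + ["5555"] * 4 + ["5683"] * 4 + ["1998"] * 3
    + [f"{41 * i:04d}" for i in range(1, 56)]  # 55 distinct filler PINs
)

if __name__ == "__main__":
    for pin, share in top_pins(SAMPLE_PINS, 7):
        print(f"{pin}  {share:5.1%}  {is_weak_pin(pin) or 'no rule fired'}")
    print(f"top 7 cover {top_share(SAMPLE_PINS, 7):.0%} of the sample")
```

Note that the denylist is checked first, so 5683 is rejected even though no structural rule would catch it; that is the general lesson of Amitay's list, since a pattern-only check misses PINs that are common for reasons the rules don't model.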

It might be interesting to compare with the contents of Monzo’s log file of 500,000 PINs, but somehow I doubt they’re very keen on that idea… (and have, quite rightly, deleted the data anyway)

Hear more about the Monzo incident, and Daniel Amitay’s passcode research from 2011, in this episode of the “Smashing Security” podcast:

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

Well, you know, but I would be guilty of this, I bet. If someone said, you know, if I was talking to a dude online and he said that he had a tash, I would right away picture Tom Selleck in his prime and not Hitler or anyone else with a mustache. Oh lord, right, yes, you just would. So I would picture what I would want to see.

Graham Cluley

Three men and a little Führer you wouldn't want to mix up the cast would you. Smashing Security, episode 140. Love, pins, and a Chan. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 140. My name is Graham Cluley.

Carole

And I'm Carole Theriault.

Graham

Hello, Carole.

Carole

Hello, Mr. Cluley.

Graham

How are you doing? All right?

Carole

Awesome.

Graham

Awesome? Well, we'll be the judge of that. We are joined this week. You are awesome, Carole. Sorry. That seemed a bit mean, didn't it?

Carole

No, I live to be judged by you.

Graham

I think maybe it's time for me to be the Penelope in our relationship. I should be nice to you for an episode.

Carole

That won't last. And can you hear the dulcet tones of Maria Varmazis?

Maria Varmazis

Varmazis. No extra R. Varmazis.

Graham

There you go. Hello, Maria.

Maria

Hi.

Graham

Good, good. Great to have you back on the show, as always.

Maria

Thank you.

Graham

You've been a bit busy, haven't you? You did a little bit of work for Darknet Diaries. I did. You popped up in a recent episode of that.

Maria

I did. It was so much fun. I'm so glad I got to be a part of that. And hopefully I'll be writing another one soon. So keep your ears out.

Graham

Awesome. Very cool indeed.

Carole

What have we got coming up on this week's show? A huge thank you to this week's sponsors, LastPass and Recorded Future. Their support helps us give you this show for free. Now on today's show, Graham reveals how an online bank mismanaged customer PIN codes. Maria chats all things 8chan. That sounds fun. And I'll be looking into how to avoid the nasty sharks lurking in the online dating pool. All this and heaps more coming up on this episode of Smashing Security.

Graham

Now I want to send you guys back through time, through the mists of time, all the way back to 2011 when there was a chap called Daniel Amitay. And he released some research that he conducted in conjunction with an iOS app, which he had released for Apple iPhones.

Carole

So this is like a bona fide app, like that went on the iPhone?

Graham

Yes, it was a legitimate app in the iOS app store called Big Brother Camera Security. And what it would do is you would run the app and you'd put your phone down somewhere like you did normal life. The different thing was that if someone else tried to pick up the phone and unlock it, they would enter a PIN code or passcode. It would take their photograph. And obviously, if they got the number wrong, it wouldn't let them in.

Carole

Yeah. And who was it, pray tell? Oh, I see Graham's big face on my screen trying to get into my phone, that type of thing.

Graham

I don't know why you're saying my face is particularly big.

Carole

Well, I'm imagining because your eyes are quite small. You'd be holding your phone quite close to your face. And then it would be...

Graham

Okay, well, there's two things here. First of all, you said my face is very big. And now you're saying my eyes are very small. Could it be that my eyes appear small because of my big face or my face appears big because of my small eyes? I don't know. I'm not an expert. Maybe one or the other is perfectly in proportion, Carole. Maybe just leave you a little less personal on the podcast.

Carole

All right. Sorry. Sorry for hurting your feelings.

Graham

Well, I do have feelings, you see.

Carole

Just being honest.

Graham

Okay. All right. And what Daniel did was he also surreptitiously without telling his users which annoyed Apple a bit to be honest, he would anonymously collect those passcodes and he was keeping a record of them. And so he collected 204,508 PINs.

Maria

Don't say it. I try not to say PIN numbers. Don't say it.

Graham

Because someone pedantic will be in touch about that if I did.

Maria

So this was no bueno. You're not supposed to do that. That's not cool.

Carole

But how does he know whether the PINs are correct or not?

Graham

Well, he doesn't at all, of course. So someone just puts in 2468 and he's like, got another PIN. What he knows is whether that PIN is the right PIN for his app. He doesn't know if it's the right PIN for the phone, but people would enter the PIN assuming it was, for instance, their phone. And I'm sure many people would have used the same PIN for the app as they would have used for the phone, because that's just human nature.

Maria

And who's going to try and memorize two PINs now? We can't even get them to use unique passwords. You think they're going to have a separate unique PIN? Which screen am I on? Let me do the different PIN.

Graham

So what I found interesting eight years ago was he released his figures as to the most common passcodes or PINs which were being used. And he found the number one passcode. Can you guess it for people?

Carole

0000.

Graham

Oh, that was number two, actually. The number one was 1234.

Carole

People came a bit smarter than that.

Graham

Wow. Yeah, okay. Number three was 2580. Can you guess why it's 2580?

Carole

Straight down the middle.

Graham

Absolutely. Just straight down the middle. Then it was 1111 and then 5555. And then an odd one, 5683. Do you know why so many people use 5683?

Maria

I'm looking at my phone right now. I can guess. Go on.

Graham

So if you're right-handed and you have your phone in your right hand, these are all numbers you can hit easily with your thumb. Not quite. Okay, you need to look at the letters. There are letters written on the numbers on many people's phones. And 5683 can spell love. And so that was the sixth most common. Are you hoping

Carole

That people have it as hate? It's nice. Well,

Maria

You know I'm talking about hand later. Now, there were some other interesting findings in his research. One was that all of the numbers between 1990 and 2000 were in the top 50. And if you included 1980 to 1989, that was all in the top 100 as well.

Carole

Oh.

Graham

Which is a bit of a problem. So it wasn't a hack. These weren't accessible to the outside world, but their own engineers could access people's pins. And they

Carole

Had to divulge this information because it was a PII leak. Well, potentially very damaging, right? Because they are not to know whether they've got a rogue apple amongst their staff. Apple cart? Yeah, I'm trying to think what is it. They don't know if they have a rogue employee. They don't know if they've got a bad guy, right? Who's going to actually try and use that information in some way.

Maria

Yeah. I mean, maybe it was for research purposes. They were trying to say these top 20 pins, we're not going to let people use them in our app.

Graham

It would be nice to think that, wouldn't it? But it sounds like instead it was just being stored in an internal log. And the numbers were being collected if people had chosen via the banking app to... There's a button for, say, remind me what my card number is or cancel a standing order. And it was if people did that, then their pin was collected and stored in this file. But it wasn't meant to be as accessible by anything like as wide a number of staff inside the company. But I am actually quite impressed by the response. I think they've been quite rapid and they've been quite transparent. And I wonder how often this might happen inside other financial institutions. And because there's nothing externally seen, they don't even know that any of the engineers ever realized they had access to this data. As far as they know, they've seen no evidence that anyone accessed it. But they still came clean. They said what happened. They fixed the problem really quickly. And I suspect in many banks they wouldn't be like

Carole

That. Why would you be singing the same tune if Apple had done this?

Graham

I don't know if Apple would have responded the same way. But I think if they respond quickly and transparently and share proper information about what occurred, then that's going to be quite comforting. You turn what's potentially a bit of a disaster into something which actually increases your confidence in the firm instead.

Carole

I think it's still worrying, though, that banks can make these mistakes. You want them to have all the fail-safes in place to try and protect information. And it's a lot of both your financials, your money, and all your personal information.

Graham

Absolutely. And they're obviously, apparently they checked the 500,000 accounts. They didn't see any evidence of any fraudulent activity based on the PIN number. They've informed people via email. And some people complained that they got this email rather than an in-app notification because they found the email itself just a little bit unusual. They thought, could this be a scam? But it basically said to them, go to an ATM to change your PIN, which is going to be a nuisance for people. And people don't want to do that. If they've already got the convenience of a banking app and just purely everything being conducted by an app, the fact that you have to go to an ATM to change your PIN is going to be a nuisance. And I wonder what PIN those customers will choose and whether they will be unique. Because, like I said, we're always talking about the need not to reuse passwords. But how many of us are reusing PIN numbers? And if I put my hand on my heart, I think I've got more than one card. I don't. Well, you're just better than that. No, no, no.

Carole

I'm just, you know, I'm not saying, you know, I'm cool, but I actually, I never have.

Graham

I think I do. I know I have some different pin numbers. Oh, I just said it.

Maria

You did. You should be doing shots. You

Carole

Should be doing shots every time you can't say it. Drunken, smashing security. I've smashed security. Smashed security. There you go. That's the after dark version. I'll have a swig of tea instead. How about that? Well, get that changed there. Chop, chop, dude. I am going to have to change it, aren't I? And the other thing is, isn't it weird that we have all these ATM numbers, these PINs we use at ATMs, which are only four digits and have no funny characters and no letters. It seems so quaint now. It does. Yeah, but it does have inherent two-factor in that you need to have the PIN and the card to make it work.

Graham

Yeah, well, these days they quite often don't ask you for a PIN to be entered at all, do they? I mean, here in the UK, I think it's under 30 quid you can pay. Yeah, in Canada, I think it's $50. I was like, oh. Oh, God, I don't know in the States. Well, at the current exchange rate, Maria, £30 is about equivalent to US$500. And we're going to be that way for a while. So that gives you an idea of how it compares.

Carole

The year Graham wishes he was born in.

Graham

Wouldn't it be interesting, by the way, if Monzo had released those 500,000 PINs? Oh, hilarious. I would have laughed so much. No, but they could have done it. If it's just numbers, right, they could have said this is the preponderance of PINs. And we could have compared it with Amitay's work back in 2011 to see if the world has actually moved on. I suspect many people are still using maybe unusually high preponderance of certain numbers, which are still being used as things.

Carole

Yeah, but there'll be different numbers, right? Because everyone's date of birth and all that has changed and probably moved up 10 years.

Maria

It's going to be a lot of 2000, 2005 or whatever. No, no, those are not millennials. Those are Gen Z.

Carole

After 2000, it's Gen Z?

Maria

Yes. Millennials came of age around the millennium, speaking as one. That means that Gen Zs are 19 now. That's right. That's right. I remember reading that.

Graham

Yeah, so young. To bring down our demographic. I've got arthritic knees and

Maria

A mortgage, but I'm super young. Don't put me in your old bucket.

Graham

Anyway, I think, you know, obviously it's not good that they've been hacked. It's good that they've apologized. It's good that they took action fairly quickly on this. So it's not necessarily the usual kind of disasters, which we talk about on the podcast. We're giving kudos for once! Kudos for once. I mean, obviously we don't want things like this to happen, but if they do happen, then clear up your mess quickly and say sorry for it and do what you can to fix it afterwards. Bravo.

Carole

Yeah, I agree. Yeah, fantastic. So there you are, a nice positive story because I worry that some of the other things we might be talking about today may be a little less uplifting. Maria, what are you bringing to the table today? God. All right, so I'm struggling with this story a lot because a number of people asked me slash us what we thought about this topic. And it's one that, frankly, I'm not really sure I want to talk about. What is it? We have to talk about 8chan. I don't know very much about this, so I am so glad you're talking about this. So educate me, Maria.

Maria

Okay. So I'll give a very, very high level. I really don't want to dive into it too much because it's really depressing.

Graham

It's a vile corner of the internet.

Maria

It's a vile corner of the Internet that is basically radicalizing a lot of white nationalists into mass killings. Some of the users of the site have gone on to do the mass shootings in New Zealand and the United States, and they posted manifestos there. So this is where they're being radicalized, basically. It was like, there were certain levels of the Internet where there were edgelords, like some dark parts of Reddit, and then they went to 4chan, and then 4chan wasn't edgy enough for them, and then they went to 8chan. It was like that kind of thing.

Carole

Actually, that was one of my questions. Were these guys not basically welcome on 4chan because 4chan said actually that breaks our rules now? And 8chan was created so that the more, you know, for lack of a better term, edgier, horrific stuff had a place to live.

Maria

Yeah. I mean, the granddaddy of them all is 2chan in Japan. And they became 4chan in the States. And then 4chan became 8chan. And there are like 16chan. And there's a 16chan now. Anyway, it's chans all the way down.

Graham

Hang on. I'm going to go and buy some domain names right now. So we need 32chan, 64, 128, 256, 512. And then you get a byte, Chan. So since this is a site where a lot of people are posting manifestos and being radicalized, there's been a push for a while from the greater public to get these sites offline. And Cloudflare has often found itself in a little bit of hot water around this, hasn't it? Because it has washed its hands over the years of all kinds of criminal websites.

Maria

Yeah, because they keep saying this is not our job to make that determination. Right. They're kind of approaching it from a utility. And actually, this is very much up for debate. Are they utility? Are they a critical infrastructure part of the Internet?

Carole

It sounds very similar to the same stuff that Facebook and Google say. Like, look, we don't really have to monitor our news or what's said because we're not the gatekeepers of that data. Our job is just to make sure that sites are available. What's on those sites is none of our business. So were people hounding them beforehand? Yes. You know? Yes. Ever since

Maria

New Zealand. There's an organization I'm familiar with called Sleeping Giants, which basically is a very left-leaning political action group that puts pressure on businesses that support websites like this and puts pressure on their advertisers to also remove advertising. So I know for a long time, Cloudflare had been on their radar as something that they needed to drop support. I have to say, for some years, I've had a rather uneasy feeling about Cloudflare. And I haven't liked some of the websites which they've been helping to keep online, including websites which, for instance, were running DDoS booting operations. business for them, I guess. And

Graham

it did leave a rather unpleasant taste in the mouth. So this story is still developing right now as we're recording this. I'm sure it's going to keep developing. this a statement from the CDN or? This is a domain registrar for these guys. The people who've replaced Tucows. Correct. So this is a statement from the CEO. And this is what he says. Freedom of speech and expression are fundamental rights in a free society. We enter into a slippery slope when we start to limit speech that makes us uncomfortable. The censorship we've seen across major social media platforms as of late has created a vacuum. Our services fill the ever-growing need for a neutral service provider that will not terminate accounts based on arbitrary reasoning or political pressure. Our philosophy is if the customer is not breaking the law, they are protected under our umbrella of services. It seems this is the same kind of thing that Cloudflare was saying, really. It's just different wording. Okay. Right. Yeah. We will evaluate this in the coming days. From what little we know so far, the chans are not lawless and do have moderation, especially in regards to DMCA, basically the content takedowns, and the content which is illegal in the United States. Ultimately, we believe that the best disinfectant for darkness, however, this must absolutely occur within the bounds of the law. That doesn't make sense how that was written. And I don't think you disinfect darkness. You turn the light bulb on. Is this lost something in the translation? No, but they're German. They're German. Well, we're not sure if they are. Not sure. That sounds very American to me. But what Cloudflare had been also saying is basically as long as they're following the letter of the law and they're not doing anything wrong, because posting a manifesto and saying you're going to kill a bunch of people is not illegal to say in the United States. 
Basically, as long as they're not hosting illegally ripped MP3s, we can't do anything about it. If you upload an MP3 of Britney Spears, then they'll deal with it. But if it's a manifesto for killing Hispanics, then it's

Maria

totally OK. Fair game, right? Fair game, right, because it's not breaking any laws. But also it's an international kind of operation, is it not? Like I'm guessing they're going to have servers everywhere. had said yesterday that only half of their customers are in the United States. So the rest of the world is their other half.

Carole

But I guess my point is on the legality of it, right? Do you follow the letter of law in the States or do you follow the letter of law of where information is posted on a server in whatever country that might be? Maybe weasley. I'm just saying in this because it doesn't apply just to the states.

Graham

See, I don't think the law should come into this. I think if you are running a company, you have the right to decide who you want to be your customers or not. You have the right to say, even though you haven't broken the law, we don't think we'd like you as a customer. We're quite happy with the customers that we do have. And that's what I would like to see companies like Cloudflare do rather than having to defend themselves legally or use these sort of arguments or get into the weeds of who they should have as customers or not, I think it should just be their decision to say, you know what? You're not really the right fit for us. So good

Maria

luck. Go and find someone else. Eventually, after four shootings.

Graham

And after years and years, Carole.

Maria

Yeah. And basically their angle was not, this is morally reprehensible. It was more like, they're more trouble than it's worth. Yeah. So what we're saying here is they had years of people saying, guys, you really shouldn't be doing this for these guys. And they just ignored it until now. It's just now this was the needle.

Graham

which are still supported by services like Cloudflare, which definitely are not for the general good of the internet. Right. No, they could just have a sort of, if you want to use us as a service, you have to agree to our terms of use. And there are certain types of sites they could say, which we don't want as customers. And if you turn out to be not operating inside those terms of use, then you will get kicked off. Collective services do that. I

Carole

100% agree. I like to have everything be transparent and you want to be honorable. That's how you gain my trust. Yeah, I think a lot of these companies that were created, especially in the early days of the internet, the idea was, again, thinking of yourself like a utility, that everything's fair game. And I think we're at a really important inflection point now where there has to be a decision that companies make. Do they really want to operate that way, knowing everything that comes with it? Every time she's on. Every time. Every time it's Facebook. Just got it in there. But yeah, we're I'm so curious to hear where that goes. I'm also a little afraid because I'm always trying to keep in the back of my mind that the worm can turn. Oh, I'm sure now that I've spoken out. As soon as he hears the show. He's like,

Maria

Maria said no. Maria said no.

Carole

I'm out of here. She's tremendous.

Maria

She's tremendous. Yeah. I appreciate that vote of confidence from the president.

Graham

Carole, what's your story for us this week?

Carole

Well, question first. Have either of you ever online dated?

Graham

Yes. Yes. Well, not me and Maria together. No, God, no. It's not how we get our guests, Carole.

Carole

Do any of you have a good story? That's how I met my husband.

Graham

Is that how you met your husband? That's how everyone's at least.

Carole

See, I didn't have a very good time. I did it for a very short time and it was really a disaster. Because I kept finding people I worked with tangentially. And some of them sported, in some instances, clothing and poses that if you found them quite enticing, maybe it would make your heart thump. But for me, seeing them, these people out of context in this way was incredibly shocking. I mean, I can never unsee it, right?

Graham

Okay, sidebar. I remember the photograph. It wasn't me. It was somebody else.

Carole

I think, yeah, it was leopard print curtains and someone crawling towards the camera. Oh, no. Like a tiger. Kind of tiger-like, kind of like going, you're delicious. And I had to go to work the next day and see this person and know.

Maria

And the great reveal is it was the CEO of the company.

Carole

And that wasn't even the worst.

Graham

Did the pay rise happen, Carole?

Carole

There was this other one where there was this guy, I think he was a pathologist or forensic pathologist or something. Ironically, after I talked to him, I realized he must be super suited to the job because his jokes were best served to those that are occupied by death.

Graham

He didn't have a photograph of himself on the site on the job, did he? Not on the job. That would obviously be.

Carole

Back certainly when I did online dating, it was brand spanking new, I think, back then. And today it's the norm. So stat time, what percentage of singles globally do you think have used online dating apps? Oh my goodness. In the last 30 days, in the last 30 day period?

Graham

70%.

Maria

Close to 100.

Carole

40, but still super high. That's global. That's global. That's low. And 75% of all online daters are apparently under the age of 30.

Maria

That doesn't surprise me.

Carole

No, it doesn't surprise me either. 65% apparently are men. 35% are women.

Graham

35% claim to be women.

Maria

That does mirror the experiences I've heard from my guy friends who are like, where are the women on these things?

Carole

I think there's been a lot of advancements in the pleasure aid technology sector, I think. So I don't think...

Graham

The pardon? What? Could you repeat that one? No.

Carole

Maybe, maybe less women are on these sites because they're worried about being duped by scammers and assholes alike, right? And they wouldn't be wrong because just Monday this week, the FBI issued a public service announcement warning of romance and confidence frauds once again. They say they've seen an increase of 70% in financial losses from 2017 to 2018. So up to $362 million last year. And they said they had 18,000 reports.

Maria

I am sure it's hugely underreported. It's way more than that.

Carole

Exactly. It's way more than that.

Maria

Can I tell you a little story related to this?

Carole

Absolutely.

Maria

Oh, yes, please.

Graham

Hang on, let me get my popcorn. Tell us your story, Maria. Well, I believe I can talk about this publicly. My brother works for the State Department. And he was actually stationed in Lagos, Nigeria for two years. Was your brother single at the time? Was he able to use this to his advantage, these heartbroken women? Because that's the kind of thing I'd do.

Carole

Was he fishing himself going...

Maria

For one thing, they're not all women. It's not all women. And two, that would be super uncomfortable. Yes, absolutely.

Graham

No, absolutely. I definitely wouldn't do that. My brother's a gentleman. So I'll take advantage of those.

Carole

Okay, so other than women, right, that we mentioned earlier.

Maria

What's so damn funny, Graham?

Graham

I'm just picturing myself in that situation. Anyway, let's go. No, I'm definitely... You in that situation. I definitely would have been honorable.

Maria

Graham is completely unethical. I think maybe the first time you'd laugh, but after like 20 times, you'd be like, this is really sad. And then after a hundred times, you'd be like, holy shit, this is really, really sad.

Carole

Horrendous, horrendous, yes. Horrendously sad, yes.

Maria

I'll put my serious face on you.

Carole

So I was going to ask you guys, I was going to ask you who are the most likely targeted victims other than women? Because that's a pretty broad statement. I would think other than women, men.

Graham

I know, right? Exactly. It's going to be more likely than pets, isn't it? So it's going to be men.

Carole

The FBI said elderly are very vulnerable here and widowers, right? Oh, bless them. Yes. And I think that makes sense because it's a good thing, Graham, actually, you're not on these sites anymore, you know, because you'd be ripe for the pickings with your, you know, advanced age, right? And we can't. Your seniority.

Maria

Your wife is still very much with us, is she not?

Graham

No, I'd be a dead man for sure. Yeah. Now, there's a lot of complexities on online dating because on one hand, you want to provide enough information that you stand out from the billion of other people. Yes. They're looking for love. Because there've got to be so many tricks that people use on these online dating sites and their profiles and their photographs, even if they aren't a scammer. There are many people who are actually scamming in a different kind of way because they're using that picture of when they were slim and hot and had all their own hair or stood in front of a Lamborghini or a jet ski.

Maria

They may look like a stud, but they're actually 30 to 50 feral hogs. Yes, you never know.

Carole

Well, you know, but I would be guilty of this. I bet if someone said, you know, if I was talking to a dude online and he said that he had a tash, I would right away picture Tom Selleck in his pants. You totally would. Right? And not Hitler or anyone else with a mustache.

Maria

Oh, Lord. Right? Yes. Like, you just would.

Graham

So I would pick... Three men and a little Fuhrer. You wouldn't want to mix up the cast, would you?

Maria

How do you know it's not Charlie Chaplin? I'm just saying. Like, he'd be turning down Charlie Chaplin.

Carole

Okay, so I've pulled together a bit of vetted advice here, okay, to help us watch out for the sharks.

Maria

To all three of us who are not dating anymore. This is great.

Carole

I don't know if you know this. There's some listeners also here. Oh, wait. For goodness sake, Maria.

Maria

People are listening to this? I just thought it was us just bullshitting on a microphone. Now, if you guys are new to online dating or you know someone who's new to online dating, you want someone that really understands how the internet works to help you create your profile and set your online settings and have them give you a little turn. You may even want them to review your connections to make sure there isn't a whiff of something yuck about them. And don't, we said earlier, if you're widowed or divorced, just say that you're single on these sites. That's oddly specific. I'm wondering if there's a story there. There isn't. And obviously the big one: don't lend people money. But this is the one that everyone falls for.

Graham

Okay, Maria, you've got your dinger, ding ding. Have you got that tuned right? Okay, should I have a different noise myself?

Carole

I think we'll be able to tell the difference of your voices. Okay.

Graham

I'll have an "awooga." Okay, okay.

Carole

I just pulled out a few little snippets from the article just to see if there's anything that made you think, "Oh, that would make me sit up and think there's something fishy going on." So a 29-year-old Norwegian master's student living in London said she was swept off her feet on their first date, which included a private jet ride to Bulgaria. Oh, that's a ding-ding. Come on, really? Bulgaria?

Graham

Well, hang on. So she actually got a PJ flight to Bulgaria? That doesn't sound like a scam to me. That sounds wonderful.

Carole

He said he was an Israeli millionaire who called himself the Prince of Diamonds.

Graham

Rather than the Prince of Bel-Air, right?

Maria

My red flag is why Bulgaria? You have a private jet, you can go anywhere from London.

Carole

Hey, what's wrong with Bulgaria?

Maria

There's absolutely nothing. It's just not everybody's, most people's first pick would be the Riviera or somewhere. Not Bulgaria.

Carole

Point. Yeah, maybe it was because of his title, the Prince of Diamonds, because he told her that his job was as a diamond dealer and he worked for a company called LLD Diamonds that kept him traveling constantly so they had to date long distance. Ding ding ding.

Graham

Yeah, yeah, there you go. She said they sent each other love notes over text, video declarations and voice recordings. She said he would always allude to an element of danger in his job that kept him away, always on his private jet. So it's not she could find him on a commercial. Yep. Oh my goodness. 100,000 pounds.

Carole

Double it. In dollars.

Graham

So yeah, probably.

Maria

Wait, she's a grad student and she has this kind of money?

Carole

She took out lines of credit.

Maria

That's also a ding, ding, ding, ding, ding, ding, ding.

Carole

Because his initial gestures were grand because he got her a flight to Bulgaria, which probably cost what, 30 quid on EasyJet? The cheapest flight he could get.

Graham

You said it was a private jet. You didn't say it was EasyJet.

Carole

He doesn't have a private plane. It does have no backs. He said, "Please take that off the internet." It was a paraglider, she was holding on. Okay, so what to do if you're a victim. What to do if you're a victim of a romance scam. And it's important to report these things. Okay, I know it's embarrassing, I get it, I get it, I get it. But think about it: some of these guys have done this to hundreds and hundreds of people. And if only one of those people reports it, the authorities don't have much leverage to work with if they actually get their hands on these people.

Graham

The other thing I've heard, Carole, is that some of them aren't just asking you for money but they're trying to trick you into moving funds for you. So they basically romance you to turn you into a money mule where they're transferring funds through your account to them.

Maria

And also sometimes they get information on your extended family and then they can socially engineer your extended family. Yeah, not that I have personal experience with this, but I do. Even if they look like Tom Selleck, stay away. Especially if they look like Tom Selleck, I would say. Yeah, so things you want to do, you want to report the activity to the online dating website, right? Because they may have received other complaints from other users because often they're not just working on you at that time, they're working on a few of you.

Graham

The key thing is if one of these guys does get caught, the authorities need evidence or plenty of victims to really chuck them in the slammer for a long time.

Maria

Yeah, local police in the States, it's similar. You need a reporter, they'll write up a report for you and sometimes they'll refer you to a service that can help you. But yeah, they can't personally usually do anything. There's no capacity for that, but you'll get a paper trail, which is what you need often for this. Yeah, and you definitely want to tell if you've lent money, you want to tell your bank or financial institution immediately upon discovering any fraudulent activity. Now, this gets difficult if you have been lured in to do suspicious or fraudulent activity. I get that. But at the same time, if you've been duped into doing it and you weren't aware at the time, I still think it's worth them knowing what's going on. The banks will usually often ask you, do you have a police report to back this up? So you usually need all of that together, unfortunately.

Carole

Exactly. So it's not fun out there dating.

Graham

I imagine it's not that much fun if you work for the Bulgarian tourist board and you've had this terrible slur upon your name.

Maria

Bulgaria is a beautiful, wonderful country, for the record. Have you been?

Graham

Technically, yeah. I've been in their airspace.

Maria

No, no, I've been to the nation of Bulgaria while doing a road trip along northern Greece. We crossed over briefly, so I've been briefly but not on vacation. But it's a wonderful country. I have Bulgarian friends. Please don't hate me, Bulgaria. Your cheese is the best and yogurt's great.

Graham

Okay, I think you've covered yourself there. Please don't send me a hate mail.

Carole

We went through that. Maria loves Bulgaria. Yeah, hashtag it. Your yogurt especially is amazing.

Graham

If you're baffled by threat intelligence and how it might be able to help secure your company, the Threat Intelligence Handbook from Recorded Future is the book for you. It'll tell you what threat intelligence is and what it isn't. And you'll learn how other firms are applying threat intelligence inside their organizations. Grab it now for free at smashingsecurity.com slash intelligence.

Carole

Quote, most business security breaches are the result of one thing, sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts. Unquote. That's my co-host, Graham Cluley. This is what he says on the LastPass Enterprise page. And most of you know how much I hate to admit when he's right, but he is. Sloppy passwords are a huge contributor to security breaches within an organization. The way to manage that is get a password manager. And the one we recommend is LastPass Enterprise. Check it out at lastpass.com slash smashing. On with the show.

Graham

And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.

Carole

Pick of the Week. Pick of the Week.

Graham

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. Better not be. And my Pick of the Week this week is not security-related. Huzzah! It is a TV show which I have been binging on. And it is available on Amazon Prime. It's just come out. It's called The Boys.

Carole

Yes! You've seen it too? Yes! It just came out?

Graham

Now, I think, Maria, you may know more about this than me, but I believe it was originally a comic book.

Maria

It was, yes.

Graham

And it has now obviously been televised, televisualized. It is a violent, foul-mouthed, subversive, laugh-out-loud, funny movie about superheroes who are bad superheroes.

Carole

Oh, it's a movie.

Graham

It's a TV show. Don't believe what I say. It's a TV show. Eight episodes. And I don't like superhero things normally. They just leave me sort of cold.

Carole

You don't like anything.

Graham

No, I like plenty of things, actually, Carole. But I don't like superhero stuff. I just find all that Spider-Man sort of nonsense. Other than Spider-Man, the animated one recently.

Carole

Do you like peanut butter?

Graham

Which was fantastic. No, I don't like peanut butter.

Carole

Oh, you don't?

Graham

No, are you just going to list things I don't like now? Just to prove a point.

Carole

Cheese is great.

Graham

So anyway, back to The Boys, because cheese is not my pick of the week. The Boys is great because these are superheroes who are bad people.

Carole

Sounds like you're talking about your testicles. Wow! It's just the way you said the Boys are great. Let me tell you about The Boys.

Graham

The Boys is a collection of people who are not superheroes, who've realized that the superheroes are bad people who are getting away with all kinds of bad stuff. The superheroes, known as Supes, are run by some international conglomerate who are icily run by Elizabeth Shue, if you remember Elizabeth Shue. Yes, I love Elizabeth Shue. She was a star of the 80s, 90s. Yes, she was. And she's very adorable. Yes, she's very good in it. She's also a bit sexy, I think.

Carole

She's on your list too. She likes number eight and Elizabeth Shue. Okay.

Graham

And Simon Pegg is in it in a supporting role. And Karl Urban, who you may remember, was Bones in some of the modern Star Trek movies. Now, his accent, I believe he's actually a New Zealander. Is that what it is?

Maria

Because he was messing me up the whole time.

Graham

He is messing me up. He's one of the weak links for me. Because although he has some of the funniest lines, he's pretending to be British. And he both doesn't sound British.

Maria

He phases in and out of different accents. And it was totally fucking with me. I couldn't. And he doesn't look British either.

Graham

There's been no British man ever born who looks like him.

Maria

He's too good looking. He's too good looking, too hunky. I'm obviously not thinking of the right person. I find him rather jarring. But other than that, it is a very, very funny show.

Carole

I missed the jump to the next person. That's why I was like, what? He's not from New Zealand?

Maria

Yeah, Simon Pegg as an American also messed me up, but he did a good job. But Karl Urban's accent, I was like, I kept trying to place it. It's a bit like two smoking barrels. Yes, yes. But it's just sometimes a bit weird.

Carole

Excellent, it's on my list.

Graham

Maria, what's your pick of the week?

Maria

My pick of the week is a quick one. It's called CamelCamelCamel.com and yeah, what's that reaction? Is this rude? No, it's an Amazon price tracker.

Graham

Good lord, just because something's got camel in the name doesn't mean it's going to be rude. Come on.

Maria

No, this is pure service for our listeners today. Wow, I don't even think I can recover from that. I'm just gonna

Graham

What is camelcamelcamel.com because I've never heard of it. Yeah, it does sound rude. No it's not. It's an Amazon price tracker.

Carole

It feels like only the fourth or fifth. You're always so fresh. Like a daisy, like a daisy. I feel like it's time for me to upgrade my audio rig from this very basic microphone that I've got now. So I'm looking at this right now. So what you can see is you can see what the top products are. So the ones which have reduced in price the most over the last week or the last day. Right. How handy. And it's not just the United States.

Graham

So this is good news for everyone, apart from Jeff Bezos, I guess, because this is a way to sort of use technology against him.

Carole

Also, not very good for the rest of the world of the people who are actually building the stuff that have to compete with the prices that Amazon insists upon selling the stuff to us.

Graham

They've chosen to sleep with Amazon, haven't they, Carole?

Carole

Well, that's what you're doing as well by buying the stuff, just saying. I do too. I'm not judging. I do too. We're not supposed to use Amazon anymore. I guess we all collectively decided that. But sometimes you still kind of got to.

Graham

I see. Right. Right. Camelcamelcamel.com. The camelizer. Not rude at all.

Maria

Not rude in the slightest for once.

Graham

Carole. What's your pick of the week?

Carole

Well, mine is a podcast and it's called The Conviction, released by Gimlet. Now, it came out earlier this year. I'm not on trend like you guys, right? But it came out, I think, in February and I only just got a chance to listen to it this week, which I did during a single five-hour cleaning frenzy. And it totally has my thumbs up for the whole thing.

Graham

You weren't cleaning up after a murderer or something like that?

Carole

I'm doing this decluttery stuff, you know, like get rid of the eight billion books that we have in our house.

Graham

Oh, Marie Kondo told you.

Carole

Yeah, see, someone else asked me that. And I remember it was your pick of the week once, wasn't it? I think I did watch some of an episode back then, but I thought they were way too – the people were just shockingly messy. I was like, wow. Okay, so let me, back to the spot. The main guy that they're kind of featuring is called Manuel Gomez or Manny. And he is a larger than life character. So the whole story is set in the Bronx. And it's about how a black teen and this private detective Manny fight for the kids bail. And what ends up happening is rather surprising.

Graham

This is a true story.

Carole

This is a true story. Yeah. This guy, Manny, is what makes the show, right? And you know what he reminds me of? He reminds me of that guy, the main guy in Staircase, that Netflix documentary.

Graham

Oh, yes. Whose wife fell down the stairs. Was she murdered or not?

Carole

Did he murder her or what happened? And so this guy, Manny, is so sure of himself. He loves the spotlight. He's always right. He's a little bit wide, you know. But he also seems to have quite a heart. And it's just weird and gripping.

Graham

So, Carole, you said that they're fighting for bail. But why do they need bail?

Carole

I don't really want to give it away. But basically, I will say a kid gets into trouble with the cops in the Bronx. Maybe what happens to him isn't 100% fair from everyone's point of view. And this journalist, Saki Knafo, who hosts the show, went and did some digging on it. And he has the most relaxed tone. I swear, God, it must be like 4 a.m. when he's recording. You can imagine him. He almost sounds bored. But in a way, it's a perfect foil for Manny Gomez, who's kind of larger than life. And if you had two of those characters, you just might get overrun with it. So it works really well. I think it's clever. And I think I had to tip the team to put it together because it's tight. So The Conviction, Gimlet Media, available wherever you get your podcasts. Check it out. Six episodes of joy.

Graham

Nice. Fantastic. Well, thank you very much, Carole. And that just about wraps it up for this week. Maria, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that since you're not on any data maps?

Maria

So if you're on infosec.exchange on Mastodon, I'm at Maria. And if you're on Twitter, I'm at M-V-A-R-M-A-Z-I-S. Sorry, it's a long one.

Graham

Super duper. And we're on Twitter as well at Smash Insecurity. No G. Twitter allows us to have a G. And we're also on Reddit where you can have discussion about the show up there. Go and find us on Reddit. And we're also on Patreon now. So if you want to support the show, just go to patreon.com slash smashing security and you get bonuses and extra content and all kinds of goodies like that.

Carole

Yeah, huge thank you to this week's Smashing Security sponsors, Recorded Future and LastPass. Their support helps us give you this show for free. So check out their offers. And thank you, listeners, the sunbeams of our lives, wouldn't you say? Thank you so much for tuning in. It makes our week. Check out smashingsecurity.com for past episodes, sponsorship details and info on how to get in touch with us.

Graham

Until next time, cheerio. Bye-bye.

Carole

Bye. Mwah! Aw, that was a Maria smooch for everyone.

Graham

Carole, when you said this guy Manuel Gomez in the podcast is larger than life, was that in relation to the size of his eyes? Or was, I just want to know, is this sort of, is it again proportional to the size of his face? You just seem very obsessed with this sort of size thing. You got a link here.

Maria

Yeah, he seems proportional. Yeah.

Graham

Okay, I'm clicking. Okay. Well, he looks like a normal sort of chap. Middle-aged sort of fella.

Carole

He's so wide. Oh, my God.

Graham

What, you mean physically?

Carole

No. He's just like, I'm wide. He's like, hey, hey, hey. He's from New York, girl. They're all like that. Hey, hey, what's it doing to me? I'm not a cop. Stop. Talk to me.

Maria

Talk to me. I'm an investigator.

Graham

You think I'm funny? You think I'm funny?

Maria

No, he's serious. Those references are all like 40 years old, you guys. Just letting you know. Oh my God. We're old, Maria.

Carole

Have you been to New York in the last few decades?

Maria

Yes. You know what? You haven't heard the sky. Just go listen. Just go listen.

Graham

Those voices I just heard are not what I think of when I think of Bronx. Just saying. Can you do us one? Can you do us one, Maria?

Maria

I cannot do impressions. Oh, just bitch about it. Probably very wise. I will complain really well, but I can't deliver. It's how I am. All right, my darling, I'm gonna go. I have to go work my butt.

Graham

Yes, you do. We're gonna work your butt. Go do the thing.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

2 comments on “500,000 Monzo banking customers told to change their PINs”

  1. Wageesha

    How can they provide password usage statistics? Are the passwords visible to them, or is it through a survey?

    1. Graham Cluley · in reply to Wageesha

      I think you're referring to Daniel Amitay's research from back in 2011, right?

      He wrote an iOS app that took a photo of people as they attempted to "unlock" an iPhone using his own bogus passcode lock screen. The passcodes were sent on to Amitay, who then examined them and sorted them by popularity. (This later caused Apple to chuck him out of the iOS App Store).

      It's explained in greater detail in Amitay's blog (linked to in the article above) or in "Smashing Security" podcast episode 140: https://www.smashingsecurity.com/140
