One of the world’s largest online travel agencies, Booking.com, is being used by fraudsters to trick hotel guests into handing over their payment card details.
How do I know? The fraudsters tried it with me.
I’m speaking at an event in London in November, and needed to book a hotel room for the night before. I don’t normally use Booking.com for my travel arrangements, but on this occasion I did – and as a result I nearly fell for a scam that could have stolen my credit card details.
The online booking went smoothly as you would expect. But on Friday, two weeks after I made the original booking, I received a notification from the Booking.com smartphone app that I had a new message from the hotel I was planning to stay at.
I looked in the app, and sure enough I had a message from the “hotel”, straight after a legitimate message from the hotel. It also appears on the website version of Booking.com.
Hello! Dear Graham Cluley, we regret to inform you that your booking may be canceled as your card has not been automatically verified.
● You will need to re-check the card.
● Funds are only temporarily reserved and will be fully refunded within 10 minutes.● Important: The card must have the amount of the reservation for verification, check that there are no restrictions on online transactions on the card.
● This must be done within 12 hours or the reservation will be automatically cancelled.
● We recommend that you use a Mastercard in order to confirm.« Please follow the link below to confirm your reservation »
https://booklng.com-id334112.com/p/965664712
Copy link if you can’t click on it
Regards © Booking 2023 Team
Note that this wasn’t email spam. This was a message sent via the Booking.com website/app.
Here’s how it looked in the Booking.com smartphone app.
The message told me that my booking may be cancelled due to some credit card issue, and tells me to visit a URL to reconfirm my credit card details.
Clicking on the link took me to a webpage that contained my booking details, but was at a domain (com-id334112.com) that had been created just hours earlier. Sure enough, it asked me to enter my payment card data again.
After over 30 years of working in cybersecurity I like to think that I wouldn’t fall for a scam like this. But I received the notification when I was half-way down a supermarket aisle trying to find some aubergines. I could very easily have clicked on the link in my haste to ensure that I didn’t lose my hotel booking.
I can easily imagine how many Booking.com customers would fall for something like this, regardless of whether they were hunting for the ingredients for ratatouille or not.
I did the right thing. I went home, made a ratatouille, and then investigated how to contact Booking.com’s security team.
Unfortunately, Booking.com doesn’t have a “security.txt” file set up on its website listing how to contact it responsibly when a security issue has been found, which would have made things more straightforward.
Fortunately, colleagues in the security community on Mastodon, Twitter and other sites were able to point me in the right direction.
And so I sent the security team at Booking.com an email with all the details of what I had seen, in the hope that they would look into it and get back to me.
They haven’t responded to my email.
But this evening I (and I suspect other Booking.com customers) received the following email. Let’s take a look at what they say.
Some of our guests have reported potentially fraudulent behavior in the form of people pretending to be a representative of Booking.com or a hotel owner. This may happen via email or messages with a malicious link, asking you to confirm the reservation and pay outside of our platform, or via a copycat phishing site. This may compromise access to your device and personal data.
Okay, that sounds like what I’ve experienced.
We actively monitor our systems for fraud attempts and possible security breaches. We promptly investigate alerts and reports, and take the necessary steps to protect you, other customers, and hotels on our website.
Well, that’s good – although you didn’t manage to protect me on this occasion. I protected myself.
To make sure your personal information remains safe and secure, we’d like to inform you about what you can do on your end.
Great, let’s hear your suggestions.
– Never share your log-in details (username, password, pin, two-factor authentication code), personal, or financial information over the phone, by email, or instant messaging. Booking.com will never ask you to share this information with us. If someone – claiming to be a Booking.com employee – asks for your log-in details, personal, or financial information, or requests remote access to your devices, hang up and contact our Customer Service team. We strongly advise you to immediately change your password for your Booking.com account on our website.
I didn’t share my username, password, or any other information with anyone… other than with Booking.com when I log into Booking.com.
– If you used your Booking.com password to access other online services or accounts, we recommend you reset the passwords for those accounts as well.
I haven’t used my Booking.com password anywhere else. I used a unique, strong password.
It’s important to use a unique password for each account you have.
I agree.
– Always check email addresses thoroughly. We’ll only email you from an official Booking.com email address ending with “@booking.com” or “@partner.booking.com”.
Well, the message I received was via the Booking.com website itself (it’s still there by the way) and via the Booking.com app.
But now you mention it, if I look in my email I do see that I received the fraudulent message via email too…
Oh, this is embarrassing – it comes from a @booking.com email address.
In fact, it even contained a Booking.com tracking pixel so the company could tell if I opened the message! (Fortunately my email client warns of such annoyances.)
Anyway, back to the warning email from Booking.com.
Any email addresses using other variations, such as “,” are not official Booking.com email addresses. To learn more about online security and awareness, check out the section ‘Safety resource center’ on our website, which you can find on the bottom of our homepage.
Good advice, but in my case the messages arrived via Booking.com’s app and website. And the email came from Booking.com.
– Only access your account via the official Booking.com website at www.booking.com
Yes, I did that.
or the mobile app.
And that.
When accessing your account, always check for a secure connection. Look for the security lock icon in the address bar or make sure the address starts with https://. This ensures the page is managed by Booking.com and is genuine.
Hmm.. Err. No, the presence of https and a padlock in your browser does NOT confirm “the page is managed by Booking.com and is genuine.”
If any email or message link directs you to a website that looks like Booking.com but doesn’t have a secure connection, leave the website, don’t enter any log-in details, and don’t click on other links. You can bookmark the official Booking.com page in your browser for quick and secure access.
If you have any other questions, please reply to this message.
I have some other questions.
How are fraudsters using Booking.com to send out fraudulent messages to guests? Your email doesn’t answer that. Is there a fraudster working at the hotel I’m going to be staying in in a few weeks’ time who has access to the hotel’s Booking.com account and can communicate with their customers? Has the hotel’s Booking.com account been hacked? Or is there some other hijinks at play here?
For more discussion of this topic, check out this episode of the “Smashing Security” podcast.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
God, your life, man. Our listeners are crying for you. Their tears are just spilling down their faces as their hearts break at how hard your life is.
Smashing Security, episode 344. What's cooking at booking.com?
And a podcast built by AI with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 344. My name's Graham Cluley.
And I'm Carole Theriault.
Hello, Carole.
That's very kind of you. Hi, Graham. How are you?
I didn't say anything kind. I just said hello. I'm all right. Thanks. Not too bad.
That's all it takes. That's all it takes, Graham.
I'm particularly pleased, by the way, to our listeners this week.
Yes.
Last week on the pick of the week, I spoke about my friend Ali, one of our old colleagues, and she is raising money for Mind on her JustGiving page.
And can you believe, when we recorded that, Carole, Ali had raised £500.
And in the space of a week, thanks in no small part to the generosity of Smashing Security listeners, she's now raised over £800.
And can you believe, when we recorded that, Carole, Ali had raised £500.
And in the space of a week, thanks in no small part to the generosity of Smashing Security listeners, she's now raised over £800.
Wow. See, you guys.
Isn't that incredible? Isn't that fantastic?
You know, that's so nice that we have a good community. Like, if you're one of those people, high five.
I know it means a lot to her and it means a lot to us as well. So thank you to everyone for being so generous, supporting Ali's JustGiving.
You're amazing. Shall we get on with the show?
Let's do it.
But before we kick off, let's thank this week's wonderful sponsors, Collide, DEVO, and Vanta. It's their support that help us give you this show for free.
Now, coming up in today's show, Graham, what do you got?
Now, coming up in today's show, Graham, what do you got?
I'm going to be looking at Booking.com.
What was that, a play on words?
Just a little rhyme.
Okay. All right. Okay. And I'm going to be asking them a very important question. Are we out of a job, Cluley? All this and much more coming up on this episode of Smashing Security.
Now, chum chum. Let me take you back in time. Take you back in time to last Friday night.
I was at home with my partner and we had to, you know, we were going to do a bit of cooking, right? And she said, what do you fancy eating? I said, I don't know. What do you reckon?
I was at home with my partner and we had to, you know, we were going to do a bit of cooking, right? And she said, what do you fancy eating? I said, I don't know. What do you reckon?
Did you say hamburger-filled Pizza crust pizza?
No, I've never seen that.
It's fucking unbelievable. Jesus.
Hang on, what, you stuff hamburgers into the crust?
Yes. It's so gross.
Or pizzas.
I think it's from Domino's or Papa John's or one of these. But yeah, you have these burgers, there's like 12 burgers around in your crust.
What?
Yes. Like tiny burgers. What are those things called? Americans who are listening are yelling at me, right? You're yelling right now.
The burglette.
Yeah, the burglette, the little— You get them on a plate, you get 5 of them. Yep. I'm waiting for the emails and the tweets.
Anyway, we came up with an idea, which was ratatouille. I love a bit of ratatouille. It's not only a fantastic animated movie, it's also a wonderful dish as well.
So, I was sent to go and hunt and gather the ingredients for ratatouille. And so, I went to my local supermarket.
With my little shopping bag, and I was going up and down the vegetable aisle. And of course, one of the key ingredients for a ratatouille is an aubergine, right?
So, I was sent to go and hunt and gather the ingredients for ratatouille. And so, I went to my local supermarket.
With my little shopping bag, and I was going up and down the vegetable aisle. And of course, one of the key ingredients for a ratatouille is an aubergine, right?
Eggplant, for our North American listeners.
Is it? Is an eggplant— I know the Americans call something an eggplant.
Eggplant and aubergine are the same. Yeah.
They're the same thing.
Courgette and zucchini are the same thing as well.
Okay, right. Stop right there. Stop right there.
Okay.
Because that is my mental block. You have identified it. It's the aubergine, it's the courgette, it's the zucchini, it's the eggplant. In my head, they are all one vegetable.
At least when I'm in a— I know they look different, but in my head, I can't picture them differently.
At least when I'm in a— I know they look different, but in my head, I can't picture them differently.
I can't picture how you're going to get this story onto technology. That's where I'm stumped by.
I'm trying to find an aubergine and I haven't, you know, oh my goodness, where am I going to find aubergines?
You don't know what you're looking for. You don't even know that they are actually aubergine colored.
Do I?
You know, it's kind of a big giveaway on that fruit, an orange, you know?
And well, it's not an orange at all, right? It is.
An orange is orange and an aubergine is aubergine.
Oh, I see. Okay. But not, it's not an orange in the other way.
Anyway, the point is that normally when I am stuck with this sort of challenge, I might reach for my phone, because heaven help me, I'm not going to go and ask an assistant, right?
That's far too embarrassing.
Anyway, the point is that normally when I am stuck with this sort of challenge, I might reach for my phone, because heaven help me, I'm not going to go and ask an assistant, right?
That's far too embarrassing.
Yeah, or God, it seems, because—
I can't. So normally I would reach for my phone. I think I'll just do a quick Google image search to remind myself of what I'm looking for here. Oh, that's what I know, right?
But I can't because I've got lousy cell phone coverage. In my supermarket, there's no cell phone coverage. So I can't use my phone.
There's only one little bit where there's the tiniest sliver of a bar on my mobile phone.
But I can't because I've got lousy cell phone coverage. In my supermarket, there's no cell phone coverage. So I can't use my phone.
There's only one little bit where there's the tiniest sliver of a bar on my mobile phone.
You don't want to use their Wi-Fi or something?
What kind of supermarket are you going to where they have Wi-Fi for shoppers? They want people buying things, not playing Candy Crush. What do you— No, they don't have Wi-Fi.
Where do you live? Anyway. So, if I'm by the tills, there's a slight sliver of cell phone coverage, just a tiny little bit, a bit you're in the middle of Alaska.
That's the kind, imagine that, imagine you're halfway up there.
Where do you live? Anyway. So, if I'm by the tills, there's a slight sliver of cell phone coverage, just a tiny little bit, a bit you're in the middle of Alaska.
That's the kind, imagine that, imagine you're halfway up there.
Yeah, it's not that hard, I'm with you, yep.
Anyway, right, okay. So, I head over there thinking, oh, maybe I'll be able to just see, you know, if I get there. And at that point, my watch, right, I've got a smartwatch.
Of course you do.
It gives me a little notification.
Do you have smart earrings as well?
I don't have, no, I don't have it. Just have a watch, which normally reminds me of my calendar, where I'm supposed to be. Am I recording a podcast at 3 o'clock or 4 o'clock today?
That kind of thing. And it pops up and I'll take a look at it. And it is a notification from the Booking.com app, right?
Which is the online travel agency where you can book your hotel.
That kind of thing. And it pops up and I'll take a look at it. And it is a notification from the Booking.com app, right?
Which is the online travel agency where you can book your hotel.
So you have the app installed on your phone and it pings you?
Well, it came up on my watch.
Oh, right.
Which I didn't even know. I'd never seen anything like that before, right? But I think it's because I had the app on my phone, it synced up with my watch.
And so, I got the notification on my watch that Booking.com says there's a message for you. And I'm thinking, oh, well, I do have an upcoming hotel trip, right?
Because I'm doing a talk in London in November, and I had to book a hotel, and it was a real pain.
And for one reason or another, I had to use Booking.com, which I don't normally use. And I installed the Booking.com app onto my phone, blah, blah, blah.
And I booked it as normal, and I got a notification at the time of booking from the hotel saying, "Thank you very much, Mr. Cluley.
You know, we have booked you in and all the rest of it." And there was this little messaging facility, so I could chit-chat back and forth with the hotel if I wanted to, saying, "Oh, can you make sure that you know, my pyjamas are creased or whatever it is that I want done."
And so, I got the notification on my watch that Booking.com says there's a message for you. And I'm thinking, oh, well, I do have an upcoming hotel trip, right?
Because I'm doing a talk in London in November, and I had to book a hotel, and it was a real pain.
And for one reason or another, I had to use Booking.com, which I don't normally use. And I installed the Booking.com app onto my phone, blah, blah, blah.
And I booked it as normal, and I got a notification at the time of booking from the hotel saying, "Thank you very much, Mr. Cluley.
You know, we have booked you in and all the rest of it." And there was this little messaging facility, so I could chit-chat back and forth with the hotel if I wanted to, saying, "Oh, can you make sure that you know, my pyjamas are creased or whatever it is that I want done."
I never use that thing, ever, ever.
Right.
It's like, how can I help you, sir? Not a bot.
That kind of thing. But it's actually communication from the hotel.
So this is a way for the hotel to talk to me without sending me an email, which is kind of good because that's all happening inside the Booking.com app.
So this is a way for the hotel to talk to me without sending me an email, which is kind of good because that's all happening inside the Booking.com app.
Right.
Rather than via email.
Right, right, right.
Because if it did come via email, you might think, aha, what is this? Is this some kind of phishing email? Right?
But if it's coming from inside the Booking.com app, you think, well, I have booked this via Booking.com, therefore I get a message from Booking.com.
Anyway, so I'm by the tills and it's gone bloop, and I think, oh, what's this about?
So I take a look and it says to me, hello, dear Graham Cluley, it says, we regret to inform you that your booking may be cancelled as your card has not been automatically verified.
And I think, oh my goodness.
They say, we're going to have to recheck the card and we're going to have to reserve some funds, but don't worry because they'll be automatically refunded if there's no problem.
'You have to do this within 12 hours,' it says, 'or the reservation will be automatically cancelled.' And you're like, 'Oh, ffs. I just want my hotel room.
I've already sorted it out, I thought.'
But if it's coming from inside the Booking.com app, you think, well, I have booked this via Booking.com, therefore I get a message from Booking.com.
Anyway, so I'm by the tills and it's gone bloop, and I think, oh, what's this about?
So I take a look and it says to me, hello, dear Graham Cluley, it says, we regret to inform you that your booking may be cancelled as your card has not been automatically verified.
And I think, oh my goodness.
They say, we're going to have to recheck the card and we're going to have to reserve some funds, but don't worry because they'll be automatically refunded if there's no problem.
'You have to do this within 12 hours,' it says, 'or the reservation will be automatically cancelled.' And you're like, 'Oh, ffs. I just want my hotel room.
I've already sorted it out, I thought.'
I just want an aubergine, right?
I just want an aubergine. And it includes a link. And the link goes to booking.com-id334112.com/p/965664712.
Right. Very useful.
Yeah, yeah. And this has arrived via the Booking.com app.
Feels very legit, except, you know, you've got a booking in your mind that you tried to do. It's come through the app and they're saying no.
And this is a message and it says it's from the hotel where I have indeed booked this.
And I can scroll back and see previous messages from the hotel that they have legitimately sent me. And the link looks kind of legit, at least on my mobile phone.
And so I think, oh crumbs, I've got to keep that hotel room because it's going to be a nightmare if I have to try and book another one again.
So I click on the link, but the link doesn't work because by now I've walked back into the vegetable department of the superstore.
And I can scroll back and see previous messages from the hotel that they have legitimately sent me. And the link looks kind of legit, at least on my mobile phone.
And so I think, oh crumbs, I've got to keep that hotel room because it's going to be a nightmare if I have to try and book another one again.
So I click on the link, but the link doesn't work because by now I've walked back into the vegetable department of the superstore.
And lost your half bar.
I've lost my— ah, it's just like, for goodness' sake. I still don't know what an aubergine looks like.
God, your life, man. Every week, our listeners are crying for you. Their tears are just spilling down their faces as their hearts break at how hard your life is.
So exactly.
I know.
So I wait until I get home. I'm a bit suspicious, but you know, because of my lack of connectivity, I haven't been able to act on it on impulse.
I've had a little bit more time to think about it. And I think, oh, I wonder what this is about.
So I managed to eventually find the aubergine, and I get back home, and we eat ratatouille, and it was delicious. Thank you very much for asking.
But having done that, I then thought, well, I better look into this thing, because they said I only had 12 hours. But now I'm suspicious, and I'm looking again at the link.
I've had a little bit more time to think about it. And I think, oh, I wonder what this is about.
So I managed to eventually find the aubergine, and I get back home, and we eat ratatouille, and it was delicious. Thank you very much for asking.
But having done that, I then thought, well, I better look into this thing, because they said I only had 12 hours. But now I'm suspicious, and I'm looking again at the link.
But why are you suspicious?
Well, because what I noticed was the URL said booking.com. This is how it looked anyway. Booking.com-id334112.com. So, the actual domain name was not booking.com.
Slash 1255. Yeah, yeah, yeah.
Yeah, yeah, yeah. It was com-id334112.com. But the way it appeared, on just casually looking at it.
And in the context of inside the Booking.com app, it looks like it was a legitimate link. And it turned out, of course, that it wasn't.
So me with my cybersecurity hat on thought, "Oh, what is this?
This seems all— actually, this seems kind of fishy." And when I went to the link, it looked like the real Booking.com site, which had prefilled in on it some of my details regarding the hotel I was staying at, regarding my name, yada, yada, yada.
Hmm. So I thought, I wonder how the bad guys have done this.
And in the context of inside the Booking.com app, it looks like it was a legitimate link. And it turned out, of course, that it wasn't.
So me with my cybersecurity hat on thought, "Oh, what is this?
This seems all— actually, this seems kind of fishy." And when I went to the link, it looked like the real Booking.com site, which had prefilled in on it some of my details regarding the hotel I was staying at, regarding my name, yada, yada, yada.
Hmm. So I thought, I wonder how the bad guys have done this.
So the thing, the only thing that gave it away to you was the crazy URL. So it was a, yeah, that's what it was.
I mean, it was a bit strange that they were asking me to re-verify my card, but because that hadn't arrived via email or an unsolicited text or something like that.
Because it was inside the app, inside the actual booking app I had used, I was— I have to say, I was tricked.
Not tricked so much that I actually entered my data, because thankfully my spider senses kicked in.
Because it was inside the app, inside the actual booking app I had used, I was— I have to say, I was tricked.
Not tricked so much that I actually entered my data, because thankfully my spider senses kicked in.
Yeah, but you looked into it. You thought, let me just see if this is— Yeah.
But I could well understand how anybody else would fall for something like this.
So is this a screw-up from Booking.com?
Well, this is what I wondered. I thought, what's going on here?
Right. Yeah.
How's this happened? Right. And so I think I need to contact Booking.com.
That must have been easy.
So, first thing I do.
I bet that was a cinch. No problemo, they pick up right away.
So there is this thing called a security.txt file, right? Which websites are encouraged to create, put on their website. I've got one on my website.
So there's a standard place you can go to on a website to get the contact details to tell people about a vulnerability or a bug or something like that, how to make contact.
So I look for one on Booking.com site. There is not one there. There's not one there. So I post up on Mastodon and Twitter and some other sites as well.
So there's a standard place you can go to on a website to get the contact details to tell people about a vulnerability or a bug or something like that, how to make contact.
So I look for one on Booking.com site. There is not one there. There's not one there. So I post up on Mastodon and Twitter and some other sites as well.
X.
People who follow me, I'm not calling it X, people who follow me saying, has anyone got a security contact at booking.com?
And then of course you got all these replies going, oh, I bet they've had a data breach. You know, people jumping to conclusions as to what's happened.
And then of course you got all these replies going, oh, I bet they've had a data breach. You know, people jumping to conclusions as to what's happened.
Oh, outrageous of them.
You know, the humans.
On a platform where there's 300 characters and you're supposed to have an opinion. How dare they?
Anyway, so people are making that assumption, which seems a reasonable assumption to me as to why would I be asking. And I tag Booking.com, by the way, in my tweet.
And I get a reply from Booking.com. Not the real Booking.com, of course. I get a reply from a fake Booking.com on Twitter.
And trust me, I found out since that there are numerous ones because they've been tweeting me ever since, trying to help with my Booking.com issues.
And I get a reply from Booking.com. Not the real Booking.com, of course. I get a reply from a fake Booking.com on Twitter.
And trust me, I found out since that there are numerous ones because they've been tweeting me ever since, trying to help with my Booking.com issues.
So it's a phony. Fucking hell.
I'm reaching out on LinkedIn as well, trying to find security contacts in my network, and I find a couple.
I do eventually get a reply from one of them who tells me basically to bog off.
I do eventually get a reply from one of them who tells me basically to bog off.
Do you know, why not just call a hotel directly from now on? There's wonderful people, concierges that are there to help you and just go, hello, I would like to book a room.
Eventually I get an email address, .
Okay, so I emailed them, I give them the details, I give them screenshots, say, hey, hey, hey, this seems pretty serious.
I imagine if this is happening to me, it's happening to other people as well. I still haven't heard anything back from Booking.com.
However, yesterday Booking.com sent an email to its customers saying that they have had reports of potentially fraudulent behavior in people pretending to be Booking.com or hotel owners, and they sent out this piece of advice.
Now, I'm not going to go into all the details.
You can read on my website exactly what they wrote because I've got some issues with what they wrote as well and how they perhaps haven't described this quite correctly.
Okay, so I emailed them, I give them the details, I give them screenshots, say, hey, hey, hey, this seems pretty serious.
I imagine if this is happening to me, it's happening to other people as well. I still haven't heard anything back from Booking.com.
However, yesterday Booking.com sent an email to its customers saying that they have had reports of potentially fraudulent behavior in people pretending to be Booking.com or hotel owners, and they sent out this piece of advice.
Now, I'm not going to go into all the details.
You can read on my website exactly what they wrote because I've got some issues with what they wrote as well and how they perhaps haven't described this quite correctly.
Or apologized.
My suspicion. Yeah. And you know, how come only the fraudulent Booking.coms are actually the people getting back to me?
But I have since been approached by other people who've had the same experience. It appears this has been going on since at least September.
So this has been going on for some weeks with other people seeing exactly the same thing. It's still going on.
It may be that the hotels themselves have been phished and someone is logging in with their Booking.com account to answer their future guests and to trick them into thinking—
But I have since been approached by other people who've had the same experience. It appears this has been going on since at least September.
So this has been going on for some weeks with other people seeing exactly the same thing. It's still going on.
It may be that the hotels themselves have been phished and someone is logging in with their Booking.com account to answer their future guests and to trick them into thinking—
That's interesting. Yeah.
Yeah. So I think that's how it's happening. But basically, my message, I suppose, is these scams don't always come via email. They don't always come via SMS.
And don't be tricked, as I almost was, into believing something just because it comes within what you believe is the safe harbour of an actual app.
Which you have used to make the booking in the first place, 'cause it could be that it's been compromised.
And don't be tricked, as I almost was, into believing something just because it comes within what you believe is the safe harbour of an actual app.
Which you have used to make the booking in the first place, 'cause it could be that it's been compromised.
Yeah, it's not fair. I mean, how can people do that?
I'm wondering whether we should say, hey, if you work in the hospitality industry and use Booking.com, I don't know, maybe it's a good time to change password, just see what happens.
I'm wondering whether we should say, hey, if you work in the hospitality industry and use Booking.com, I don't know, maybe it's a good time to change password, just see what happens.
Absolutely, and if, I don't know if two-factor authentication is available with those accounts, but if it is, turn it on.
Yeah, you know the problem I bet is though, is that there's gonna be multiple people having access to it to manage it.
Somehow the technology industry has not figured out a way to have access.
Somehow the technology industry has not figured out a way to have access.
So you are right. When you've got a team of people logging into the same account, then two-factor authentication can be a bit of a pain.
What I've experienced is if you use a good password manager, you can now get the password manager to generate the time-sensitive one-time password.
And if you're sharing those details, inside your password manager in a secure way, they can also access the two-factor token as well.
What I've experienced is if you use a good password manager, you can now get the password manager to generate the time-sensitive one-time password.
And if you're sharing those details, inside your password manager in a secure way, they can also access the two-factor token as well.
That's a super good point.
In order to enter it.
Yeah.
So, maybe another reason to get a good password manager.
Definitely.
Maybe inside your organization.
Yeah.
Oh, loads of good advice. Interesting. Anyway, Ratatouille, great. Love it.
Great. Now you know what an aubergine is. Don't ever use the emoji though, unless, you know, in an iMessage.
I think I'm more of a chipolata man.
Right.
If I'm lucky. With a good wind behind me. Carole, quickly, moving on. What have you got for us this week?
Graham, I don't even know how long it's been. 5 years, almost 350 episodes worth. We've been creating this award-winning podcast.
It's actually longer than that. Do you know our first episode was in December 2016? Wow. We are coming up to our 7th birthday.
Jesus God. Oh God.
I think. Is that not right?
I have no idea.
I think that's correct.
That's a long time, Graham.
It's called the 7-year itch, Carole. Yeah.
Is it fair in saying that we can boast about 10 million downloads or listens? Is that about right?
Oh, I haven't been keeping count, but yeah, it's something that, yeah.
It's pretty impressive. You know? More than a million a year. Anyway, I thought we could work out roughly how many hours we have spent so far on Smashing Security, just for fun.
Okay, so I've done a little breakdown. You just correct my numbers here and see what I think.
So I'd say each show on average is about 45 minutes long, because sometimes we have featured interviews and all that, no longer.
Okay, so I've done a little breakdown. You just correct my numbers here and see what I think.
So I'd say each show on average is about 45 minutes long, because sometimes we have featured interviews and all that, no longer.
Yeah, yeah.
And I would say it takes me on average about 2 hours to prep for the show, to get the story, write it up, et cetera.
Okay, so combined, yeah, combined, I guess we come up to about 2 hours 8 minutes, I suppose. Yeah.
Oh, you only do 8 minutes, right?
About, but I think it's obvious. Come, come.
And then in the editing side and all that stuff, reviewing, listening to your half, you listening to my half, all the stuff, I would say that's about 4 hours on average for me.
Yeah, I think it's probably a bit more for me.
Yeah, you probably have 5.
Yeah.
Okay, so we add all that up, what, we've got 9, 10, 11, basically 12 hours, right?
Yeah, we've wasted a large chunk of our lives doing this. Yeah.
12 hours times 2, because 12 hours for me, 12 hours for you each week. Yes. 24 times 345. You could do the calculator because I'm doing the story.
Oh, okay. It's actually episode 344 today, I think.
There we go. Yeah, don't exaggerate our numbers.
So I've got 24 times 344. Yeah, okay. So that is 8,256 hours.
Jesus, okay.
Doesn't Malcolm Gladwell say you get good at something after 10,000 hours?
If we were a two-headed beast, Graham, we're almost there. Divide that by 24 just to get a number of days, 24-hour days that we've been doing this stuff.
Oh, okay, 10,000 divided by 24, 385.
385 24-hour days. So for more than an entire year, no sleep.
No going to the loo.
No going to the loo. Well, unless you take your phone and do some editing.
No eating ratatouille.
It's a lot of time.
It is a lot of time.
That's a lot of time. I just, listeners, I'm not trying to say poor us, right?
We have amazing, wonderful sponsors that help make this all worthwhile and they're great and thank you and our Patreon supporters and everybody.
But imagine, Graham, imagine if we could just sit on our cute little tushes and get someone else to do all the work for us. Virtually for free, right?
There'd be a lot more profit at the end of that. We'd be quids in.
We have amazing, wonderful sponsors that help make this all worthwhile and they're great and thank you and our Patreon supporters and everybody.
But imagine, Graham, imagine if we could just sit on our cute little tushes and get someone else to do all the work for us. Virtually for free, right?
There'd be a lot more profit at the end of that. We'd be quids in.
That would be wonderful.
Eat our cake and— what's that expression? Get your cake and eat it too. I've never understood that. Why would you want a cake and not eat it? Anyway.
Worry not, Graham, because get ready, because we found a podcast that has been entirely AI-generated, or so Develop AI claim.
Worry not, Graham, because get ready, because we found a podcast that has been entirely AI-generated, or so Develop AI claim.
Right.
This is a company that reports on AI in Africa. Trains African journalists to code, to work with AI tools. And I'm guessing this was a bit of a PR stunt to get some eyeballs.
And it worked because look at me today, right? I'm talking about it. I looked into this, right? And I wanted to see what the plan was.
And they wanted to get a working script that would spit out a complete 10-minute podcast episode recounting the daily news, in this case from Johannesburg, where he's based, in a discussion format between 3 trained imaginary voices.
And it worked because look at me today, right? I'm talking about it. I looked into this, right? And I wanted to see what the plan was.
And they wanted to get a working script that would spit out a complete 10-minute podcast episode recounting the daily news, in this case from Johannesburg, where he's based, in a discussion format between 3 trained imaginary voices.
Oh, so it's not just coming out with a script, it's actually then got AI bots reading it.
Yeah. Basically, I'm giving you the highlights of his article. The link is in the show notes if you want to read more about it. Guy's name is Paul McNeely. Paul has a dream.
He has a dream, he writes. He says he has a dream of building an application that could produce a podcast episode from scratch without even needing to record a human voice.
That was the big plan.
He has a dream, he writes. He says he has a dream of building an application that could produce a podcast episode from scratch without even needing to record a human voice.
That was the big plan.
Right.
So he said he spoke with ChatGPT a lot and he used Google Colab to pull a script together.
And Paul says he got the idea that one of the presenters would be predicting what comes next in the news.
So in other words, you've got two main hosts that are recounting the details of a story of the day.
And Paul says he got the idea that one of the presenters would be predicting what comes next in the news.
So in other words, you've got two main hosts that are recounting the details of a story of the day.
Yeah.
And then at the end, they hand over to a third host for his, her, its predictions on where the story might go.
A bit like Mystic Meg, a bit like an astrologer would.
Well, look, we've all done that.
In the crystal ball.
In the crystal ball and tell us where it's going to be.
Yeah.
So Paul says this was because ChatGPT was actually stronger at creating imaginary narratives than pumping out facts.
Oh yeah, it's great at making up stuff. Yeah, exactly.
So I love that he's, instead of just creating a podcast full of shit. He's like, we're gonna do the news.
We're gonna do the news with something that is really good at creating imaginary narratives. This is awesome.
We're gonna do the news with something that is really good at creating imaginary narratives. This is awesome.
Right. Oh my goodness.
So the program that he wrote spoke to Google News, found the top stories of the day, and then scraped prominent websites for the material.
Ripping them off.
Yeah, my thoughts exactly. No wonder content creators are up in arms about AI.
Yeah.
And interestingly, Paul says that ChatGPT couldn't produce a script straight from website text.
So he first had to ask it to convert the news article into lists of facts and then build a script from these facts.
And the difficulty was apparently getting each host to then be paired with a different synthetic voice.
So Paul needed to break up the script into different lines of dialogue and then send each line to its appropriate synthetic voice emulator.
Then you'd have to put all the lines back in as dozens of small MP3s, stitch them back in, and then spit it out as a complete MP3.
So he first had to ask it to convert the news article into lists of facts and then build a script from these facts.
And the difficulty was apparently getting each host to then be paired with a different synthetic voice.
So Paul needed to break up the script into different lines of dialogue and then send each line to its appropriate synthetic voice emulator.
Then you'd have to put all the lines back in as dozens of small MP3s, stitch them back in, and then spit it out as a complete MP3.
Don't you feel that he slightly copied our idea? Because we have a synthetic robot voice.
You're welcome, Paul.
At the start of the Smashing Security podcast. There's no reason why we couldn't get the chap who goes, "Episode 300," you know what he does, all that stuff with Graham Cluley.
To tell a whole story.
To do the whole thing. I mean, we could take a holiday one week and just get him to do it. Would anyone even notice?
What's his name again? I always forget his name.
Let's call him Dave.
I don't know. Yeah, so maybe Dave will close the show today with something.
All right.
Let's see what he can do.
Okay.
And we've been doing that since when? 2017? So put that in your hat, Paul. Okay, so the snags in this project of his.
Okay.
The cost of synthetic voices, so charged per character, he says was too high.
Because he says in his mind, he envisioned this kind of dystopian factory of 100 podcast episodes a day being produced, right, with no one even listening to the content before it's published.
And he says the costs make that impossible. And I'm thinking, okay, they may be expensive now, but I imagine in a few years' time, it'll be a dime a dozen. Don't you think?
Because he says in his mind, he envisioned this kind of dystopian factory of 100 podcast episodes a day being produced, right, with no one even listening to the content before it's published.
And he says the costs make that impossible. And I'm thinking, okay, they may be expensive now, but I imagine in a few years' time, it'll be a dime a dozen. Don't you think?
And is it really?
I mean, maybe it's expensive if he's using some sort of cloud-based service to do this, but surely he's got some old Bitcoin mining rigs down there in Johannesburg, which he could adapt to get to work on this project instead.
I mean, maybe it's expensive if he's using some sort of cloud-based service to do this, but surely he's got some old Bitcoin mining rigs down there in Johannesburg, which he could adapt to get to work on this project instead.
The other thing was his issue was the speed of production for each episode wasn't as quick as he anticipated. Or hoped.
Oh, how long does it take?
So what he had budgeted for, what do you think was? So for a 10-minute, 3-character blah blah about the news.
Is he thinking he could do 20 minutes in an hour?
He's budgeted 2 minutes per episode. So—
What? 2 minutes to produce 10 minutes of audio?
10 minutes. Yeah, that was his plan.
That sounds optimistic.
It turned out it was closer to 10. So 1 to 1. So our shows are what, 45 minutes? That'd be 45 minutes work, bish bash boosh.
And compare that to us, we guesstimated 24 hours for the average episode.
And compare that to us, we guesstimated 24 hours for the average episode.
I'm actually impressed by that. I thought it would take longer than that.
Yeah.
To do it well. That's quite impressive.
Well, there's a third snag. And this is maybe the most important for us.
Is it libel lawyers?
Well, I think he put "AI produced, AI produced. Don't sue me. Don't sue me" everywhere.
Yeah, but he's publishing it, isn't he?
He is saying it's AI produced, though. He seems to be pretty clear on it.
Although, yes, he should probably review the content before he's published. Never mind.
Do you want another third snag?
Go on.
I'm going to quote him here. Quote, unforgivingly boring. Unforgivingly boring.
We all know about that.
And he says, because as someone who creates podcasts, for him it was a relief.
Oh.
Right? So I don't know. That makes me feel better too. Because anyway, I've actually played with a bunch of AI trying to get them to tell jokes that are actually even minutely funny.
And I've not succeeded at all. So anyone who has an AI joke that actually made them have a little ha moment, please send it. I'd love to see it.
But the chatter amongst the three hosts, maybe we should play a little bit of it. Let's just play a tiny bit of it because it is deadly boring.
I don't want anyone to fall asleep at the wheel if they're driving home. See what you make of it.
And I've not succeeded at all. So anyone who has an AI joke that actually made them have a little ha moment, please send it. I'd love to see it.
But the chatter amongst the three hosts, maybe we should play a little bit of it. Let's just play a tiny bit of it because it is deadly boring.
I don't want anyone to fall asleep at the wheel if they're driving home. See what you make of it.
I'm glad we get to navigate all these developments together. Speaking of developments, here's our first fact of the day.
Sweeping across from Zimbabwe, we learned that the Centre for Innovation and Technology, also known as CITE, has created an AI news reader named Alice. Isn't that captivating, Will?
Sweeping across from Zimbabwe, we learned that the Centre for Innovation and Technology, also known as CITE, has created an AI news reader named Alice. Isn't that captivating, Will?
Captivating indeed, but just to temper the excitement a bit, let's remember Alice operates on X. She uses a traditional newsreader's voice to deliver news bulletins.
Sounds like a glorified radio to me.
Sounds like a glorified radio to me.
You have a point, Will, but isn't the level of technical advancement astonishing? Alice was inspired by the world's first AI news anchor launched in 2018 by China's Xinhua News.
I think it's pretty impressive, and it's just going to get better and better, isn't it? Even if the jokes don't.
You have a point, Graham Cluley. Thank you to Smashing Security sponsors Vanta, where you can shortcut compliance without shortchanging security.
Expand the scope of your security program with Vanta's market-leading compliance automation.
Vanta's 5,000+ global customers report saving over 300 hours in manual work and up to 85% of cost for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more.
And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on.
From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time.
As a special bonus, Smashing Security listeners get a whopping 20% off Vanta. Just go to vanta.com/smashing. That's vanta.com/smashing. And we thank Devo for sponsoring the show.
SOC analysts are often overworked and underappreciated. In fact, many consider leaving their jobs or changing careers altogether.
Devo is hosting the 3rd annual SOC Analyst Appreciation Day.
This year's program includes presentations and discussions from some of the InfoSec community's most prolific thought leaders, including the likes of YouTube creator Jon Hammond, CISO Olivia Rose, and unpopular opinion guy Josh Copeland.
This event will cover everything from real-life use cases to SOC automation, managed phishing, your mental well-being, and more. You won't want to miss it.
Join Devo and other cybersecurity industry professionals on October 18th, 2023, for sessions and panels focused on de-stressing, SOC career development, and more.
Visit smashingsecurity.com/devo to register. That's smashingsecurity.com/devo. If you work in security or IT and your company has Okta, this message is for you.
For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees.
Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps.
Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard.
Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.
You can just start using Kolide.
Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps.
Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
Expand the scope of your security program with Vanta's market-leading compliance automation.
Vanta's 5,000+ global customers report saving over 300 hours in manual work and up to 85% of cost for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more.
And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on.
From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time.
As a special bonus, Smashing Security listeners get a whopping 20% off Vanta. Just go to vanta.com/smashing. That's vanta.com/smashing. And we thank Devo for sponsoring the show.
SOC analysts are often overworked and underappreciated. In fact, many consider leaving their jobs or changing careers altogether.
Devo is hosting the 3rd annual SOC Analyst Appreciation Day.
This year's program includes presentations and discussions from some of the InfoSec community's most prolific thought leaders, including the likes of YouTube creator Jon Hammond, CISO Olivia Rose, and unpopular opinion guy Josh Copeland.
This event will cover everything from real-life use cases to SOC automation, managed phishing, your mental well-being, and more. You won't want to miss it.
Join Devo and other cybersecurity industry professionals on October 18th, 2023, for sessions and panels focused on de-stressing, SOC career development, and more.
Visit smashingsecurity.com/devo to register. That's smashingsecurity.com/devo. If you work in security or IT and your company has Okta, this message is for you.
For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees.
Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps.
Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard.
Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.
You can just start using Kolide.
Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps.
Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.
It doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.
It doesn't have to be security related necessarily.
Better not be.
Well, the real rule, Carole, is it doesn't have to be security-related. Not that it better not be security-related.
Only if you think a man's rule is more important than a lady's rule.
I think whoever speaks first sets the rules in this particular case.
Oh, so you start the podcast.
Doesn't have to be. Look, my pick of the week this week is security-related. Is that all right with you?
Thank you very much for asking. It is fine with me. Thank you. Go ahead. Please proceed.
My pick of the week this week is something which has been made by Ryan Kovar.
He is the distinguished strategist at Splunk, and he has put together an online map where he's coloured different countries according to whether it is legal to pay ransomware gangs, or more specifically, cyber extortion gangs, or not.
He is the distinguished strategist at Splunk, and he has put together an online map where he's coloured different countries according to whether it is legal to pay ransomware gangs, or more specifically, cyber extortion gangs, or not.
Oh my God. So this is used by corporations everywhere. So they, instead of asking their legal team, they can go, I can find out. Don't worry. Don't worry. I'll just check this. Yeah.
We'll work out where to make the payment from, which country. Have we got a division in Mongolia? Right. They're the ones who are going to pay it.
Oh my God. The world.
So if you go to isitlegaltopay.com.
Oh my God.
Okay.
I'm going right now.
The first thing you will notice is it isn't protected with HTTPS. So it's HTTP, which means your browser—
Well, you're not putting any information in, are you?
Yes, but come on. This is Ryan Kovar, distinguished strategist at Splunk. Surely he can get Let's Encrypt to produce an SSL certificate free for his little website.
I felt embarrassed linking to it in the show notes.
I felt embarrassed linking to it in the show notes.
Well, then don't. I'm not sure he'll care. Well, you don't have to give him a lecture.
Well, I just, I found anyway, that's the first thing.
You were surprised to see that it's not HTTPS. Although actually I'm seeing right now it's HTTPS. My site's HTTPS.
Is it?
Yes.
Are you sure?
Well, I'm looking at it and it says HTTPS.
Oh bugger, so it is. All right, so.
Oh dear, and I get to edit this bit.
Apologies, please. Ryan, I take it back. It turns out that if you go to http://isitlegaltopay.com, it doesn't redirect you to HTTPS. But if you go to HTTPS, it does. So, okay.
So he's just got a tiny little niggle. No problem.
So I've made a big thing about this.
Yep. Like the aubergine.
Ryan now hates me. Just exactly the same thing. Now, what you see there on the map, Carole, is probably lots of countries which aren't filled in with a colour.
Yep.
Because he doesn't yet know what the situation is in Kazakhstan. He doesn't have information on that, for instance, or what the information is in the Sudan.
So he's building out the database. Yeah.
Exactly. And you can contribute to this via a GitHub page. It's linked to from the site.
Because some countries do say it's a bad idea to pay ransomware gangs because you could be funding terrorism. Others simply say, no, you cannot, full stop, do it.
The only place marked in red at the moment where you definitely cannot pay your ransomware is in North Carolina, where apparently state agencies and local government are prohibited by law for paying ransomware demands.
In some other places you have to report it. But I think this is kind of interesting and I think it will grow over time. Canada, do what you like. UK, do what you like.
Because some countries do say it's a bad idea to pay ransomware gangs because you could be funding terrorism. Others simply say, no, you cannot, full stop, do it.
The only place marked in red at the moment where you definitely cannot pay your ransomware is in North Carolina, where apparently state agencies and local government are prohibited by law for paying ransomware demands.
In some other places you have to report it. But I think this is kind of interesting and I think it will grow over time. Canada, do what you like. UK, do what you like.
Yeah. France, do what you like. Australia, do what you like. South Africa, do what you like.
Although if you click on some of these countries, you will find a little bit more granularity.
So they may say, although it's not illegal, it's strongly discouraged, or you have to, in some places, you know, there may be additional rules. There's certain criminal code.
What the website says is, look, I'm not a lawyer. I'm not Judge Judy. Do not take this website.
If you are thinking of paying a ransom demand, go and consult proper legal advice regarding whether what you're doing is right or not, because otherwise you could end up in a bit of a pickle.
So they may say, although it's not illegal, it's strongly discouraged, or you have to, in some places, you know, there may be additional rules. There's certain criminal code.
What the website says is, look, I'm not a lawyer. I'm not Judge Judy. Do not take this website.
If you are thinking of paying a ransom demand, go and consult proper legal advice regarding whether what you're doing is right or not, because otherwise you could end up in a bit of a pickle.
I'm just having fun while I have, you know, cereal. Yeah.
So one other thing, Carole, which ties in with your story just now is I went to the about page for isitlegaltopay.com and it says that the entire website was written with ChatGPT.
So the data's been collected, outsourced from the, you know, people are contributing the data, but the actual website is written by AI, which might explain if you do go to the about page, it sort of glows in this menacing green.
It pulsates a bit like a giant maggot, which has been infected by some sort of mutation. But anyway, but that might be ChatGPT, which has chosen that.
But anyway, isitlegaltopay.com is my pick of the week.
So the data's been collected, outsourced from the, you know, people are contributing the data, but the actual website is written by AI, which might explain if you do go to the about page, it sort of glows in this menacing green.
It pulsates a bit like a giant maggot, which has been infected by some sort of mutation. But anyway, but that might be ChatGPT, which has chosen that.
But anyway, isitlegaltopay.com is my pick of the week.
All right.
Nice work, Ryan. And remember to use HTTPS. Such a bobo. Carole, what is your pick of the week?
My pick of the week this week is a movie.
Oh yeah.
It is called Licorice Pizza. It was created by the creator of Boogie Nights and Magnolia, Paul Thomas Anderson.
Oh yes.
And it came out last year, November '21, but I really think it's destined to be a cult classic of its genre, the coming-of-age movie. I saw it last night.
So I got it on BBC iPlayer where it's available at the moment.
And it kind of underscores the sweet pleasures, but also the nasty heart-wrenching pains associated with infatuation at a tender age.
So we're in 1973 and you have this 15-year-old kid and he reminded me a bit of you, Graham.
So I got it on BBC iPlayer where it's available at the moment.
And it kind of underscores the sweet pleasures, but also the nasty heart-wrenching pains associated with infatuation at a tender age.
So we're in 1973 and you have this 15-year-old kid and he reminded me a bit of you, Graham.
Is this the character of Gary I'm looking up right now? Yeah. Yeah. I can— there is a physical resemblance.
I don't know. Not about looks.
No, not about looks. Not about looks.
Not about looks. Listen, just listen first, right? So he's been killing it as a child acting star, child acting star. But he's getting old. He's 15.
Oh, right.
You know? And he doesn't fit into that world anymore. And he can see the writing on the wall. But this is where he meets Alana.
Oh, yes.
And Alana is the— a photographer's assistant or something, but is 10 years his senior, Graham. So she's 25.
I'd have quite liked that when I was 15.
Uh-huh. I know. And he's kind of got all completely swoony over Alana. And he's also a very determined kind of person, a bit like you are.
Like, you know, when you say, "I'm going to do this," you just go for it.
So rather than wallow or fight back about his acting career, he changes tacks completely embarks on a little venture flogging waterbed mattresses. And it's crazy.
And he's got charisma and charm, which means his mates and siblings are all involved in his venture as he navigates the world of marketing and buying and selling for the first time with all these adults around.
And then there's more ventures that happen when there's a bill that's reversed. He seizes the opportunity to capitalize, right?
To be the first person in town to offer a specific type of service. And so we have this, zany, determined, savvy kid.
And she's kind of curious about him, but kind of can't believe he's 15, but just is also kind of intoxicated by him. Because he's kind of fascinating.
Like, you know, when you say, "I'm going to do this," you just go for it.
So rather than wallow or fight back about his acting career, he changes tacks completely embarks on a little venture flogging waterbed mattresses. And it's crazy.
And he's got charisma and charm, which means his mates and siblings are all involved in his venture as he navigates the world of marketing and buying and selling for the first time with all these adults around.
And then there's more ventures that happen when there's a bill that's reversed. He seizes the opportunity to capitalize, right?
To be the first person in town to offer a specific type of service. And so we have this, zany, determined, savvy kid.
And she's kind of curious about him, but kind of can't believe he's 15, but just is also kind of intoxicated by him. Because he's kind of fascinating.
That's a little bit awkward feeling though, if she's 25. If she's—
Well, you know, that's kind of my issue. They called it puppy love, but a mature one.
And I'm like, I don't know, if the roles were reversed, and this was a 25-year-old guy and a 15-year-old girl who was completely obsessed with him.
But they don't deal with that at all. And none of the reviews that I saw dealt with it.
So I found that interesting because it is, there's no sex scene or anything in it, but there is deep, tender love that happens. So make of it what you will.
It's quite beautifully written.
It's got a really nice cadence and it really gets that feeling of, you know, my age and thinking back to the days when you went through this, you can go, oh, I remember.
But if you're in it, you're sick, you're just sick. Your tummy's constantly going crazy.
You're wondering when they're going to call, why they've— are they ghosting you and all that stuff. So that's my movie. So it's Licorice Pizza.
I'm sure you can stream it wherever you stream stuff. But I know currently it's available on BBC iPlayer. And that is my pick of the week.
And I'm like, I don't know, if the roles were reversed, and this was a 25-year-old guy and a 15-year-old girl who was completely obsessed with him.
But they don't deal with that at all. And none of the reviews that I saw dealt with it.
So I found that interesting because it is, there's no sex scene or anything in it, but there is deep, tender love that happens. So make of it what you will.
It's quite beautifully written.
It's got a really nice cadence and it really gets that feeling of, you know, my age and thinking back to the days when you went through this, you can go, oh, I remember.
But if you're in it, you're sick, you're just sick. Your tummy's constantly going crazy.
You're wondering when they're going to call, why they've— are they ghosting you and all that stuff. So that's my movie. So it's Licorice Pizza.
I'm sure you can stream it wherever you stream stuff. But I know currently it's available on BBC iPlayer. And that is my pick of the week.
I've just been looking at it. According to what I'm reading here, you can't stream it anywhere at the moment. So maybe BBC iPlayer is the place for now.
I guess you can pay for it on somewhere like Amazon Prime Video. So, you know, but yeah, you can't stream it for free at the moment.
Anyway, he's made some other good movies, hasn't he? Paul Thomas Anderson.
I guess you can pay for it on somewhere like Amazon Prime Video. So, you know, but yeah, you can't stream it for free at the moment.
Anyway, he's made some other good movies, hasn't he? Paul Thomas Anderson.
Yeah. Boogie Nights, Magnolia.
Magnolia. Yeah, that was—
Magnolia was very long. God, that was long. Thom Cruise, wasn't it? It was 3 and a half hours or something.
That's right. Yeah.
Numb butt. That's how I ended that one.
That's what I call him too. Anyway, that just about wraps up the show for this week. You can follow us on Twitter @SmashInSecurity, no G, Twitter announced have G.
We also have a Mastodon account as well. Don't forget to ensure you never miss another episode.
Follow Smashing Security in your favorite podcast apps such as Apple Podcasts and Overcast.
We also have a Mastodon account as well. Don't forget to ensure you never miss another episode.
Follow Smashing Security in your favorite podcast apps such as Apple Podcasts and Overcast.
Massive thank yous to this episode's sponsors, Divo, Fanta and Collide, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.
And as always, for episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 343 episodes, check out smashingsecurity.com.
And as always, for episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 343 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye. All right.
Excellent. Very good. Very good. Fun story. Well done, Carole.
You should watch it with Miss Amanda as well.
Yeah, maybe we shall.
I think you're going to want to hide a bit.
A bit close to home.
It'll be a little close to home, but it's not embarrassing. He's very sweet. He's a really— he's actually kind of the star character. He is a really good character.
And you're going to be waiting for something awful, and there's nothing awful. He's just— but it's just— anyway, it's really great.
And you're going to be waiting for something awful, and there's nothing awful. He's just— but it's just— anyway, it's really great.
I really love it. Here's a cybersecurity joke that uses AI. Why did the AI cross the road? To get to the other side of the firewall. Hahaha, I hope that made you chuckle.
Fraudster will have phished the hotel pretending to be booking.com then once they have control of their account they can contact upcoming bookings.
Thanks for this article. Exactly the same thing has happened to me and if I hadn't read the above I may have been fooled as it's incredibly convincing. I've been around a while and am not often so close to being duped! I've replied to the hotel. Maybe they will press Booking.com to do something about this as it won't be good for the hotel's reputation.
Data from their site was being used by attackers targeting people who had booked accommodation for Eurovision. Having previously been in charge of security at another Online Travel Agency I have a very good understanding of what has happened.
A few months back my credit card information was stolen. The card was immediately cancelled and vendors contacted. Shortly thereafter, I received emails from Booking.com written in a language I could not read, in characters that were not from the English alphabet. I went to check my app and got a message saying my account had been disabled due to security concerns. I knew the stored credit card number wouldn’t work anymore but I was concerned about a reservation I had for an upcoming trip. I also wanted to get any other information about me out of there. Since I was unable to find any contact info for Booking.com I started Googling. No one could help me without me giving them information that I was sure they did not need – they couldn’t look something up under my name? Then I saw something else on Google saying many of these help numbers for Booking.com were run by scammers!! So I hung up and just prayed my 1 and only reservation would stay intact. (I tried calling the hotel but got multitudes of automated menus and messages – never a person.) Fortunately, my reservation was there but I have now deleted the app and do not plan to use it again. I have also blocked all emails from booking.com. It’s a shame. I liked that app a lot! (The scammers writing in that other language still send me messages – I get a weekly rundown on blocked messages .) But it’s not worth the hassle.
I recently (on October 17, 2023) received the similar fraudulent message via booking application. Will contact hotel to inform that their account has been hacked most probably.
I got the exact same message and unfortunately paid the scammers :(
For me a difference is that I have not yet paid for the hotel and I was told the hotel would arrange the payment before arrival. The fake website also had the correct amount I owed to the hotel and I only got suspicious once I approved the first transaction with the correct amount (later I noticed it was in GBP instead of EUR). After the first transaction new requests started coming to my bank account to approve with larger and larger amounts that I kept rejecting and this is when I realized I'm being screwed over and froze my card immediately. Unfortunately the first transaction was authorized and my bank gave no guarantee that they can recover that money for me.
I immediately reported the whole thing to booking as well and they are not responsive via chat. I could get hold of someone in customer service and it seems like the hotel got fooled by phishing email indeed and the scammers got access to their login details and hence to my reservation. The customer service representative said if the bank cannot recover my money then they will pay the lost amount back to me, but there is nothing written down, so I have no hard evidence of this promise (I should have recorded the call)
I hope there are not a lot of stories like mine and people did not get as far as actually sending money to the fraudsters
It happened to me as well. I paid the scammers. Bookings is saying they are investigating, but it’s been 3 weeks and I don’t see any reply from them.
Happened to me in August, recieved message from booking.com but just to be safe I checked my booking.com app where there was also the same message. Still not refunded after phoning, emailing and sending messages multiple times, never any communication from them, all on me to chase. Now they are telling me they are giving hotel five days to pay and if this doesn’t happen they will refund me. I am sceptical.
I had very similar message earlier this week from booking.com receiving it from booking.com via email first but I thought I was being careful by logging into the app to check if it was a legitimate message and same as you, the ‘fraudulent’ message is in the app. So I followed the steps to put in another card details to make sure my booking wasn’t cancelled. I had I initially thought it might have been the hotel
System that got hacked but sounds like this is happening across a lot of different hotels using booking.com (mine was for a Tokyo hotel) so it must be a fault on their own system. I use booking.com a lot but this has put me right off as I do not normally fall for these scams!
I've just had the same thing happen to me.
I didn't trust the email so checked on the booking.com app. The same message was there so now looking very genuine.
I was still suspicious however so decided to call the hotel and check. The hotel confirmed that lots of their customers are receiving these and it is a scam. They didn't know how it was happening though.
Surely booking.com have a duty here as it is technically through their platform?
Thank you, Graham!
I booked an accommodation using Booking. I hope when I arrive at the destination I will have where to stay and my card details will not be shared with third parties.
It looked like the original link (first screenshot, from 13 October) said "booklng", like "book LNG". (Compared to the "i" in "id" in the same link.) Is that just an artifact of the screenshot itself?
Yes – the URL is pretty obviously dodgy. But how many people are going to look closely at that when they are reading a message in the Booking.com app or on the legitimate website? (Graham, obviously. But not everyone.)
It is great that people have been informed of this hack but now Booking.com need to do something about it. For example MFA everytime the hotel logs into the Booking.com app to access customer bookings would solve the problem. Its not rocket science.
Hi Graham,
I can report that this has also happened twice to me when using Expedia to book hotels in Spain and France this summer. Rang Expedia and reported it and they confirmed that had not sent any such notification. Also rang the hotel and they said that the booking was fine.
Did not lose any money, as my golden rule of never clicking on anything that is suspicious seems to work well for me.
Booked two more hotels later this year and did not receive any other notifications, so the spammers have moved on, methinks.
Great Newsletter by the way.
I got this same message today from Agoda(both via email and Agoda app). I tried to contact the hotel but it was 8pm, they told me to contact them again in the morning. I hope my reservation is still fine.????
The exact same thing happened to me today. Luckily I noticed they had spelt cancelled wrongly so I was suspicious and rang the Hotel who confirmed my card had been verified. They also told me they had 6 other same phone calls today from guests. So it looks like Booking.com have not done anything to resolve this serious issue
Yeah. My mother got scammed through her booking for a hotel in Portugal. After she has paid the scam link- I called the hotel as it all looked suspicious.
The hotel confirmed the exact thing as the article. We contacted our bank with screenshots and Booking.com.
The hotel said many client with many hotel across the platform were getting this message. And booking is doing nothing to stop it. Some clients are being reimbursed by booking.com.
I was victim of fraud on Booking.com in July this year and am fighting with them for a reimbursement since then and there is complete silence on their part. The thing is i have absolutely no Idea what i could have done differently. I have lost nearly $ 1700 including bank charges due to this fraud.
I made a booking for my family trip to London for a property listed on Booking.com. Got the booking confirmed through email with the reservation number for advance payment to be done at a later date. Then i receive another mail from Booking.com mentioning that i should contact the representative( some sophia wayne) of the accommodation to verify details and i may need to pay an advance . Both emails came from Booking.com. I send a message to the lady. She asked me to provide credit card details for the advance .As the number was advised by Booking.com , i paid the advance amount .
Next morning, i kept contacting the lady ( or whoever it was) waiting for a confirmation. Did not get any response. I called Booking.com. They confirmed AGAIN that the reservation is fine and i will receive confirmation shortly. I then suddenly noticed that the property listed earlier on booking.com had now disappeared. I called my bank. They confirmed that the transaction seemed fraudulent as the recipient was from Nigeria.
I called Booking.com. They still had no clue. In another half an hour , they call back , fibbing that the property owner can no longer honor his commitment and i should stop the payment and if the payment is already made, they will help me get it back but first ask my bank to stop the payment . I called the bank . The bank said it is too late to reverse the payment.
The bank refuses any responsibility for this fraud and rightfully so as it was not an unauthorized payment. booking.com officers on the helpline keep asking me to ask the bank for reimbursement as they are covered by insurance and now they dont even bother replying to my many mails. I have original mail from Booking.com confirming this reservation as well as asking me to contact the person who defrauded me. It is shameful that they now take no responsibility for this fraud committed by one of their fraud vendors through their platform.
More or less same thing.
Missus got the spam message, asking for card verification, after the 5th (I know) push notification, I turned to her and asked the simple question "Why did I get 5 push notifications?". Panic ensues.
She showed me the app, it had ALL of our details, name of hotel, check ins etc. Sent from WITHIN their app. Immediate emailed my bank, it was late, hence the lack of brainpower form both of us.
Anyway, she called Booking.com and got the usual "Do not worry we will refund the money, we were hacked etc. etc. etc. We will deal with this and get back to you." Two witnesses to the phone call, I took notes but did not record.
She call again the next day after & same reassurance.
Called the third day and the tome changed, asked if we had blocked the charges with our bank, of course we had and had told them this previously. Then said they are investigating and will get back to us. We asked for transcripts of the calls and also did so in writing.
Three days later no communication AND they have now blocked herself from calling booking.com. As in her number is blocked!!! She calls the phone line, enterers her details and it hangs up. We are talking €4,200 here, and they are in radio silence.
100% scumbag company I will never touch again.
This is really discouraging to read. I have fallen for the same scam. I paid 600 euros. My bank refused chargeback as they say it wasn't fraud because I authorised the push notification. Booking.com upon first call were full of reassurance, but nothing happened. I called again they said that the process was ongoing. Nothing. I called again today and was diverted the app chat, which is ironic as this is where the fraud took place! The chat asked me for a bank statement showing the charge and a letter showing the bank had refused the chargeback. Hilariously the chat only allowed me to submit one file and then closed so I couldn't do anything else. So I turned to twitter and eventually got through via DM to customer service there. They gave me a booking.com email address prefixed by my booking number and told me to send bank letter and statement to that address. So now I'm waiting again. What can you do in a situation like this? Booking.com's system is obviously not very robust. How will I have faith in it again. I don't trust any messages I get. I wonder if anyone ever gets a satisfactory outcome with Booking.com? They say they will refund, but do they?
The booking.com app is essentially malware. I used to use it on my rooted and heavily secured Android. Like all apps on my phone, booking.com was not allowed to run unless I was using it based on the philosophy that the Android app that is not running is the Android app that is not spying.
After an update, this app refused to stop when told to; when I or my task killer stopped it, it restarted itself. Given that it requires internet access to perform its basic function this was absolutely unacceptable. I uninstalled it.
At a much later point (May 2022) I used their website (I started on Trivago and wound up on Booking.com because Trivago pointed me there) to book a room in Medellin Colombia. A few days later, I received a notification in my email that was very much like the one you describe here, but I completely overlooked it, arrived in Medellin, and checked into my hotel without incident.
It was only after that that I noticed the particular email saying my reservation was canceled due to a credit card problem. So it could be that this problem has existed for quite awhile.
I was recently scammed by fraudsters who claimed that my hotel stay could be cancelled. Be very careful when booking anything online – always check the details carefully and don't let yourself be pressured into making a decision.
Booking.com still haven't resolved it as I was being scammed. Can't believe I will fall into scam as I was always very careful. The email got all my bookings details so it must be something wrong from them
I've just been had. Kicking myself! This scam must be making the hackers a fortune.
Has anyone had any success with Booking.com refunding their money out of interest?
I'm three days behind you and asking the same question. Perhaps everyone who has been scammed needs to get together to work on this in numbers rather than as individuals? Is that an idea? There must be hundreds, if not thousands of us (which doesn't bode well for getting a refund). Surely these criminals can't so sophisticated that specialists can't find out who they are?