
Flight simulators packed with password-grabbing malware, Facebook fighting Russian trolls, and how vulnerability researchers fear being sued.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, who are joined this week by special guest Dave Bittner from The CyberWire podcast.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Welcome to Smashing Security. This is the Queen. That's what we think of being the Queen's English.
Hey, hey, buddy, you're not in the Commonwealth anymore, so you don't have the right to slag her off.
All right, I see.
All right, yeah, slag off Brenda. Smashing Security, Episode 66: Passwords, Pirates, and Postcards with Carole Theriault. Carole Theriault and Graham Cluley. Hello, hello, and welcome to another episode of Smashing Security, episode 66. My name is Graham Cluley.
Route 66, I'm Carole Theriault.
Clickety-click. And we are joined today by The CyberWire's Dave Bittner. Hello, Dave.
Hello all, happy to be here.
Oh, great. Now, for those people who don't know what The CyberWire is, first of all, shame on them. But we're actually committing a little bit of podcest today, aren't we?
Yes. That's right. And I've been fortunate enough to have you on our show.
Oh, loving.
Yeah, I know, right?
Yeah, thanks for the invite. I love—
Well, Carole.
Yes, Dave?
It's an open invitation. Anytime you'd like to be on, you're welcome.
That's very kind. Thank you very much.
Because your show is basically daily, isn't it? The CyberWire is,
The Daily is about 20 minutes of everything you need to know in cybersecurity for that day, plus special guests and so on and so forth.
I don't know how you do it, honestly.
amongst other things,
There are days that I wonder how we do it as well.
I bet you do.
We have a small team here. There's about half a dozen of us.
Forget about the editing. The question I have is, do you have a life? an infosecurity podcast, right? I mean, seriously. No, no, I don't mean that in an insulting way, but I mean, it's difficult, isn't it, producing? I mean, we find it a bit of a struggle getting the podcast out once a week. Well, if you'll do only what you really said, Graham, that's the problem.
You're welcome, everyone.
But it's difficult, isn't it? Don't you ever go on holiday?
Well, funny you should bring that up. No. Being a small team, and we are still very much in startup mode, so we have a shallow bench. And so vacations are, you grab them when you can. For example, yesterday was President's Day.
Yes.
Where we celebrated almost all of our presidents here in the United States, present president excluded. So.
I saw that on Reddit. A lot of people said that, celebrating, yeah.
Couple of minutes in and we got political.
I know, I know, I know. See, I can do that on your show. I can't do it on mine.
Go nuts, go nuts.
Right, exactly.
But so when you have the opportunity for a day off, you do that. And so I actually was reintroduced to my family. We went and saw a movie and it was nice. We all hugged each other and had a meal together. It was lovely.
Ah, fantastic. Yeah. Well, with all those shows you're having to produce each week, I'm not surprised that you are even prepared to have Carole on a future episode. So Carole, I would grab that opportunity while you can. I think maybe we should, we should go for a break. This would be a good time, wouldn't it? Yeah, you better.
Quick, quick, quick.
We'll be right back after this. Thanks to MetaCompliance for supporting this episode of Smashing Security. People are the key to minimizing your cybersecurity risk posture, and MetaCompliance makes this easier by providing a single platform for phishing, cybersecurity training, policy, privacy, and incident management. Listeners can get a 10% discount off the high-quality cybersecurity e-learning catalog by quoting the code Smashing. Just visit www.metacompliance.com. That's www.metacompliance.com.
Rapid7 is sponsoring Smashing Security. Rapid7's InsightIDR has been named a Visionary in Gartner's latest SIEM Magic Quadrant. It is an intruder analytics solution that gives you the confidence to detect and investigate security incidents faster. You can download a 30-day trial by visiting rapid7.com/smashingsecurity.com/insightidr.
And welcome back. And as always on Smashing Security, we look back over the last 7 days of computer security news and see what tickles our fancy, and the funny stories of how computers have gone wrong or how cybercrime has gone crazy, which we will bring to your attention. And I saw a little story which is kind of interesting on Reddit. There is a user called Cranky Recursion, which in itself is rather marvelous. Yeah, it's a beautiful name. Last Sunday, Cranky Recursion. So he's obviously one of these fans of flight simulators, and he was installing a piece of software, which was an A320 flight simulator software program, onto his computer. And he spotted an unexpected program in the package which he was installing. Its name was test.exe. Could be anything, couldn't it? Test.exe.
It could be anything.
What could go wrong?
What could possibly go wrong? Well—
Did he just click it?
Well, I would, wouldn't you? It says test.
Throw caution to the wind.
Let's go. Well, this particular test.exe was a tool for dumping out passwords that users had stored in their Chrome browser. Ooh. Ah. Sounds a bit of a worry, doesn't it? Especially when you note that FlightSim Labs, who are the developers of this particular program, specifically ask you, they say, "We'd be very grateful if you turned off your antivirus." Shut the front door! Before you install this.
They do not.
They do. And this is something, of course, we used to see years and years ago. And some games still do say this, but yes, they tell you to turn off your antivirus.
I don't know about you, yeah, but anytime a stranger asks me to turn off my antivirus, I just go ahead and do it.
Yeah, why not?
Yeah. It's a bit of a Columbo moment, isn't it?
It makes perfectly good sense to me.
So this program, which isn't detected by your antivirus because you've uninstalled it or you've turned it off, leads us to some interesting questions. Had FlightSim Labs been hacked? Had the bad guys tampered with the download in order to steal flyers' passwords? In fact, let's do this in the style of Hong Kong Phooey, if you remember that '70s cartoon.
Number one super guy.
Who is the supervillain? Sarge? No. Rosemary, the web server operator? No. Flight Sim Labs, the mild-mannered purveyors of the software?
Could be!
So yeah, this is the case. It was actually the software developers themselves who had shipped their flight simulator.
Holy moly! I'm sure there's a perfectly reasonable explanation for why they did this.
Well, they explained it. The idea was to unmask people who were pirating their flight simulator software. Now you know why they asked you to turn off your antivirus, don't you? You see, this software is selling for around about $140.
Okay. So they had more users than they had money.
Absolutely. And people were pirating and copying the serial numbers because people don't like to pay $140 to fly an A320. What FlightSim Labs do is when they think they've identified a pirate, they try to gather as much information about the pirate as possible, including all of their passwords.
And seems perfectly reasonable to me. Seems like a proportional response.
Well, the chief of the company, a guy called Lefteris, it's a wonderful name, isn't it? I wonder if he's a Siamese twin or something. Lefteris Kalamaras admitted that some people might consider his behavior a little bit heavy-handed.
Yeah, I'm in that group. I'm in that group. Yep.
Do you think, Carole? Because everyone on the internet was absolutely fine with it. Reddit were perfectly happy with his explanation.
I stand alone.
No one complained about this whatsoever. Well, of course people did complain. Software developer Luke Gorman called it a violation of software ethics and more than likely illegal. And there were a series of posts put up on the Flight Sim Labs website where they tried to explain what they were doing. And they said, well, we're in ongoing legal battles against these criminals who are pirating our software. We only use it against people who we've identified haven't paid for the software. And what they noticed was lots of scumbags online were ripping them off because—
And of course, regular paying users were like, you've planted— even if you're not planning to run it on our computer, you've planted it on our computer.
Yeah, so everyone who downloads it has a copy of the potential— yeah, whatever— yeah, ticking time bomb.
Exactly. Good. You know, they could activate it at any point. Maybe they could click on it, or indeed their antivirus may trigger on it, and you may go, lawks a mercy, I've got malware on my computer, and thus panic as a result. So—
So it's kind of like they want to handle a real problem and they may have done it in not the best way. Is that what we're kind of saying?
Yeah.
Yeah. Well, they're kind of being upfront about it. You know, it kind of shows that maybe they didn't really consider it.
When you say upfront, it's more down back, isn't it?
Yeah, it's more down back.
In retrospect. Was that wrong? Should we not have done that?
It's not so much after the horse has bolted, but after the horse has been turned into glue.
So what are they doing to fix this? What are they doing to fix this?
Well, they've now replaced the installer and they say they humbly apologize. And I'm sure that is going to make everyone feel happy dealing with them.
All's well that ends well, right?
A good story to begin with. But hey, other software vendors out there, of course you don't like people pirating your stuff, but don't install malicious code. Don't breach, frankly, computer crime laws by running code, if they are criminal, because it's not something that's going to end well.
I say thank you for the sorry. There are so few corporations out there who do, you know, mistakes that we have to pay the price for that do not say sorry. So, no, I'll give a hat tip for the apology.
All right. Okay. Well, you're so kind, aren't you, Carole? What's got over you this week?
I'm a comedian. Of course I'm kind. I'm always kind.
What's happened? Something strange.
You are outrageous.
Dave, what's your story this week?
Well, before I dig into that, I have a question for you. So I was listening to a recent episode where Carole and Maria were razzing you about your ability to do accents from around the world.
His inability.
So I was wondering, can you do an American accent?
Well, there are so many, aren't there?
Well, but you know what, that brings up a good point. I wanted to know your natural style of speaking, what would you call that? Here in the United States, you could say, oh, you have a Southern accent, you have a New England accent, you have a Mid-Atlantic accent. How would you describe your accent, your British accent?
Well, my accent, my English accent is really what we call the Queen's English. This is the A1 top tier.
Really?
Received pronunciation, BBC. And I think most people would think that is a lovely, home counties. I live in Oxford, and I think that is represented. Yes, I know. That's the Queen's English.
Because I would think this is the Queen's English.
Hello!
Hello! Welcome to Smashing Security. This is the Queen. Now, that's what we think of being the Queen's English.
Hey, hey, buddy, you're not in the Commonwealth anymore, so you don't have the right to slag her off.
All right, I see.
All right. Yeah, slag off Brenda. Anyway, when it comes to an American accent, I think we had a commercial in this country. It was selling insurance and it was done through the character of a mouse who was driving a car called the E. Shore Mouse.
And he's, hey, hey, hey, do you want to buy some insurance?
That's kind of what we think of when we think of American accents.
Okay, not we, not we, you. Unless you're talking about you and the plural.
It is we when you speak the Royal English.
Anyway, see, the problem we have is that when we try to do your accent, we all end up sounding like Dick Van Dyke in Mary Poppins.
Yes, that wasn't our plan. If you're lucky.
If we're lucky, right. Mary Poppins.
It's a great time today, Mary Poppins!
Yeah.
Ain't no use.
Yep. I think, Dave, you're enjoying not being on the Cyber Wire, aren't you?
I really, really am.
Or he doesn't have a story.
You got me.
Maybe when I go on vacation, you can fill in for me, Graham. What do you think?
Oh, yes.
We'll upset your sponsors. It would be an upgrade. Yeah. That would be totally— Now then, look, you're too anarchic. So we're going to pull you back now.
All right.
Dave, what's your story for us this week?
My story is from ZDNet.
Zed.
The article is called—
Yes.
Are we going to get into the whole privacy, privacy thing or how you all mispronounce aluminium?
Ooh, oh, that's a corkscrew through the heart. You go ahead.
Lawsuits threaten InfoSec research just when we need it most. So this story is about the chilling effect of white hat researchers being sued when they discover and are trying to point out flaws in people's software. And it's happened time and time again where someone finds a flaw doing what they think is the right thing.
Right.
They notify the people who have the software. And rather than saying thank you for pointing this out.
Yeah.
They respond guns ablaze with their legal team and say, "We're going to sue you into obliteration." Right, exactly.
They shoot the messenger, effectively.
They do, and in effect trying to shut down the story, which of course seems to me to be self-defeating. I mean, I was reading a commentary on this on Twitter this past week. Someone was saying that, well, if the researchers don't tell you about it, you're going to find out about it when people start stealing money. And, you know, it's much worse when the bad guys discover it rather than having the good guys point it out to you.
And furthermore, if you take legal action against someone who's found a vulnerability in your site, there's the danger of the Streisand effect, isn't there? Of journalists being much, much more interested. Well, that's what I'm thinking. Of course, of course they'll freak out. And actually, that just whets the appetite of any journo. So what's happened on this particular occasion? Who's made this disastrous mistake of taking action against the person who's found the problem?
Well, they interviewed several journalists about this, and one caught my eye. There was a gentleman who goes by the name Johnny Christmas, spelled with an X. Is that an X, right? You don't have a different way to pronounce that letter?
No, X is X. Scrambled X sometimes, but yes.
Obviously.
So he's most famous for releasing the master key for the luggage locks used by the TSA a few years ago.
Yes.
And he discovered that his school ID system everyone had a university ID card, basically had everyone's information including their Social Security number in the clear on the card.
No.
Yeah, anyone could have access to it. So what he did was he posted flyers around the school, you know, sort of bringing people's attention to this fact. The school noticed, verified it, and they severed the contract with the company who made the ID cards. Well, the company who made the ID cards was not happy about losing such a large client as the university.
Right.
But wouldn't admit their mistake.
No. So they sued Mr. Christmas for slander.
For slander?
For slander. So they settled out of court. But basically what happened was their legal team was bigger than his, and they just dragged it out until he ran out of money.
Yeah. I guess his dad didn't have a lot of money, did he? Carole didn't get it.
Father Christmas?
No, sorry. I was just thinking of something I heard in a podcast recently that apparently in the States, 97% of claims or court cases end up in a plea where people basically plead guilty and then they're—
Yes. Well, yes, criminal law, that's a whole other kettle of fish here in the States. Yeah, we've got issues.
So even though what he discovered was presumably verifiable, they took action against him and that some kind of settlement's been made.
Right. And so the chilling effect is that this article points out that many of these researchers have decided rather than spending their time on vulnerabilities, they're looking into other things because it might not be worth it to discover something and be dragged into a long, protracted legal argument, expensive legal argument, for just trying to do the right thing.
Yeah.
What some of these researchers are doing is simply rather than informing the company, they're just posting it publicly anonymously.
Yeah.
Which is not responsible disclosure.
Exactly.
Because, yeah, so they're making it worse for themselves by not approaching this in what I would consider to be a sensible way. I also wonder, should there be some sort of cyber equivalent to a Good Samaritan law? You know, a Good Samaritan law is where, you know, if I have a heart attack on an airplane and, you know, an orthodontist tries to save my life because you know, he had some medical training.
He loved your teeth.
Yeah, fails miserably, but my family can't sue him for not being the right kind of doctor because he was just trying to be a good Samaritan. I wonder, do we need something similar to that that holds back companies' ability to go after people to sort of take advantage of the Computer Fraud and Abuse Act to just get people to shut up?
Maybe we need something like that. So this ZDNet article has— I don't know how many people it spoke to, but clearly there are some researchers out there who are worried about talking about vulnerabilities because of potential legal ramifications. It may force them underground. It may lead to irresponsible disclosure. I wonder if we'll see some of these people in future choosing to use pseudonyms. I mean, Johnny Christmas, for instance, he may, you know, that was silly of him to use his real name like that. If it'd been Henry Halloween or Sydney Shrove Tuesday or something like that.
Andy Arbor Day.
Yeah. Bro, what's your topic this week?
Well, imagine if a gaggle of the world's leading— what if 20 leading technologists, legal eagles, and brainiacs were locked in a room and asked to come up with the most effective solution to prevent bad actors, from Russia or elsewhere, from purchasing election ads on social media? That's what I want to talk about today. So imagine all these smart people in the room and long, intense discussions over cold pizza and flat fizz pop. That's how I'm seeing it. And they're mopping their brows and they present you with the one-word answer, the solution. Postcards. Now, I'm sure this is not how Facebook actually came up with this new plan to use postcards and the US mail to curb election disinformation and meddling, but my question today is, can this actually work? We're using a kind of ancient communication method in order to solve a very new world problem. So last week, the day after the US special counsel Robert Mueller unsealed an indictment accusing 13 Russians and 3 Russian companies of criminal interference in the Trump-Clinton election process, Facebook unveiled its plans to start using postcards via US mail.
So they're going to fight the Russians with postcards?
Yes, they're going to fight it with paper cuts a go-go.
Not a letter from Brezhnev, but a postcard from Mark Zuckerberg.
That's right.
Fantastic.
One postcard at a time.
High tech.
The point of these postcards is to verify the identities and the location of individuals who want to purchase US election-related advertising on its site, on Facebook. After all, it's estimated that Russia's influence over the election via Facebook alone reached 126 million users, right? Now, the whole problem here is under American law, foreigners are forbidden from donating or contributing anything of value to any election, whether local, state, or federal. So the idea is that postcards can mitigate the risk that electoral ads are purchased from outside the US, from non-Americans. So Facebook's global director of policy programs, Katie Harbath, said, if you run an ad mentioning a candidate, we're going to mail you a postcard and you're going to have to use that code to prove who you are in the United States. Now, I imagine it's actually going to work the other way around. I bet you're going to have to do the code thing first before you run the ad. But I suspect that's just semantics in this, you know, whatever.
That's— yes.
Harbath also admitted to Reuters that this is not going to solve everything. But she did say this is the most effective method the tech company could come up with to prevent Russians and other bad actors from purchasing ads while posing as someone else.
But you see, how's this actually going to work, right? This whole idea of if you're going to run a political ad mentioning a candidate, you've got to sort of apply and they're going to send you a postcard and you're going to say, oh yes, I have received your postcard and so I will enter your code. First of all, if someone receives that, then they could clearly just IM it to Boris, you know, from that hotel room. But more than that, how are Facebook going to identify that you're running an ad which mentions a candidate? Because you could always refer to the orange guy, right? Or Big Don with the long tie.
We all know who we're talking about here.
Killary Hilton. Or, you know, it's not difficult, is it? Will anyone who wants to run an ad about their friend Hillary, for instance, think, oh no, it must be a political ad.
I don't know how it's gonna work. Yeah, I wonder if there's just a checkbox where someone has, if someone says this is an election-based ad or if they just don't, if they omit to check that box, maybe they bypass this altogether. I don't know.
And how much of this is Facebook really trying to fix the problem and how much of this is Facebook being able to say, well, we tried to fix the problem.
Yes. Yes, yes, yes, yes.
That's what it sounds like to me. I mean, you know, there's tons, you know what, but half the population don't actually have voting rights, but they actually live in the US. So, you know, what's stopping them from getting the code and putting something up? Is that allowed? I guess it is because under the law, if you're not a US citizen, if you're outside or if you're foreign to the US, that's the problem. It doesn't matter, I guess, if you're underage or not allowed to vote.
But postboxes are not difficult things to get here. Right. And there's automated services. There's exactly that. There's automated services that will forward it to you anywhere in the world from your anonymous postbox.
You just need a buddy, right?
You have some of those, Graham?
Well, hypothetically.
Hypothetically.
Just like these Russians who've been indicted apparently had a guy, you know, helping them steal identities and credit card information.
I'm going to go out on a limb here and say that the Russians who were, according to this indictment, were spending over $1 million a month. Just going to go out on a limb here and say that they could probably find a way to get a mailbox or two to be the place for these postcards to come. Call me crazy, but I think the Russian intelligence services could probably come up with a workaround here.
I think we need to be more imaginative. This postcard system isn't going to work. What else could we come up with? How about if you had to be photographed in front of a famous American monument and then Facebook's clever artificial intelligence machine learning facial recognition could identify you're in front of the Statue of Liberty or Dunkin' Donuts or one of your other famous landmarks.
Have you heard of Photoshop?
Or—
Oh, you know, I—
I know. I find it depressing as well. I mean, you think about the guys and gals who built this incredible, gigantic, addictive, useful social monster, right? And it's this, you know, millions and millions upon millions are using it. And even whilst numbers are dwindling, we're all reading that in the press, right? They can't keep their services free from illegal interference.
That's the problem. Where do you all stand on the notion of verified IDs on these types of services? I mean, Facebook tries to be real names, to varying degrees of success. Twitter doesn't care who you are, clearly. But if there was a system by which you had to provide some sort of ID to get your account, would that help?
It's interesting. I have a Facebook account which doesn't use my real name. For a while, I was Zuck Muckerberg, but they spotted that one and closed it down. But I have another one now, which isn't my real name. And it doesn't seem like this is a problem which is easy to fix. I think that we're trying to fix the problem really from the wrong end. I think maybe the legislators are looking at Facebook and saying, you need to get your act together. And it's like, how are we going to do this, guys? Maybe what we need to do is have more education of people to not fall for such silly scams, just like we used to protect them against hoaxes in the old days and warn them about that kind of nonsense.
Well, it's interesting you say that, because actually Facebook's VP of ads took to Twitter this week and published a 7-part tweet, trying to kind of reestablish some sort of authority over this whole situation of disinformation, Russian meddling, I imagine. And, you know, it's quite a powerful 7-parter. However, The New York Times dismantled many of the arguments he made in this kind of fascinating fact-checking piece. So it's really worth a read, actually. So I've put both links in the show notes for you to check out.
It's not fake news, is it, Carole?
You know what, these days, who can tell? Who can tell?
I can't tell anymore.
I can't tell anymore.
I can't tell.
Let's ask the eShow Mouse.
I don't know.
I don't know.
Can I doxx this on that?
I'm sorry, cheating.
Who can we trust? Who can we trust?
This episode of Smashing Security is sponsored in part by Rapid7. Trusted by over 6,700 organizations globally, Rapid7 security solutions harness the critical information essential to protect an organization's best interest. Rapid7's InsightIDR has been named a Visionary in Gartner's latest SIEM Magic Quadrant. InsightIDR unifies SIEM, UBA, and EDR and is an intruder analytics solution that gives you the confidence to detect and investigate security incidents faster. You can download a 30-day trial by visiting rapid7.com/insightidr. That's rapid7.com/insightidr.
And thanks once again to MetaCompliance for supporting this episode of Smashing Security. People are the key to minimizing your cybersecurity risk posture. You can save 10% as a Smashing Security listener off the high-quality cybersecurity e-learning catalog by going to metacompliance.com and quoting the code SMASHING. That's metacompliance.com, and don't forget the code SMASHING. On with the show.
And welcome back. You join us at our favorite part of the show. We like to call it Pick of the Week.
Pick of the Week.
Pick of the Week. Everyone on the show chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, an app, a website, a podcast, whatever you like. Could be.
Could be.
Could be security related. It's not the first time ever.
Have I done one before?
Yes, you have, but I can't yell this week because mine's security-related too.
Okay.
Okay.
So my Pick of the Week deals with a particular problem associated with phishing. One of the tricks which phishers will use, they will try and fool you into thinking that you're clicking on a link to a well-known site like PayPal or Facebook or Netflix or whatever. And it even looks like that, right? It even looks like it. Well, Carole, hang on to your hat. Even when you hover your little mousey over it, it looks like you really are going to PayPal.com, but it isn't the real PayPal. And because I think possibly for the first time
Are you talking phishing here?
Yeah, phishing. Exactly.
Dastardly.
ever, I have a security-related Pick of the Week. So what they're actually doing is they are using internationalized domain names because these days with domain names, you've got all these other kooky, crazy countries which contribute in all these lunatic characters, ones with little tildes underneath, ones with little crosses. And these are called IDNs, Internationalized Domain Names. In fact, you could, if you wanted, and if you've got enough money, buy a domain name, which is basically just an emoji, right? It's www.hamburger.com and you have a little picture of a hamburger if you really wanted. It's bonkers, but that is possible. And some of these crazy characters actually look identical to normal English language characters or Western alphabet characters. And as a consequence, you think you're going to PayPal, but you're not.
You're going to something else.
Gotcha. Yeah.
Gotcha. Yeah.
So what is happening is the browsers are using something called Punycode to handle these domains.
Punycode?
Punycode.
Yeah, it's lovely, isn't it? And so what I'm recommending that people do is you should configure your browser to spot these Identikit-style URLs more easily, and you'll know whether someone is using some Punycode in a URL or not. And there's a great little browser extension. There's a few of them. I've tested out a few of them, but my favorite, and the one I'm going to recommend today, is called IDN Safe. Puny as in weakling. IDN for Internationalized Domain Name, and then Safe. And you can add that to your Chrome browser, your Firefox, your Opera. And what it will do is when you try and go to a URL which contains one of these funny characters, it will block it.
Because you happen to click on a link and you think you're totally going to PayPal, but you're actually going to paypah— Exactly. And it will pop up in a little red box in the corner and you'll say, "Oh, what's that doing there?"
But hopefully that will be enough of a safety net to prevent you from going into that link. Now, on modern versions of Chrome and Opera as well, and I think possibly Edge as well, it will actually show the Punycode in the browser bar, in the URL block at the top there. So you can see that it isn't the real PayPal.com.
I like it.
You'll see some other characters up there instead of how it's displayed. But with Firefox, you need to actually configure it to show the Punycode. And I'm going to put a link in to the show notes if people want to do that.
That's very helpful.
But really, my recommendation is you probably want to have a browser plugin like this which will alert you. Now, particularly if you're English-speaking, it's unlikely you're going to be going to very many internationalized domain names, and so this will be a great safety net. If you're not, if you're Chinese or something, you're going to be really irritated by this recommendation from me, and I'm sorry about that. So either ignore me or you'll be whitelisting an awful lot of sites. But that is my pick of the week. IDN Safe. Dave, what's your pick of the week?
Well, I don't mean to wade back into this again and bring us back to where we were earlier, but my pick of the week is privacy.com, or as you would say, privacy. Thank you. Yeah, privacy.com. First of all, I have to wonder, what did it cost them to buy that domain name? Yeah, right? Yeah, that's a pretty good one. So this basically allows you to create burner credit cards. Oh yeah, so you— and there's all sorts of ways you can dial it in. So you can have a one-off credit card where if you're signing up to buy something and you're not sure if it's dodgy or, you know, a place where you're not planning on doing a lot of business over and over again, you can say please generate a credit card number for me that will only be good for one use, and it will do that for you. You can also spin up credit card numbers that have limits over time. So if you had a subscription, let's say you wanted to put your Netflix on a credit card number, you could say, you know, do not exceed $20 a month on this credit card, and it can dial that in as well. So all kinds of different ways for you to be able to create one-off credit card numbers and protect yourself from having all your eggs in one credit card number basket online.
So I imagine the way this works is you go to privacy.com, it's going to ask you for your legitimate credit card number. Well, there's no getting out of that, I imagine, right?
Well, actually, that's— when I was looking at this, I kept thinking to myself, what's the catch? What's the catch? That's because, first of all, it's free. They are using— they're taking a cut of the credit card transaction fee to make their money.
Yes, yes. However, the one thing that gave me pause with these folks is that you do not give them your credit card number, you give them your bank account number. Oh, ouch.
Yeah. Yeah.
So now you could potentially have a bank account with a very small amount of money in it, right?
You could.
Dave was asking how they afforded the domain name privacy.com.
Yeah, I think we figured it out.
I think we've just nailed it.
That's right. That's right.
So next, yeah, on next week's show, privacy experts recommend scam credit card.
Dave, have you used this site?
I have not, but I know people who have.
Okay. I was hoping you would do it first because when you first mentioned this and I thought, oh, you have to— I imagined you'd have to give your credit card details to then create a sort of sub-credit card. Yeah, I think maybe you could use recursion. Maybe you could use one of their credit card numbers to create an account on their site, which could— before you know it, you've ended up with a black hole.
Yes, just get sucked into the time-space continuum. Yes, fantastic. Yes, I love it. I love that idea.
Okay, so they're taking a direct— okay, and they're getting a cut. So are you sure? I just want to get this on the record.
I recommend people look into Privacy.com as a possibility for their— to do this sort of thing. I will tell you very much before— no, I just want to get to this message provided by the CyberWire legal team.
Smashing Security does not endorse the recommendations of the CyberWire legal team.
Yeah, exactly. Before I recommended this, I did do some digging around and looked for online reviews of the service, and it all seems to be on the up and up. So, but of course, there is that old saying, if it seems to be too good to be true, then perhaps it is.
But listeners, if you trust Dave's gut, go for it.
Do you feel lucky?
What I can say is I do definitely think it's a good idea maybe to have a separate credit card for online purchases with a low limit rather than maybe the one you're using for regular household purchases. And, you know, it— yeah, to just keep an eye obviously on your transactions. I mean, I like the idea of this. I haven't had any experience of it. And so we look forward to the feedback from users who go try it out.
From a service we have not endorsed in any way.
Right, exactly.
Yeah, this is Carole Theriault and Graham Cluley.
We're so authoritative, aren't we?
We really are.
What's your pick of the week?
So my dad, who occasionally listens to the show— salut papa, c'était là— asked if we could cover more how-tos in our picks of the week.
Okay. Okay. So this is one for you, dads. I know.
No. So look, lots of people like to put their credit cards in their iPhones. There's lots of good reasons to do it. It helps you download apps, make in-app purchases. You know, you can perform NFC-based Apple Payments. You can send money to friends via Apple Pay Cash. Lots of cool things. But you know, you may get your credit card stolen. Your card might expire. Your bank may report a problem, whatever. And you may need to disconnect them.
You may have had all of your money stolen by privacy.com.
Exactly. And you may want to get it off your phone.
Again, that wasn't us who said that. That was our third-party contributor.
So I have put in the show notes a link to the support.apple.com official page, as well as another page from iDownloadBlog to tell you all the step-by-step instructions.
Well, that sounds very helpful, Carole. Well done. Glad that we've got the ship back on its correct course.
What do you mean by that, Mr. Cluley?
No, I think we've done very well with our picks of the week this week, you and me, Carole.
They've been all very security-related.
Yes, it's all been—
Let's not do that again.
Yeah, exactly. You know, rather than us talking about Blake's 7 or something like that.
You know what, it's Maria's fault. She did bring up Furbies last week, and I think we did want to have a bit of authority.
The idea of that Furby in the organ was just horrendous, wasn't it? Well, that just about wraps it up for this week. If you want to follow us, you can follow us on Twitter @SmashInSecurity. Twitter didn't let us have a G. On Facebook, we're at smashingsecurity.com/facebook. And we've got a store where you can buy some tatty merchandise as well, smashingsecurity.com/store. Thank you to everyone who's done that. All that remains is to ask our guest Dave, where people can find him online. Where's the best place to follow you? What do you want to plug? As if—
Where can people yell at you about privacy.com?
Ah, yeah, yes, exactly. It's GrahamCluley.com.
Funny.
TheCyberWire.com. Don't forget the "the" because someone else has CyberWire.com. So I know we couldn't— we didn't have the kind of money that Privacy.com had to buy it outright from them. So TheCyberWire.com and you can find the podcast, find our daily news brief, all that good stuff.
Great. And all that remains to thank you at home for tuning in. If you like the show, rate it on Apple Podcasts. It really does help.
Please rate us.
We've had some very good reviews.
We have. I love them.
Yes, I love them.
And I— except some— someone called me potty-mouth though. Someone called me potty-mouth in a review that everyone sees.
You are a bit fucking potty-mouth though, Carole Theriault.
I know, I know. I'm allowed. I'm your friend. How else am I supposed to put up with you?
If you want to catch up on our past episodes, you can go to www.smashingsecurity.com as well, and for details on how to get in touch with us. Until next time, cheerio, bye-bye, sayonara, guys.
Later, later, bro.
That's D-Dawg.
You don't just have characters A to Z, you've got all those crazy kooky other countries contributing.
I'm sorry, what?
Excuse me, sir.
Have to be careful how you edit that.
Hosts: Graham Cluley, Carole Theriault
Guest: Dave Bittner
Show notes:
- FSLabs' A320 installer seems to include a Chrome password extraction tool
- Flight Simulator Add-On Tried to Catch Pirates By Installing Password-Stealing Malware on Their Computers
- A320-X DRM clarification – Flight Sim Labs Forums
- FlightSimLabs Alleged Malware Analysis – Luke Gorman
- A320-X DRM – what happened – Flight Sim Labs Forums
- Lawsuits threaten infosec research – just when we need it most
- Facebook plans to use U.S. mail to verify IDs of election ad buyers
- Facebook’s secret weapon in the fight against foreign meddling? Postcards
- Fact-Checking a Facebook Executive’s Comments on Russian Interference
- Punycode – Wikipedia
- IDN Safe for Chrome
- IDN Safe for Firefox
- IDN Safe for Opera
- Firefox users – Spot phishing URL's more easily by enabling Show Punycode
- Privacy.com – (Dave’s recommendation, not ours)
- How to remove your credit card information from your iPhone
- Change or remove your Apple ID payment information – Apple Support
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management. Listeners can get a 10% discount off the high-quality CyberSecurity eLearning catalog by quoting the code SMASHING. Visit www.metacompliance.com now.
InsightIDR is an intruder analytics solution that gives you the confidence to detect and investigate security incidents faster. You can download a 30-day trial by visiting www.rapid7.com/insightidr