
How are scammers stealing your money through Google Maps? Why did the FBI create a fake FedEx website? And how are US senators hoping to stop Grinch bots ruining Christmas?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
And don’t miss our special bonus interview about passwords with Rachael Stockton of LastPass, sponsors of this week’s show.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Okay, how did they do it? I want to know how they did it.
Well, in the old days, Carole, the technique you could use is you could burgle people's houses and replace their telephone directories. So simple! Print it up!
With one ad on page 396, having a different phone number. The spine of the book correctly bends, so that page just falls open. Hint hint.
Hello and welcome to Smashing Security episode 106. My name is Graham Cluley. And I'm Carole Theriault. Hello Carole. Hello Mr. Cluley. And by popular demand we are joined by a frequent guest of the show, Maria Varmazis. Hello, Maria. Hello. Konnichiwa, Maria. Konnichiwa. Hi. You've just returned, haven't you, from Japan?
Yes, I was in Japan for two weeks and then dealing with toddler jet lag fallout for the week after, so I'm just emerging from all that. The worst. Yeah. You had too much fun. Too much fun, so now we're going to deal with screaming toddler. Well, don't worry. We will save you from that for at least an hour.
Just screaming adults now. Exactly. Yeah, great.
Now, we have a glut of fab stories for you today, from how scammers are using Google Maps to steal money, how you nab phishers, and we'll even explain what the heck Grinch bots are. But that's not all. We also have some brand new bonus content. You can listen to Graham and I get the lowdown on digital password safes in a fun tête-à-tête with Rachael from LastPass, this week's Smashing Security sponsor. Check them out at lastpass.com/smashing.
Tête-à-tête, are you showing off again that you know French? Well, at least you recognised it was French. Now, chaps, I want you to imagine that you are a bad guy. Not hard. Or a bad gal. And you want to trick people into giving you their bank account details, their PIN codes, their secret CVV codes, their inside leg measurement.
Normally you just say, can I see your card for a second? I want to buy you something on Amazon. Give me your card for a second. Done. Well, you might find that a little bit suspicious if a complete stranger did it, wouldn't you?
Do you? I would pretend to be a server in a restaurant and I'd be like, oh, here's your bill. I see that you've left your card. Thank you very much. I'll come back with the card machine.
That's more creative. I had something actually happen to me where the whole time I thought they were doing this to me, where they're trying to steal my info. It was somebody, not a busker, but those charity folks that are always on the sidewalks that are asking, you know, they're trying to flag you down and go, hey, do you have a second for Oxfam or whatever? Yeah. Yeah. And I had one of them flag me down because I was, I guess I look nice and approachable. And it was for Heifer International. What's Heifer International? Oh, you give them money and they give people in developing countries like oxen or sheep or goats or stuff so they can sustain themselves and make money and that kind of thing. Okay, got it. Yeah. So the whole time I'm just like, I don't know if this person actually works for this charity. I'm not really sure. Are you a genuine heifer? You're thinking. Are you a real heifer? Are you looking up and down? Are you really a heifer? Like a cow to me. And then at the end, they're like, please give us money. I need your info, your financial info, and I'm just like, oh, that could be getting really hurt right now. Yeah. Just please give us money for charity. I promise it's legit. You have no way of knowing whether I am or not. I'm just a total stranger on the street asking for info.
Well, they normally have ID in the UK at least, but at the same time how would I know that's valid? Yes, of course anyone can print out some ID. Just hold a clipboard and you look really official, right?
Well, look, this is all very interesting, but what you are describing are tricks where you come into physical contact with your target. And I would imagine many criminals are a little bit nervous about doing that because of the chances of getting punched on the nose or having the police come and grab them. So they like to do it over the internet, and there's a variety of ways in which you could try and scam someone remotely. You could call them up pretending to be their bank, for instance, but they might get suspicious about that. It would be so much better and easier, if you were a bad guy, if the victim called you up. So you could email your intended victim, pretending to be the bank, and ask them very politely to call you. But again, there's so many scams out there. Some folks are likely to find that a little bit fishy as well, aren't they? You know, if you get an email out of the blue saying, can you give us a phone call, or if there's a problem with your account, call us on this number. You might be suspicious. So wouldn't it be great if it was the victim's idea to call you up in the first place, thinking that your phone number was the real number for the bank? Wouldn't that be ideal?
That's a long con. You got to admire that. That's... okay, how did they do it? I want to know how they did that. That's great.
Well, in the old days, Carole, the technique you could use is you could burgle people's houses and replace their telephone directories. And so in the telephone directories... it up. Okay, you got to know, be really comfortable with publishing software. With one ad on page 396 having a different phone number. The spine of the book correctly bends, so that page just falls open. Hint hint. So
you could produce fake telephone directories. But today, of course, no one uses a telephone directory today, do they? Oh, I do. Do you? I do, as a doorstop, to put my monitor on. I get them every year. They don't stop coming. What am I supposed to do with them?
They've stopped producing them over here, I think, because the trees were beginning to complain about it. Oh, we don't care about trees in America, have we? Newsflash, yep. Yeah.
Well, today, the technique you could use is you could edit Google Maps. You see, a lot of people use Google to find out a bank's phone number rather than going to the bank's own website or, you know, I don't know. But they...
Use Google Maps instead of Google Search?
Well, the thing is, Carole, when you search for something on Google, you don't just get your regular search results. If you look for, for instance, a bank branch, it's quite likely that you will also get a result from Google Maps as one of your search results, which may give the opening times of that bank or restaurant or whatever it is. I'm trying it right now. And the phone number as well.
Okay. I'm going in. All right, so I'm seeing your page at the moment. On the right-hand screen of your search result you have a bunch of information about a bank, including a Google Map location finder.
Yeah, and including, I mean, it's got these little bits of metadata. So it's got the address, hours open, and the phone number as well, and an option to suggest an edit should any of that information be wrong. Now, that's the thing: Google Maps, in its wisdom, allows folks to edit an organisation's contact details. Now, presumably, they're allowing users to generate their own content to try and make the information provided by Google search better. Right. But if the organisation's phone number has been changed to that of a scammer, then the scammer is going to start getting phone calls which people intended to go to the real bank, aren't they? And so don't be surprised if you think you're ringing up your bank and you're being asked to confirm your password, your bank account, your credit card numbers, your birthday, your PIN, your CVV code.
Come on, I think most people would be wise to the fact that you don't share your PIN number with anyone.
You would hope so, wouldn't you? But social engineers can be awfully crafty, and there will be some people, maybe more vulnerable members of society, who might fall for exactly that. Oh yes, let's just blame people, shall we, Carole? No, it's interesting, as well as people that are vulnerable could be duped by this. Only stupid people get phished, right? Only stupid, normally.
Carole, you're the one who sticks up for the dolt heads and I'm the mean guy.
Yeah, everything is topsy-turvy now after episode 100. I really don't know what's going on. What has happened?
Now police in India in Maharashtra. Oh, my goodness. Maharashtra. Oh. Maharashtra. Hello. Maharashtra. Absolutely right. They say they've had three complaints of exactly this happening in relation to the Bank of India in the last month alone. So there's no real reason to believe. That's hardly an epidemic. Oh, Carole.
This is... Poo poo to you too. Just wait till your story comes around. All right. We're going to see all over that. This is three complaints. How many people might have rung up and may have given information and may still not realise they weren't talking to the real bank? How many people may have rung up and found it suspicious and just hung up and didn't think to go and contact the police? Standing down, buddy. Standing down. And there's no reason to believe it might not be happening in other parts of the world, too. It's unlikely to be purely an Indian problem, right? Yeah. So what should you do about this? Well, you can use the bank's official website to find the contact details of your local branch rather than necessarily relying on what your search engine gives you. And Google, for its part, says, well, you know, we allow people to suggest edits in order to keep the information up to date. But we do recognise there may occasionally be inaccuracies or naughty, malicious edits suggested by them. And we do our best to fix these as soon as we're informed. So, frankly, they're not doing anything. Now this isn't the only problem we've seen with Google Maps. Do you remember there was this thing which used to exist called Map Maker where you could plot your own paths around the world and walkways and things? I think it doesn't exist anymore. But one of the ways in which we saw that abused, if you remember, is people sort of painted paths onto Google. There was a famous one of the Android robot peeing onto the Apple logo.
Yes, so they were doing sketches. They were doing sketches.
So it's miles wide of this thing pissing on Steve Jobs' apple. There was a big penis as well. Well, I didn't spot that one for a while.
The important details. The important details.
And there was once someone actually claimed to have opened a snowboarding shop in Pennsylvania Avenue, home of the White House, actually right in the middle of the White House. And they called it Edward's Snow Den.
Get it? Get it? Get it? That's so clever. Oh, my God. How did they come up with that? How did they come up with that?
So I think what we're really saying here is user-generated content can be a fantastic way to create obviously lots and lots of content, but you can't always rely upon it. And of course, Google's business relies so much upon information that other people are giving them. So be careful out there, folks.
It's frustrating if the map is legitimately wrong, though. Have you ever had to try and fix Google Maps when it lists something incorrectly, like legitimately wrong? It's really hard. It's super hard to get them to fix it.
What sort of mistake did they make in your experience?
So my parents' house is incorrectly listed. The address and the actual house are incorrect. So unfortunately, even emergency services nowadays seem to rely on Google Maps. So when an ambulance was called to my parents' house years ago, they couldn't find my parents' house, and this was like two years ago.
But it's not that they have an entry. It's not like it says Maria's parents' house on Google Maps. You type in—
The address and the number does not align with the actual physical. So it's a real problem. And I know that there's a problem for a lot of people saying their home is listed incorrectly. People can't find them, or business is listed incorrectly. The physical space and the map are not aligned. And trying to get Google to fix that is freaking impossible. You know what they need. A guy in India. They need past pick of the week, What Three Words. Yes, that actually would be pretty helpful. If only the world was using What Three Words, then there'd be no problems whatsoever. They'd be able to find anything in the world, wouldn't they?
So they kind of created this fake online merchant system that fooled phishers into thinking they could legitimately—
I don't think it was as complicated as a merchant system. They didn't go down the entire rabbit hole. But let me give you the setup here. So basically, the FBI was alerted to some criminals that were extorting a cranes company in New York State, and apparently this cranes company paid $82,000 to criminals. Didn't realize it till a little later.
For a bunch of birds?
No, no, no. Construction cranes.
I give that groaner one chuckle. Hashtag terrible jokes.
Yes, they make cranes. They make birds. It's a thing. So when the bird guys figured out they'd been extorted out of money, they called in the FBI, and the FBI just needed to figure out where these cyber criminals were located. And in order to do that, they kind of used some sort of fishy, P-H-I-S-H-Y, fishy-esque. Sorry, I thought that was funny. Fishy-esque means to get a useful IP address out of the criminals. So what they did was they created an entirely fake FedEx website to scam the scammers. They sent it to the scammy guys, and they even had the website resolve as "access denied, this website does not allow proxy connections" to try and get the criminals to drop their proxies. I thought that bit was really clever.
So of course, you can imagine how a website might say, "Oh, you're running a VPN or you're coming through a proxy. You can't access us for whatever reasons." But in this case, this website always said that, and so—
Like, no matter what, you've got to drop your proxy. It's like, "Okay, well..."
In the hope that the criminal would keep on trying to think eventually, "Oh, for goodness sake, I just want to access this page to find out when my payment is coming through." And of course, the web server logs were grabbing their information as they did that.
They were. But there were two search warrants for this specific case, so I'm guessing that that first tactic didn't work. But kudos to the FBI for trying. That's pretty clever. The second thing the FBI did to these same cyber criminals was send the crooks a malicious Word doc.
Doesn't that sound familiar? Like, what are we, 1995? And yet, so this malicious Word doc had an image in it. So again, doesn't this all sound very familiar? It was a screenshot of a FedEx tracking payment for a sent payment. So the idea is you open up the Word doc, the image loads. I think we all know the yada, yada, yada, and then the image phones home saying "this is where I'm located" and the FBI nabs crooks. Well, do you think the criminals are expecting to get this kind of thing their way? I mean, they're the ones usually lobbing it out, but they're not expecting to get it, right?
Thing is, the criminal might be very careful when accessing a web page. So obviously, this fake FedEx page didn't manage to fool them. But they may be less careful when they've been emailed maybe a Word document, and they subsequently, maybe hours and hours later, after they've done their surfing, they access the Word document, and it tries to drag down an image at that point. So I think that was quite a sneaky trick for the feds to try. But I read the document which has been unearthed, the FBI search warrant, and there's some fascinating details in there as to what was going on. For instance, once the crane manufacturing company realized that they'd been defrauded and they brought the FBI in and the scammers came back. So they initially took $82,000 and then they came back asking for an additional $138,000.
A handout. In one tiny little payment.
Just a little bit. Obviously, the company was now onto it. And so the FBI said to them, well, stall them, stall them.
Do a dance or something.
And so Margaret, her name was Margaret, who worked in the accounts department. She said, well, look, what she wrote back to the scammer was, oh, you know, there's been a bit of a delay sorting out your check. Because the printer we use to print out checks, which we send people, is broken.
That's very plausible. That's so plausible, though.
And there's a part missing and we have to have it delivered. And the fraudster kept on email, still posing as the CEO. Surely this payment must have been made by now. The printer should have been fixed. Please advise.
And then he was saying, I'm having trouble with the web link. You know, he didn't go into details. He explained it was the VPN proxy problem. But he said, oh, just give me the information. I don't need to go and visit the webpage.
Oh, that's great. And poor old Margaret was saying, well, it works for me. I've tried it from my home computer as well. This is so great. Good for you, Margaret. She's got a future in law enforcement.
So good for her for trying. But there are other fascinating details regarding this case.
I'm going to have to do some deeper digging in that. That sounds pretty interesting.
Well, one of the things is that the checks, apparently, some of them were being mailed to this woman who, on behalf of a guy who she met on Match.com, was having some kind of relationship with, who claimed to be in Afghanistan a lot, working for the army, but also had business interests in Australia. She was kind of getting the money, transferring it into his bank account, and then moving it into an Australian bank account.
There's a whole soap opera angle to the story. I had no idea. What?
And I think that whole relationship had basically been set up by this guy, who probably wasn't in Afghanistan.
You've got to be kidding. In order to scam people. I wonder if he had multiple women around the place. Oh, my God. There's a whole catfishing thing. Some really bored crook. This is like, I'm on the computer all day. Might as well catfish some ladies.
Wow. Wow. Okay, but I have a question. I have a question. What do you guys think about the feds using dodgy tactics like this? Like, should they try and stay within the realms of... Is it dodgy?
That's the thing. It wasn't a booby... Well, the Word document, for instance, it didn't contain malware. I think if it contained some malicious code which had run on people's computers, and they were quite careful in the search warrant to say, it's not going to do that, and we're not going to take screenshots of the computer or anything like that. We're simply going to get the IP details and the browser details.
The whole thing is that the feds don't want to accidentally entrap an innocent party while doing this kind of thing. They set up a phishing website. But all it did was grab someone's IP address. It wasn't really a phishing website. It's phishy, but not phishing. Yes. Okay, fair, fair.
If anyone's going to complain, actually, I wondered what FedEx might have felt about it.
They have no comment. That means they are peed off. That or they're actually involved and they can't comment because it's a law investigation and they're not allowed to.
It could be either or. I would think there's a security team at FedEx and one of their jobs will be looking out for fishy domains which get created and getting them shut down because it obviously damages their brand. But when there's a legitimate law enforcement reason to create one, presumably they have to be involved so that they turn a blind eye to it.
It would feel quite gross if they were not involved. I imagine that would be a problem if they weren't. I would love to hear the war stories from them on that if that was ever legal to divulge. That is neat. Well, the sort of key thing I wanted to convey after all – we went down that fascinating path, though. I'm kind of amazed – was that this is kind of new for the FBI to be doing stuff like this for crooks that are basically just taking money. Because they've been doing stuff like this for child pornographers and violent guys for quite a while. So there was a story I covered a while ago about a guy who was sending bomb threats in the town I lived in. And the FBI did all sorts of cool stuff to track him down. But basically, as of the end of 2016, the U.S. Justice Department amended what's called Rule 41, not Rule 34, Rule 41, which lets judges sign warrants for computers outside of their district. So now law enforcement in the United States can basically, and I use hack lightly here, hack a criminal's computer wherever they're located. It does not have to be in their jurisdiction. So we're going to see a lot more of this kind of stuff from now on. And that's probably the reason why Motherboard went after this 2017 story. We're going to be seeing a lot of this. So keep your ears tuned for that.
I know nothing of this, OK? I'll do some digging after the show.
Yeah, especially if there's a little catfishy angle. Like, that's salacious. It's fun. That's right. I was just reading this thing and I thought, oh, crap. It's all this stuff that Motherboard hasn't written about here. I'm really interested in this bit. Well, now that the freight trains that are Thanksgiving and Black Friday have rumbled past, I say thank God, sayonara. I'm very sorry to say this. We have entered the realm of Christmastime. No, that sounds terrible. That's a kind of potato isn't it? It is, it's a fingerling potato.
I remember the days when you would be given a potato for Christmas and you'd be told to be happy about it. In the old country. Exactly.
In your shoe, right? A potato in your shoe. So this year is this Fingerling. This is a plastic five-inch tall baby monkey, okay, made by the company called WowWee. A Grinch? Yes, Carole. I can't believe... What's your problem with Christmas? I just did all that to intro my topic of Grinch bots. See? Oh, fuck those guys. That sucks.
Right? So in other words, these resellers are using cyber grinches to game the online sales system.
Are these the guys that buy the consoles every year, like the NES or the Super NES thing?
Exactly. Isn't it the spirit of Christmas? High five. Now, the thing is, these bots are super fast, way, way faster than a person on a computer buying a present. You know, you peruse, you read a review, you shop around, then you put it in the cart. And when you finally get to buy it, the hundred or so they had in stock is poof, all gone. Happy Christmas. So a few senators in the States are trying to stamp down on this shitty practice. This past Black Friday, well-timed release from Senators Tom Udall, Richard Blumenthal and Chuck Schumer and U.S. Rep. Paul Tonko. They announced the introduction of the Stopping Grinch Bots Act of 2018. That's a bit of a mouthful. You try and say it.
Stopping Grinch Bots Act of 2018.
Stopping Grinch Bots Act, the SGBA, that's not a very good acronym. It's a pretty descriptive title, right? Seeing as it's all about cracking down on Grinch Bots and stamping out the practice. So the U.S. rep Tonko said in a statement, the American people should be able to spend the holidays with their loved ones, not be forced to camp out at store openings and race against an automated buying algorithm just to get an affordable gift for their kids.
You can just give your children a potato. Or one of my preferred methods, particularly if your child is quite young, maybe not going to school yet, is just lie about when Christmas is, because they don't know what day it is.
Yeah, it's true, if you think your average six, seven, eight year old doesn't know it's Christmas.
Well, maybe six or so, but under about five I think they haven't got a clue what even months or...
Yeah, but are you buying a five-inch fingerling for a three-year-old? No, probably not.
Now, it's funny, Graham, you say the whole thing about a potato because that was my idea. Why don't you parents get off the crazy buy-buy-buy Christmas train and make gifts instead for your little ones, right? Like a little felt book cover or sew them some pants or knit them some socks or build them a birdhouse.
Spoken like a true non-parent who doesn't understand the look they would get from their child of, how did I end up with this parent? What a load of rubbish this family is.
So then we come back to the fact that you guys are insane and you are going to be going crazy this Christmas time yet again and lining up to buy things like this fingerling, Bobby.
We are insane, we bred. We've been taken to insanity by our children not letting us sleep or through toddler jet lag on the way back from Japan or whatever. Yes, of course we're insane. Just let us spend some money, right? And they will get three minutes amusement, at least out of the packaging of the box, if not the contents of the box. And that'll be it. But stop being such a Grinch at Christmas.
So, Graham, you remember you were talking about ticket bots earlier. Well, that was signed into law by Obama, a law called the Better Online Ticket Sales Act, or the Bots Act, Maria, in 2016.
Oh, see, you got to have a good acronym. House of Cards taught me that. It's important.
Exactly. Obama was brilliant at the acronym. So I think that one we like.
So the SGBA, tremendous. Would apply the structure of the BOTS Act to e-commerce sites. So basically it would take advantage of what they've already been able to do with that act, which is actually they seem to have stamped out on a lot of tickets.
What's next, though? Are they going to start disabling eBay sniping going back to 1997 again? I mean, come on. eBay sniping is a proud tradition that I look forward to passing on to my daughter. I mean, come on. If eBay even exists when she starts using the internet.
So guys, if you find the present that your kids want is disappearing off the shelves, think about these Grinch bots and support acts like this that are going to try and stop these greedy effers from getting away...
No, no, no, no. Don't think that. Instead think about how miserable your childhood could have been if Carole was your mother and all she'd given you was a pair of sewn-up trousers or a raw potato and said, get on with it, there you go, happy solstice, enjoy your potato. Fantastic. Well, nice one, Carole, nice one, nice one.
You're so, me wanting to make something with love and care you're turning into...
It's not going to be appreciated, it's not going to be appreciated. You're in cloud cuckoo land right now, it's absurd. And welcome back and you join us on our favorite part of the show, the part of the show that we like to call pick of the week. Pick of the week, pick of the week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. Doesn't have to be security related necessarily. Please don't be this week. And mine is not security related necessarily this week. Mine is, it is not even celery, which is another gift which Carole would probably give people as a present. Here's a piece of celery.
I need celery. I'm making a lot of soup lately and I need celery. It's true.
Well, instead of celery, my pick of the week is the Internet Arcade, which is run by our good friends at the archive.org. And they have a gallery of over 1,700 retro arcade games. Some of them for your computer, some of them might be for arcade. And you can play them online inside an emulator. And it's wonderful. This is what people need, Carole. Not a potato or a stick of celery. They need something like this. And it also includes the greatest game ever written for Microsoft DOS. I'm sure you know what I'm talking about. Mavis Beacon teaches typing. No, not Mavis Beacon. I am referring to Alley Cat.
Oh, come on. Do you remember Alley Cat? Yes. It's not a great game. I'm sorry.
Alley Cat is a great game. It is a great game, and it also has the greatest theme tune of any game ever. I love the theme tune of Alley Cat. It's a very entertaining game.
I will give you the theme tune. The game, entertaining? Yes, I've spent many a long hour playing Alley Cat. So my pick of the week is primarily a shout out to the team at NASA because they just landed something on Mars this week, which I think is just amazing. Freaking awesome.
It's a great comic strip, which is right that it's great, isn't it? Because what an incredible achievement to get something like that all the way to another planet and land it safely and then begin to have it sending information back to us. Super complicated. It's super complicated. Imagine.
That's the problem, I think. I think it's even too big for me to marvel at because it's just too crazy.
Carole, you've done an Excel pivot table before haven't you? You've done a pivot table.
You can read this comic and it explains it beautifully. I got this, seriously the comic will explain it really well. It's really easy to understand.
No, I'm not, yeah, I can, you can, I was talking more about actually getting to Mars.
It's a marvel of human engineering and I think kudos to NASA right. I would agree with you there definitely, definitely from that tremendous human achievement to Carole's suggestion of all of the things which she's seen in the last week, all of the things which she's encountered, everything that she's read about. Well, Cluley, this morning. So on board with that article. Yes. Yes. Right? Sorry, I'm really, really passionate about that too.
Yes, many of us, I was going to say, including me, can't get over it. And I think you voiced exactly my feelings inside, Maria. That's exactly how I feel. And so I, therefore, cater my little baby, my old headphone jack sporting iPhone, right? Hoping it stays alive long enough for Apple to wake up and go, oh, wow, people do want a headphone jack. Anyway, I'm looking at Reddit, and this poster, RushATGC, writes that they're a student, and they had to come up with a cheap idea to be able to use headphones. Because the dual adapters are really expensive, right? They're heavy to carry, and they're not that reliable, he says, or she says. Okay. So, simple and cheap and very reliable solutions for phones without a headphone jack. You need your old wired headphones. You need a Bluetooth receiver. Okay? They run for about $10, $15. And you need a 6-inch USB-C male to micro USB male cable. In other words, a USB cable. And that's it. And that's it. Okay. Well, think about it, though. You never run out of battery on the Bluetooth receiver because you can charge it from the phone itself. Right? Battery lasts three to four days in the receiver. That's a lot better than most Bluetooth headsets. Yeah. I know I'm not saying this is better than having the old headphone jack back. Sorry, Carole. I'm just a bit confused. You got a bit technical for me, I'll be honest. Your Bluetooth receiver. So you would take your normal headphones, plug it into the Bluetooth receiver. The Bluetooth receiver interacts with your phone.
Oh, so the phone is sending the music or whatever, or hopefully a podcast from your phone via Bluetooth to the Bluetooth receiver, which is plugged into your earphones.
Yeah. Now, it's kind of a workaround. It's a workaround. They're saying it's great because it's super cheap. It's super ultra lightweight. If you look at the Bluetooth receiver, it's very small. It's an insane solution, but it costs just a few bucks, right? It's not that insane. It sounds quite sensible to me. And if you're a student, right, you don't have 150 bucks lying around. It's cheap.
And presumably, if you are the owner of a car which still requires a three and a half, you know, a little wire, a 3.5 millimetre wire to plug your phone in, and you've now got something which you can't. You could do the same thing, couldn't you? So if you don't have a Bluetooth-enabled car. That's me. Why don't you go and get one? I'm going to
Get one. I never even thought about that. Thank you very much for the idea. See, this was a great pick of the week.
Not bad. I'll let you know how I get on. It's completely free for me to complain about the lack of a headphone jack, though. It's free to complain.
Honey, I'm with you 100%. I think Graham's on this bus as well. I hate it.
Oh, I'm not buying a phone which doesn't have a headphone jack. I care more about the headphone jack than I do about the home button disappearing. That might be because we're addicted to podcasts. Possibly. But, you know, I'm pretty annoyed about the fact that Touch ID has disappeared from modern iPhones. You have to use Face ID. But the lack of a headphone jack is even worse. What's going on at Apple? Why are they so obsessed with skinniness or whatever it is? I think we know what happened at Apple.
It's all since Steve Jobs died? Really? Is that what we're...
Yeah. I think that's where she's going. Well, that just about wraps it up for another week.
Not quite, Mr. Cluley. We have special bonus content this week. We did a little cheeky interview with Rachael from LastPass. And we're going to slot that in right here. She is hilarious. You'll see. Take a listen. And thank you once again to our wonderful sponsors, LastPass. This is a special interview with LastPass's Rachael Stockton. Welcome to the show, Rachael. Thank you so much for having me.
Now, we've brought you on board because LastPass, of course, are experts when it comes to the subject of passwords. Are you an expert when it comes to passwords? Do you find your friends and family are always asking you for password advice?
Yes. You know what? I think I am an expert on passwords. I've definitely moved on from my password years ago being my dog's name, which is a whole other podcast about my dog. But also, you know, I've been using password managers now for years, and that's helped me up my password game. But one of my favorite things to do, though, guys, and if we're ever at a party, I'm totally doing it to you, is going in and asking people just small talk. You know, hey, what was your first pet's name? What high school did you go to? And then turning around and guessing what their password is. So I'm also a little bit of a magician.
Has that worked? Have you ever actually caught people out doing that?
Oh, totally. Really? Yeah, people want simple passwords. It's a huge challenge.
And I think the thing is, even if people aren't using those as their passwords anymore, they might be using those as their password reminder questions. You know, those security questions you get asked when you create accounts. So if someone wanted to break into your account, they might pretend to be you and say, oh, yes, of course I remember the name of my first pet or the first road I lived on or my mother's maiden name.
Yeah, definitely. You know, you find out that somebody's first pet, maybe the year they were born. Boom, you're into so many things right now.
Now, maybe we should get Rachael to tell us what she actually does at LastPass, Graham.
Yeah, what do you actually do? I mean, come on, it's just passwords. What is there actually to do?
Oh, my gosh, there's so much to do. So I focus on product marketing. And so what that means is really understanding what's happening out in the market. You know, what are people doing when it comes to passwords? Why are they still reusing passwords? Figuring out how we can move people to understand there are better solutions to keep them safer and trying to get that into their hands.
Do you think that password managers, does everyone know that they exist? Or do you think there's still a huge learning curve and actually introducing the whole concept to people?
Carole nails it. There is definitely still a huge learning curve to understand that there's a solution to one of the problems that sort of plagues everybody. Everybody gets frustrated when they can't remember a password. So they write it down or they use something simple. And I think the majority of people out there don't realize that there are solutions out there that literally will do this for them. They'll remove all of that pain.
If you looked at a password, right, if someone gave you some password examples, would you be able to say that's a rubbish password or that's a great password?
So in a way, yes. So for example, you know, you give me a simple dictionary word password, of course, but you give me this really complex password, if you're still using that in all of your applications, then that's a rubbish password. So it's not just the word, it's how you use it.
And how, of course, you reuse it. So you might have a really strong password, but if you're using it in more than one place... Exactly. Can you explain what the danger is there for those people who haven't quite cottoned onto that one yet?
Sure. So if you're using the same password in many different locations. So in your personal life, so let's say it's on your Facebook and your LinkedIn and all of your different retail accounts and your bank. When one of those gets breached, and I say when because we do know breaches are just going to happen. Yeah. They're going to be able to get that information. And then what those hackers end up doing is they try that username and password on all of these other sites and they're able to access that. And I think thinking about it in your personal life and the impact of that is one thing. But what we have also found is that people are reusing the same password at home and work. Yeah. People are able to find out more information about the passwords that they do have. And then they're actually able to take this to an enterprise level. Right. And so by reusing passwords in your daily life and in your business life, you're actually putting your business and company at risk, too.
And do you think most people know that they should reuse or sorry, do you think people know that they should never reuse the same password, but they're probably thinking, OK, how am I supposed to remember unique passwords for each one?
So we did this survey. So I love psychology. I love the why behind stuff. Like what's the catalyst that makes people do things? And people are like, okay, you know, 72% are saying I understand password best practices. All right, great. But almost 60% are still using the same password. So it's kind of like flossing. Like we know, we know we should be flossing. We know it. We've been told it.
So boring. Oh, it's so tedious. Oh, it's...
Oh, it's so tedious. And this dental survey, okay, so I know this is a little off topic.
You guys don't eat mango enough, that's all I'm saying, but...
So then this dental survey comes out, right, and they found out that only 30% of people actually floss every day. Yeah. And I mean, no surprise. I mean, I don't have a dentist appointment in a week. So I'm going to floss like crazy for a week. Make sure the gums stop bleeding. Yeah, it's the same thing. And it goes back to your initial question, to be honest, about do people understand that there is something that can help them with this? Being safe with your passwords can be really hard if you're trying to do it on your own. If you're trying to create that algorithm, if you're trying to keep track of it in Excel. But if you have some kind of solution that can generate it for you, save it for you and fill it for you. My God, you know, that makes it so easy.
So this is a problem that impacts not just the at home user, but also companies, right? It's on both sides.
Yeah, definitely. It impacts both. And as I said, with password reuse between business and personal, that really raises the bar to the impact your choices can be having on your organization.
So why would a company look for an enterprise password management solution rather than just rolling out a consumer version onto all of their computers?
The big one that I say is control. When you're looking at an enterprise password management solution, you really want to be able to set policies, ensure that people are managing passwords the way you want them to be able to do. And so if you have an enterprise solution, you're able to access those policies and apply them. You're also able to gain visibility. So you have a score that says, this is how well my company is doing when it comes to their password. And that takes into account things like password reuse, password complexity, the use of two-factor authentication, which is a whole episode in and of itself. Right. Yeah. And so you're able to see, okay, here are the areas for improvement and then target the departments or even the individuals to do that.
Oh, so you would be able to drill down through some sort of dashboard and say, okay, I don't know, for instance, the finance department seem to be reusing a lot of passwords. Exactly. Oh, right. And then you have to go there with a cricket bat, wallop them around the back of the head and give them some training.
Well, I mean, of course, depending on the country, we might use baseball bats here. And I'm from Boston, so it is about the Red Sox. But I'll go with you, Graham. I'll go with you with cricket.
I love the idea of password managers. And I think they're good for consumers and for businesses. But one of the responses I often get is people saying, oh, but hang on. How can you trust the password manager? You know, aren't you putting all your eggs in one basket? So you must hear that all the time. What's your response to that?
Yeah, I think... Yeah, Rachael.
Yeah, Rachael. Yeah. Come on, then. You think you're hard enough.
Yeah, it's true. I think we hear that all the time. And the key piece for our password manager, and for a lot of the other ones out there too, is we take this really very seriously. We have more than half a billion passwords. We encrypt them, wrap them in aluminum foil, put all sorts of bubble wrap around them, making sure people can't get at them. But really the key there is that with a password manager, you're given a master password, something that only you need to have and you need to remember. And that is actually the secret key that unlocks it. Even the company that has the password manager, in our case, LastPass, we can't gain access to any of that information. It's just that master password.
This is going to be my million dollar question. What happens if you forget your master password?
You know what? In enterprise, using those policies that I mentioned, that organization can help reset that. And if you're using two-factor authentication, you know, if you're an individual, then we're able to help reset that as well. But that's one of the biggest challenges still is you still have that one password that you need to remember and you want it to be a good one.
Yeah, it's the kingdom.
It is. But you know what, Carole? That's a really good point, though. I think it's very important that when we're talking about password manager and we're talking about basically those keys to the kingdom that that one master password gives you, is you have to be able to protect that with two-factor authentication. Right. I mean, two-factor authentication has come a long way, baby. We're not talking that you have to have a key fob hardware thing that you're carrying around with you all the time. You can use our two-factor. You can use your Google Auth. You can use anything, but just use something.
Because everyone these days is carrying a mobile phone around with them anyway, which can obviously run an authentication app, whether it be yours or one of the other third-party ones out there, to do this kind of job.
Definitely. There's really no reason not to.
So why are you guys better than the competition?
There's got to be something. Is there any competition, Carole?
Yeah, I think there are a few things that we hear from our end users, as well as businesses that separates us. I think the first thing really just comes down to it works. If you're using a password manager, you don't want it to go to a site and then it's not working. So this is tried, true, and we've been around for years. So when you're signing up to use LastPass, you know that it's going to work on all the different sites that you're going to. So that's number one. I think number two is really the ease of which we're able to generate complex passwords for you. And so we take even the complexity out of figuring out what's a good enough password out of that equation.
I love that feature. I totally love that feature of being able to choose a random password with lots of characters and whether they're numbers or letters or even special characters and any length. It's a really great little feature.
Because if you had to rely on your imagination, Carole, or your puny human brain.
Was that my name that you tried to barf out there?
Sorry? Then you would struggle, wouldn't you? I mean, you would struggle if you had to come up with 15 different passwords or something for those different accounts.
I would struggle coming up with them, let alone remembering them.
I've got some very good passwords, let me tell you. On the days before, I've actually found a piece of paper with some of my old passwords on it, because I very handily wrote them down. Do you want to hear some of these? Some of these are quite clever, actually. So let me in, obviously.
That was your password? There was not even a please there. I mean, what do you think you're going to get?
I'm English. It's just I feel like I have a god-given right. I've arrived into the account. I am here. Let me in. So password three which I thought was quite clever because it wasn't password one and I thought hackers would give up after password two they'd move on password three. Carole, have you got any? Do you remember any of your old passwords? No, I bet you're gonna say one of yours was...
S3x and how good is that? Oh dear god. Yeah, I now see what we're dealing with. Now, okay, so Maria, Graham is getting on in years. I'm worried about a time when he actually has trouble even using a password manager. Do you recommend for those that do have trouble, even with the simplest computer tasks, to write them down or never?
You know, I think that you're at risk if you write them down.
I know. It's so hard.
I think it is really hard. And what I actually really do... And so I have my dad, he's awesome. Hey, dad. And also has thrown more than one computer off the table so he can get frustrated. I think the great thing about LastPass is it is intuitive, but sometimes it helps to have a helping hand. So we have a lot of different videos, all of that to help people do that.
I'm imagining in the enterprise environment, there are occasions where you do need to share a password with different people. Does LastPass give you an ability to easily do that? And is that something which could also be used to, for instance, look after elderly relatives who may have more difficulty handling different accounts and different passwords?
Sharing is, on the business side, one of the primary reasons people actually start to look at password management. And when people think about sharing, they often think about sharing IT passwords or things along those lines, but it's happening all over. Marketing departments, sharing social media passwords, all sorts of tools. And think about what happens if that password is shared over email, gets in the wrong hands and then somebody's Twitter account gets hacked. And so being able to share it ensures that number one, people have access. Number two, they still don't know what it is. But let's say that somebody leaves, you don't even have to change that password. You can keep it going because they've never known what it is.
Right. So it's obviously— You're sharing access somehow. So it's LastPass itself running in, for instance, your browser on your desktop, which is filling in the password. You don't get to see it when you log into accounts, which means that you can't take it with you when you leave the company. And if you did want to reset the password, that would reset it for everybody.
Yes, it would. So you mentioned sharing it among your family and among those elderly relatives. I think that's another use case we really see, another way people are using this. No offense, nobody get mad, but sharing that Netflix password. How many times are you getting that text or that phone call? Look how apt that was with that phone ringing.
You've got your own sound effects. I'm so sorry. That was me. Was that you, Carole?
Yes! I thought it was Rachel. I was doing my own sound effects, Graham. I'm good. I'm not that good, man. She's got a cowbell. She's got all kinds of stuff. Wait, you just wait. You just wait. Yeah, I've never thought about grounding in this day and age. It must be really difficult. Just wait Graham, a few years we have to do that sort of stuff. How are you gonna—
That's the way— My wife already grounds me. What are you talking about? I don't have to wait for my child to grow up.
But being able to share the password and being able to revoke the sharing when you need to do so is quite cool. All hell is going to break out if that happens. Well, who wears the trousers in your place?
Oh, yeah. Thank you very much. Let's not go there.
Now, Rachael, can you even envision a time when passwords will no longer be necessary?
Yeah, you know, because the fact is, in my heart, I would love that to happen. Because I am lazy. And I don't want to have to worry about passwords. And I want to be able to get access before I even know I want access. So as an individual, that being said, we do need to be able to protect things that matter to us. And I think what we're probably looking at more now is less the concept of passwords going away, but more of it being layered on. So being replaced by some sort of biometric access, which really, in a way, is another password and also has its pros and cons. I mean, you can't change a fingerprint.
Yeah. Do you feel that there's a preference for fingerprints or for facial ID?
Ask me that a year ago, I would have definitely said fingerprints. Yeah. But I do think that as we look at those devices that we talked about, the phones that we literally will turn around if we have lost it and go back and be late to wherever we're going. As more and more of them are incorporating facial ID, I think you're going to see a preference there. The challenge is going to be ensuring that you have the same kind of ability to do that on your phone as you do your laptop, as you do your desktop because what people want is they want consistency. They don't want to have to do different things on different devices.
So you're not worried? You've got a job for life basically with passwords is what you think?
I think passwords and identity are going to be things that we are continually struggling with. So yeah, I'm pretty sure I have a job for life.
And you have a friend for life now. Did you enjoy being on the show?
Oh, this has been great.
Friend for life? Is that in the contract?
I think we're buds now, don't you think?
Oh, that's lovely, isn't it? Yeah, that is nice. Well, I was just—
I was thinking maybe Rachael would want to share her password now.
Yeah, you trust us, don't you?
Yep, I'll send that to you right away, Carole.
Hey, pinky square, I'll share it with no one.
Well, there we go. You're lovely, Rachael. You're very easy to speak to.
Oh, thank you so much. This is so fun.
Well, hey, Maria. What did you think of that? Wasn't that interesting to listen to Carole and me there speaking to Rachael at LastPass?
Yes, that was fascinating. Yes, you didn't actually hear it, did you?
No, I didn't. No, you didn't. Well, on that bombshell, we really have just about wrapped it up for this week. If you want to follow us, you can follow us on Twitter at @SmashinSecurity. Twitter wouldn't allow us to have a G. And Maria, folks I'm sure would love to follow you as well. What's the best way to do that? Yeah, on Twitter, Twitter wouldn't allow me to have a reasonable last name. So it's M-V-A-R-M-A-Z-I-S, @mvarmazis. And if you want merchandise like T-shirts and Smashing Security mugs and stickers and things like that, go to smashingsecurity.com/store.
Thank you for listening each and every week. We are thrilled if you like what you hear. And if you want to help us grow so we can deliver more content, all you need to do is help us get the word out. So tell your friends, wax lyrical on social media, rate us in your podcast apps. All this stuff really, really helps. Scrawl the name Smashing Security in blood on your bedroom wall. Whatever you can do to get the name out there works for us.
A Smashing Security tattoo? No?
Until next time, cheerio. Bye-bye, bye everyone. Bye. Who's that from? What's that from? I'm thinking of a cartoon character. It reminds me of Frasier. Oh my God. Wasn't she on Friends? No, it was Friends. Wasn't it Chandler's ex-wife or something? Why do I know? If only we knew someone who knew a lot about Friends, but they don't listen to the show.
Hosts: Graham Cluley, Carole Theriault.
Guest: Maria Varmazis.
Show notes:
- A new bank scam using Google Maps loophole — The Hindu.
- Google’s sorry that this crudely offensive image of the Apple logo turned up in Maps — The Washington Post.
- ‘Edwards Snow Den’ infiltrates the White House on Google Maps — The Washington Post.
- The FBI Created a Fake FedEx Website to Unmask a Cybercriminal — Motherboard.
- what3words | Addressing the world.
- When the FBI rather than the fraudsters make a fake FedEx website — Graham Cluley.
- Fingerlings — YouTube.
- Lawmakers introduce bill to stop bots from ruining holiday shopping — CNET.
- The Internet Arcade.
- Alley Cat — The Internet Arcade.
- On November 26th, a mole will land on Mars — The Oatmeal.
- Why did Apple remove the iPhone headphone jack? — Fast Company.
- A simple, cheap and very reliable solution for phones without headphone jack — Reddit.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.