
088: PayPal’s Venmo app even makes your drug purchases public

July 25, 2018
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
SCOTT HELME
Newsflash, newsflash.
GRAHAM CLULEY
Last chance to vote for Smashing Security in the Podcast Awards. Vote for Smashing Security in the People's Choice and Technology categories by visiting smashingsecurity.com/vote.

Do it before the end of July, if you know what's good for you.
SCOTT HELME
I'm not sure why Graham doesn't have a zip on his pants. What am I missing?
CAROLE THERIAULT
He calls them trousers.
SCOTT HELME
Yeah, but trousers still have zips.
GRAHAM CLULEY
Yeah, trousers do, but I don't have a zip on my underpants.
CAROLE THERIAULT
Bit hard on the pubes.
Unknown
Oh, that's the explicit tag again. Smashing Security, episode 88. PayPal's Venmo app even makes your drug purchases public. With Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 88. My name's Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault.
GRAHAM CLULEY
And Carole, we are joined today by a returning guest. We have in our midst the half man, half cyborg, Scott Helme. Hi Scott, welcome back.
SCOTT HELME
Hey everyone.
CAROLE THERIAULT
Hello everybody.
SCOTT HELME
Hello, my name is Scott.
GRAHAM CLULEY
How are you coping with your implant? Is your implant well?
SCOTT HELME
It's going well, yes.
GRAHAM CLULEY
Is it behaving itself?
SCOTT HELME
Yeah, I think we should clarify what it is for people that may have not heard the prior article though.
CAROLE THERIAULT
Okay, go, go, go, tell them.
SCOTT HELME
I know, let Graham do it, 'cause Graham loves talking about this so much.
GRAHAM CLULEY
He loves talking.
SCOTT HELME
I just feel I don't want to take this away from him.
GRAHAM CLULEY
It was about a year ago, you were with the guys from BBC Click in Las Vegas at the security conferences out there.

And you volunteered to have one of these, was it an RFID chip plugged into your—
SCOTT HELME
NFC for mine.
GRAHAM CLULEY
NFC plugged into you for a wide variety of helpful uses. And well, you've been having a splendid old time ever since, haven't you?
SCOTT HELME
Yep. It's actually really good.

I've got this little gizmo that one of my Twitter followers sent to me, and it's kind of, you know, you can have a smart card reader to unlock your computer when you sit down.

Yeah, well, it does that, but for the chip in my hand. So now I can sit down at my PC and just go boop and unlock it without having to type anything in.
CAROLE THERIAULT
Does it ever itch? Do you ever feel it? The nub inside your skin?
SCOTT HELME
I mean, yeah, you can totally feel it because if I just poke it, I can see it stick out the other side under the skin.

So it's kind of a miniature tiny alien trying to burst out from underneath. Yeah.
CAROLE THERIAULT
Yum. Yeah. I'm lining up to get one. Alien baby. Hey, Graham.
GRAHAM CLULEY
Hey, Carole.
CAROLE THERIAULT
So you run your own business, right?
GRAHAM CLULEY
I do. Yes.
CAROLE THERIAULT
I run my own business. Yes. And how many different applications and services and software pieces do you need to buy or rent in order to run a business like ours in the technology space?
GRAHAM CLULEY
Scores, if not hundreds.
CAROLE THERIAULT
It would be physically impossible, would it not, to remember unique passwords for every single one of those apps, let alone your personal life and all the stuff you have there, all the chess and Doctor Who stuff you have.
GRAHAM CLULEY
Not completely impossible, because if your password was DoctorWho1 or Chess2, if you made— so you could have unique passwords.

They wouldn't be very good passwords though, would they?
CAROLE THERIAULT
Yeah, so you're recommending that people have crappy passwords? No. Or should they use a password manager like LastPass?
GRAHAM CLULEY
They should use a password manager like LastPass.

I think all businesses have got to, really, because otherwise your employees are going to choose sloppy, rubbish passwords, and you're going to get lazy yourself and use the same password for different accounts.

Horrendous. So you want central control of everyone inside your business and how they're using passwords and properly manage it.
CAROLE THERIAULT
Check out lastpass.com/smashing.
GRAHAM CLULEY
I don't think you need to say forward slash. Anyone who's listening to this knows which way the slash goes.
CAROLE THERIAULT
You're probably right.
GRAHAM CLULEY
Guys, many of us these days have Google accounts, don't we? Whether it's YouTube or Gmail, you know, it's very hard actually to be on the internet without Google, isn't it?
CAROLE THERIAULT
It is. There's loads of experts out there trying to tell you how you can get around it, but it's very difficult these days.
GRAHAM CLULEY
And I would hope as security professionals, which you both are, that you have both enabled two-step verification on your Google account. Have you done so or not?
CAROLE THERIAULT
LastPass.
GRAHAM CLULEY
Oh yeah. Excellent. Well done.

It's good that you've done that because according to Google's own reckoning, they said earlier this year that less than 10% of Gmail users have turned on two-step verification.
CAROLE THERIAULT
Seriously?
GRAHAM CLULEY
Yep.
SCOTT HELME
That's shocking, isn't it?
CAROLE THERIAULT
Yeah. I'm shocked.
SCOTT HELME
That's terrible.
CAROLE THERIAULT
I would have thought at least a quarter.
GRAHAM CLULEY
Really? As many as a quarter? Well, you just have to think of how many hundreds of millions of people must have Google accounts.

So in some ways, less than 10%, you know, isn't bad if it's closer to 10% than zero.
SCOTT HELME
But still though, that's—
GRAHAM CLULEY
It is disappointing.
CAROLE THERIAULT
But if that were the case, why is it the people with two-factor authentication actually get hit?

If the 90% of people don't have two-factor authentication, surely there's enough fodder out there for hackers to focus on them instead of, you know, those with two-factor authentication.
GRAHAM CLULEY
Well, yeah, and I think they are focusing on one of the main victims, as we were discussing last week with the Russian hacking of the Democrat Party, was John Podesta, the chief of staff for Hillary Clinton's campaign.

If he had had two-step verification in place, chances are that the hackers would have found it much, much more difficult to break into his account.

Doesn't mean it's necessarily impossible, but it would have been more difficult. Now, Google this week has said that it has done something really rather extraordinary.

It has prevented any of its 85,000 employees being phished for an entire year. Not one of them has had their account taken over through phishing.
CAROLE THERIAULT
Now that's interesting.
GRAHAM CLULEY
And it is.
SCOTT HELME
And, but at the same time, it is kind of like, this really shows the power of two-factor authentication that we know that it has.

So it is kind of like, that's super awesome and it's an amazing stat, but it's like, this is why we push it, right?

It's just solidifying the thing that the security geeks have been saying for a long time.
CAROLE THERIAULT
Two-factor authentication can't be responsible for 100% of no one getting phished.
GRAHAM CLULEY
I think we need to be a little bit careful about our terms here, because there's two things.

There's two-step verification or 2SV, which it's sometimes known as, which is when maybe you have an authentication app on your phone.

So when you're trying to log into an account, it also sends you a number. Sometimes that's sent via SMS as well.

And there are issues there potentially where an SMS can be intercepted. And pure, really good two-factor is a second factor, which means an entirely different object.

And what Google has done is it's got all of its employees using what is known as Advanced Protection, a feature which is open to everybody, but which Google thinks is particularly important for those who are especially at risk, such as journalists, high-profile celebrities, top security podcasters, individuals in abusive relationships.
CAROLE THERIAULT
So basically people that are more likely to get phished because of their audience or their celebrity.
GRAHAM CLULEY
Well, it's not just those, or people who maybe work in business who may be thinking, you know, my account is so—
SCOTT HELME
Or people with viable Twitter accounts so they don't tweet out crazy things.
GRAHAM CLULEY
Right. Exactly. So you might want this additional level of protection. So what Advanced Protection does is it demands that you have a physical security key.

The most famous one is, of course, the YubiKey from Yubico. This can be a wireless-enabled key, which means it can connect to both your computer and mobile devices.

So it doesn't matter if your smartphone doesn't have a USB port. And basically it disables all that regular two-step verification, which we would recommend most people enable.

But if you want this higher level of protection, when you try to log into your Google account, you've actually got to put your thumb on this physical device and then it goes blup, blup, blup, and that will actually log you into the account rather than having to have a number sent to you via SMS or via an authentication app.

So it's a pretty neat feature.

And I think Google, by making all of its employees do it, because of course they don't want to be compromised, they don't want to be the next Yahoo, for instance.
SCOTT HELME
It's not a good look, is it?
GRAHAM CLULEY
It's not a good look at all. And so they've given them all physical security keys. Now, of course, it's not all roses.

These physical security keys, not everything is fantastic about them. Now, there are caveats.

So if you want to sign up for Google Advanced Protection, which is free, you'll still have to buy one of these little keys from a company like Yubico, but it comes at a price.

So you won't any longer be able to use third-party apps to access it.
CAROLE THERIAULT
I was just going to ask if they changed that. So it's still the case? No third-party apps.
GRAHAM CLULEY
Well, there are a very small number of third-party apps which will allow you to access some of your Google services.
CAROLE THERIAULT
What about Apple native mail?
GRAHAM CLULEY
So you can now, I believe, originally when they brought this out, I believe that you had to use Google's mail app to use this, the Gmail app or the Inbox by Gmail.

I believe you can now use Apple's iPhone mail app as well if you want to. But there's many apps which you can't use. So for instance, I use a particular client for my email.

It simply will not work with Google Advanced Protection, and Thunderbird won't work either. And many—
SCOTT HELME
You can't just create an app password for your Gmail account?
GRAHAM CLULEY
You can with regular two-step verification, but you can't with this additional level of protection, these physical security keys.

So Google is saying, hey, we are taking security seriously now.

We are gonna lock down some of the benefits which you've had before and say for proper protection, you are basically— they want people to use their apps.

And you should forget about using anything other than Chrome or Firefox browsers to sign in to Google's online services as well, because they're not going to be available to you.
CAROLE THERIAULT
And I guess them saying 100% of our employees have not been phished is a good marketing campaign, really.
GRAHAM CLULEY
Well, I don't know that they're necessarily doing this for the marketing kudos.
CAROLE THERIAULT
Okay. As a nice healthy sideline.
GRAHAM CLULEY
I think they just don't want people being hacked because it looks bad. And so they would like people who are vulnerable to be using these kinds of protection.

There are other issues as well, of course, your physical security key. What are you gonna do if you lose it?

Google says, look, if you lose it, we are gonna make you jump through so many hoops. It may take you a few days to regain access to your accounts.
CAROLE THERIAULT
That's my big fear. I mean, God, I've lost my engagement ring in the last month, right? And I haven't found it anywhere. So yeah.
SCOTT HELME
And is your partner just finding that out now?
CAROLE THERIAULT
No. When we publish the show, he might. It'll be a test to see if he listens.
GRAHAM CLULEY
Yes. That's a good one, isn't it? Hello, darling. I haven't put the bins out. But I think for many people, they'd find it too restrictive for use on their everyday accounts.

And you know, that's going to be a nuisance because a lot of people do want to use third-party apps in conjunction with their email or data held on Google Drive, for instance.

But it's good to see Google offering this for people who need it. So I think, well done.
CAROLE THERIAULT
Sorry, Graham. Is this a good news story? Well, holy moly.
GRAHAM CLULEY
The good news is Google have had a success. The bad news is many other organizations won't follow in their footsteps who maybe should have done.

And at the moment, as we said, less than 10% are even using the barest two-step verification to prevent themselves from being phished.
CAROLE THERIAULT
Yeah. Yeah.

This is a very good idea for companies as well that feel targeted or are carrying very sensitive information, because something like 90% of successful attacks have some component of social engineering in them.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Which is likely to include something of a phishing nature. So it's a good idea.
GRAHAM CLULEY
And bear in mind that even if you think you wouldn't be targeted by hackers in your particular organization, you may have clients who are of interest to them.

And so increasingly we see malicious hackers who will hack into the soft underbelly of one company in order to try and infect other larger, more obvious targets.

That's often the way.
SCOTT HELME
A lot of people do that and kind of underestimate their value.
GRAHAM CLULEY
Yeah. So, Google Advanced Protection, check it out. May not be for you, but at the very least, please enable, as all three of us have, two-step verification on your Google accounts.

It makes a lot of sense.
CAROLE THERIAULT
You can call it two-factor too, can't you? Hmm?
GRAHAM CLULEY
You can call what two-factor?
CAROLE THERIAULT
Two-factor, two-step, two-factor, two-step.
GRAHAM CLULEY
Carole, I will, I will point you to the—
CAROLE THERIAULT
Potato, potato.
GRAHAM CLULEY
I will point you to the article which explains the difference.
CAROLE THERIAULT
I believe everything I read.
SCOTT HELME
And it's— so this is kind of like, I see Graham's point here. And I've had this discussion actually with Troy, who I work with.

And it's like, yes, 2SV and 2FA are like these two technically separate things.

But do you think for the benefit of the kind of, you know, just the average user that we— the distinction doesn't help. And I think 2SV or 2FA—
CAROLE THERIAULT
Thank you, Scott. I agree 100%.
SCOTT HELME
Kind of sound a little bit further away. I've tried to think of a way to describe these without being technical. And the best that I've come up with is double check.

It's a double check when you log in that it's definitely you.

You know, and it's like, could we just do with a more friendly term that doesn't make it sound like some horrific acronym of scariness?
GRAHAM CLULEY
That's a great, yeah, why not?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Because I'm sure you're not the sort of person who would bamboozle us with acronyms and four-letter abbreviations and things like that, would you?
CAROLE THERIAULT
Okay, Scott, you must have a story this week. Please save us.
SCOTT HELME
I do. So I'm super excited about it, and it's actually the day that we're recording as well. Chrome version 68 has been released.

So if you're here in the UK where we are— What are you laughing at? Are you laughing at my excitement of a browser?
CAROLE THERIAULT
Called number 68. Yeah.
SCOTT HELME
Okay. Chrome version 68. We've got to be specific. It's coming out today in the UK.

It'll be available from 6 PM onwards, so everybody can rush and update their browser to get the latest version of Google Chrome. I know it's high on everybody's priority list.
CAROLE THERIAULT
Are you going to tell us why we should? I want to hear why we should.
SCOTT HELME
So I'm sure they did lots of other really cool updates, but there's really only one that I care about.
CAROLE THERIAULT
Okay.
SCOTT HELME
It's that they are now changing the UI indicator in the browser.

So if you do the update today, and then you go to an HTTP website, it will say "Not secure" in the address bar all of the time.

There's already been some situations where it might have said that, like if there was a password or a credit card input field, but now it will just say it all the time on all HTTP websites forever.
CAROLE THERIAULT
I am really actually excited by that.
SCOTT HELME
I think that's a great—
CAROLE THERIAULT
I really am, because I was writing a story just this week for a client and it was a really nice piece of research that someone had put together, 1,000 pages wide.

So we're talking a serious amount of work went into putting this together, this big piece of report. And I wanted to see the report and it was on an unsecured website.

And loads of journalists had quoted and put links to it. And it was just an HTTP. And it's all about cryptocurrency. So I couldn't understand why that was the case.
GRAHAM CLULEY
No.
SCOTT HELME
Yeah. We've got to—
CAROLE THERIAULT
So that's good. You're saying in the new version of Chrome 68, it'll say in red, you know, not secure. LastPass.
GRAHAM CLULEY
Oh no, no, no, no, no, no.
SCOTT HELME
It's in gray today. It's not red yet. So it will put the gray one there all the time.
GRAHAM CLULEY
It will be in red, I think it's later this year, isn't it?
SCOTT HELME
No, I really don't think that we'll get that. Yeah.
CAROLE THERIAULT
How come?
SCOTT HELME
Because it's a very progressive thing. We're making steps towards encrypting the web and I don't think the browser can just flick their UI from one end of the spectrum to the other.

And they're quite rightly taking many small steps as the web evolves. So today they're bringing in the gray not secure indicator for all HTTP sites.

And then later this year, the change they're bringing in, do you know when you get the green padlock and it says secure on secure connections?

They're taking away the word secure later this year.

So what they're doing is they're pulling back the green and the positives and all the good ones, and they're introducing more information about when things aren't secure.

So they're flipping the model around.
GRAHAM CLULEY
Mm-hmm.
CAROLE THERIAULT
Really slowly. So you can't— so it's kind of comfortable.
SCOTT HELME
Yeah, exactly. You know, people are like the vast majority of people are kind of averse to change anyway.
CAROLE THERIAULT
Graham, do you think that's true?
GRAHAM CLULEY
So the hope is that we will get to a situation where the norm will be that they're not really giving you any information at all about the security of the website unless there is a problem with the security of the website.

So the normality, we hope, will be HTTPS. Sorry, there's another 3 or 4 or 5 letter acronym, which is the one which we're looking for, of course.

But the alert will be, uh-oh, they're using an unencrypted connection. And so potentially there could be man-in-the-middle attacks going on.

There could, if you enter information on the webpage as well, it could be something which has been intercepted.
SCOTT HELME
Exactly.
CAROLE THERIAULT
Do you guys know of any plugin that would prevent a visitor from, for example, me working too quickly and clicking on a site that isn't secure, that would actually prevent me and put a big bold alert up saying, you know, Carole, watch out.
SCOTT HELME
So something to just stop you going to HTTP sites altogether.
CAROLE THERIAULT
Yeah. Giving you a warning. You could maybe override it if you chose to, but it would certainly—
SCOTT HELME
I've not seen that, but what you could do if you do use Chrome as your main browser.

So if you go to Chrome, there's a special flags page and you go to the address bar and do chrome://flags.

Inside there, you can actually turn on the big red scary warning for HTTP pages.
CAROLE THERIAULT
Oh, what a cool thing. I'm looking for it right now.
GRAHAM CLULEY
This is like a glimpse into the future, Carole.
CAROLE THERIAULT
I love Scott Helme. I love when he's on the show.
SCOTT HELME
All of these features are already built into Chrome. All of the changes they're going to make are already there. They're just not enabled yet.

But you can go turn them on in that special page. The one you're looking for is mark non-secure origins.

So if you just put mark in the search box, it should be one of the two that pop up.

Yeah, you have to restart your browser to apply the changes, but you can mark HTTP as actively dangerous and then you will get the big red scary warning.
CAROLE THERIAULT
Yeah, I've just done that. I've just done this.
GRAHAM CLULEY
This Chrome flags thing, as I remember, it is a bit nerdy in there, isn't it?
SCOTT HELME
Yeah, it's a little bit—
GRAHAM CLULEY
No, Carole, I'm just thinking of some of our listeners.
CAROLE THERIAULT
It says here, allow invalid certificates for resources loaded from localhost HTTP. And you say disable or enable them.
GRAHAM CLULEY
Yes.
SCOTT HELME
So there are lots of different flags in there.
CAROLE THERIAULT
There's a lot of them.
SCOTT HELME
Yes. The two that you want to look at are mark non-secure origins and then simplify HTTPS indicator.
CAROLE THERIAULT
Yeah.
SCOTT HELME
So those are the two things that are coming throughout the rest of this year and into next year.
CAROLE THERIAULT
They give you quite a lot of flexibility under mark non-secure origins.
SCOTT HELME
Yeah. So in fact, you can—
CAROLE THERIAULT
Enabled and mark as actively dangerous or mark with a not secure warning.
SCOTT HELME
So that's where we're going today. Mark with a not secure warning will become the default today in Chrome 68.

That will leave only one left, mark actively dangerous, and that I think might come next year.

So we've actually already gone most of the way through that list, and mark actively dangerous you can enable yourself now manually, and we will hopefully have that by default in 2019.
GRAHAM CLULEY
So Scott, I am imagining that this changed behavior in Chrome is going to be universally welcomed.

Everyone is going to be delighted that web pages are now going to be, if they only use an HTTP, are going to be marked as not secure. Is that right?
SCOTT HELME
Oh, I can send you some copies of my fan mail to prove that.
GRAHAM CLULEY
So what has the reaction been?
SCOTT HELME
To be honest, you know, I think that most people will wake up tomorrow. I mean, certainly UK time, because it comes out 6 PM local in the UK.
CAROLE THERIAULT
It's going to be more exciting than Christmas, I tell you.
SCOTT HELME
Most people will wake up tomorrow morning like excited little kids and open up their websites, and I think it will come as a surprise to a lot of people.

I think this will probably still come as a surprise to more people than it won't come as a surprise to.
GRAHAM CLULEY
Well, and that's what I'm expecting.

I'm expecting some websites to be mightily pissed off because they may have users saying, "Whoa, how come your website's no longer secure?" I just think our answer is about frickin' time, dudes.

Well, maybe it is, but there's going to be some fallout from this, isn't there?
SCOTT HELME
I mean, I don't think we can get away from that. And, you know, looking at the situation, Chrome have advertised this very widely.

If you subscribe to things like Google's Webmaster Tools, they've emailed people and site operators to say, hey, you use Webmaster Tools and we've noticed you don't have HTTPS.

By the way, this change is coming. It's been on the Google blog, the developer blog, the security blog.

I think they've done more than a reasonable amount of effort to try and communicate this change, but at the same time, communicating that to everyone is probably an impossible task as well.

So the sites that care should be keeping themselves abreast of upcoming changes in the world's most popular browser.
GRAHAM CLULEY
Well, that's the thing, isn't it? There may be some websites which simply don't care and they're going to be the ones who kick up a fuss about this.

But this is, although this is with Chrome this week, I think in the coming months and, you know, next couple of years, I would expect all of the major browsers to be following probably in Google's footsteps with this.

So it is kind of inevitable that websites, you know, if they don't want their users complaining, they've got to fix this.

And it has of course, security benefits, both for the website administrators and for the people who are visiting their web pages too.
SCOTT HELME
It is something that we need to do for sure.
CAROLE THERIAULT
Well, good. I'm very pleased with that story. I'll let you know how it goes down.
SCOTT HELME
So Chrome 68.
GRAHAM CLULEY
Are we so far? Are we on two good stories? Two just good news security stories this week?
CAROLE THERIAULT
Yeah, great. Because that means I don't have to work too hard.
GRAHAM CLULEY
Carole, what's your topic?
CAROLE THERIAULT
I want to talk about Venmo. So Venmo is a mobile payment app powered by PayPal, and it lets one user transfer a nominal amount of money to another user.

Basically, it's like a bank card or a debit card, but it doesn't actually require a card reader. Plus, you can track all your spending in your app, right? So it's all good.

Graham, you may not have heard of Venmo.
GRAHAM CLULEY
I haven't heard of it.
CAROLE THERIAULT
No, it's only USA-based, so that's maybe why. Now, it is big, big money. Apparently, Venmo's handled $12 billion worth of payments in 2018.

Venmo has an 80% year-on-year growth, a CEO's dream. It's almost like our growth, isn't it, Graham?
GRAHAM CLULEY
In terms of listeners, absolutely. Yes, absolutely.
CAROLE THERIAULT
Yeah, absolutely. Anywho, last week Bleeping Computer reported about an independent privacy researcher named Hang Do Thi Duc. I hope I said that correctly.

Now she published her findings based on the glut of data available from Venmo's public API.

The privacy problem here is Venmo makes its transactions public by default, and there is identifying information in here.
GRAHAM CLULEY
Oh, what?
CAROLE THERIAULT
Yes, I know. We're gonna have a really big chew on the fat in a second. There's 200 million public transactions that were performed last year.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
And it's up to the user to change the setting from public to private.
GRAHAM CLULEY
So by default, it's public.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
Oh, so boring. Once again.
CAROLE THERIAULT
Sorry, sorry to bore you. Go to sleep, but I'll keep our fans, our listeners interested.

So it seems our researcher Hang is not a fan of Venmo's privacy policy and has built this rather cool data aggregate site full of tidbits on the spending habits for Venmo's users.

And it's all to raise awareness of this default setting, which is stupid, and getting people to move it to private.

So if I can get you guys just to click on the links, that's publicbydefault.fyi.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
You're gonna see lots of information they were able to gather.
SCOTT HELME
I see.
GRAHAM CLULEY
I'm glad I wasn't Rickrolled. It's normally what happens when I click on your links. Okay.
CAROLE THERIAULT
I was good this time.
GRAHAM CLULEY
All right. What is this? There's a lot of smiley faces. What? This is a crazy—
CAROLE THERIAULT
So stop at the third page. You can actually click on this link to see the latest transaction on Venmo.

And it's showing you above a screenshot of all the information that's publicly available.

This includes people, username, picture, often from Facebook, first names, last names, the date the transaction was created, the message that they sent between two individual users.

And they've known about this since at least 2016.
GRAHAM CLULEY
This is insanity.
SCOTT HELME
I mean, it's 2018. How could someone think that that was a good idea ever?
CAROLE THERIAULT
Hang was able to establish that Venmo was used in the States for 2017 for 3 million transactions involving pizza delivery. 100,000 have used it for transport.

People define their payments in cute ways, right? So some people say use emojis.
GRAHAM CLULEY
I always knew emojis would be the end of civilization as we know it.
CAROLE THERIAULT
Almost 2 million users have their Facebook IDs attached to their usernames.
GRAHAM CLULEY
Oh, that's a good idea.
CAROLE THERIAULT
Right? And 18.5 million Americans have performed public transactions in 2017.

So this information that Hang's put together is quite interesting and it protects you, the individual user.

It's really trying to alert us to the fact that, hey, Venmo, this is not cool that you're leaving this open by default.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
On the other hand, someone else by the name of Joel Guerra posted an article on Medium explaining— and I'll give you the title, actually— Why I Blasted Your Drug Deals on Twitter.
GRAHAM CLULEY
Attention-seeking. Yes.
CAROLE THERIAULT
Which is quite an interesting title.

So as you dig in, it turns out that completely unrelated to Hang's work, he also looked at the public API and wanted to do something creative to point out the lack of privacy here.

Now, let me just read from his blog post.

He says, "I already run a squad of Twitter bots doing harmless things like giving users the contact information for their members of Congress upon request.

So another Twitter bot was the natural choice."

He says, "I slapped together 70 lines of code and made a new Twitter account and let it run. It was automatically tweeting the names and profile pictures of users making drug transactions on Venmo." Bet everyone loved that.
SCOTT HELME
Is there a category that says drug transaction true in the API?
GRAHAM CLULEY
When you buy drugs via Venmo, you tag it as being a drug transaction.
CAROLE THERIAULT
What he did is he used known terms that kind of like marijuana and, you know, Mary Jane and knew some of the terms and some of the emojis used.
SCOTT HELME
You seem to know a lot of them. What's some more of them, Carole?
CAROLE THERIAULT
I don't know. I was looking it up this morning.
SCOTT HELME
Oh yeah, okay.
CAROLE THERIAULT
As I was smoking a big spliff. Can you imagine? Okay, so hold on, hold on.

So he says, "I chose drugs, sex, and alcohol keywords as the trigger for the bot because they were funny and shocking." And he says, and this is the bit I love, "I removed the last names of users and their pictures because I didn't want to actually contribute to the problem of lack of privacy."
GRAHAM CLULEY
No, he hasn't contributed to the problem at all, has he? No.
CAROLE THERIAULT
So this of course got tons of attention, right? This guy is a guy with like— I don't know how many Twitter followers he had before this, but he now has 1,000.

So he says it exploded, and he was getting media queries from people like Vice and all kinds of people.

And he basically turned it off after 24 hours, which makes me think that despite his comments saying that actually he had lots of positive feedback and it was generally received with love, hmm, I'm not sure.
GRAHAM CLULEY
Well, basically every drug dealer in the United States would be looking for him, presumably, because he could potentially be ruining their customer base.
CAROLE THERIAULT
You know, if I were buying aspirin off a friend, I mean, why would I do that?
SCOTT HELMEE
Is that what the kids are calling it these days?
GRAHAM CLULEY
Well, hopefully if they're your friend, they just give you an aspirin.
CAROLE THERIAULT
Can I buy an aspirin off you? Hopefully your friend will go—
GRAHAM CLULEY
Now you've said this, Carole Theriault, now you've said you're prepared to pay. Next time you've got a migraine, I'll say, well, sorry, 75 pence.
SCOTT HELMEE
My brain's doing this kind of usual evil idea thing, right? So let me just make sure.

So we both sign up for this app and then we send each other some money and we can leave a comment and this comment comes up in the API.

So— Why don't we just keep sending each other 1 cent backwards and forwards and then we could just keep spamming the API and just Rickrolling it with loads of crazy comments or something.
CAROLE THERIAULT
Listeners, Smashing Security does not advocate that anyone does this.
SCOTT HELMEE
I'm just trying to think of ways that we could have some fun with this.
CAROLE THERIAULT
Do it at your own risk.
GRAHAM CLULEY
Yeah, so what's Venmo saying about all this?
CAROLE THERIAULT
Venmo are staying very schtum as far as I see so far. Of course, by the time we publish, this may be different. But here is a little bit of advice.

If you are a Venmo user, there is a built-in passcode and fingerprint access on the app, but these are turned off by default. Don't ask.

So it's up to you, the individual, to go in and protect your own data.

On the Venmo website under security, it says to add a layer of security to your Venmo account, set up multifactor authentication and add a PIN code in the app.
GRAHAM CLULEY
But hang on, this is just about your access to your account. This doesn't make any difference to the information being in the public API, does it?
CAROLE THERIAULT
It also, on the security page, makes this huge song and dance about how everything is encrypted.

So I don't understand how they have all this encryption, yet the API is sending out all this information and making it available for anyone who wants to play with it.
GRAHAM CLULEY
But somewhere in the app itself, you can turn off your— you can turn privacy on or something?
CAROLE THERIAULT
You can apparently in the app. I can't use the app because I'm Canadian.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Not being in the US.
SCOTT HELMEE
Wait, that's America, right?
CAROLE THERIAULT
That's right, Scott. Canada is part of the US. So no, you can go to privacybydefault.fyi and on the site, Hang has put all the instructions to change your Venmo setting.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
For transactions to be private rather than public.
GRAHAM CLULEY
Okay. That's really what people need to do, don't they? If they're using this app, they've got to turn off that sharing of that data.
CAROLE THERIAULT
Well, yes, and be careful because people don't have PIN codes.

Some guy on Reddit was saying how he'd lent his phone to, you know, someone he knew but not a friend, and he basically paid himself money. And he didn't notice till the next day.

So, yeah. No, you can't borrow my phone, Mr. Cluley.

And to quote a friend, Lisa Vaas, friend of the show who's been on before, she wrote an article about this and she says, "Advise your friends to zip up their Venmo pants." So I'll echo that.
GRAHAM CLULEY
Can I just point out, being British, I don't have a zip on my pants. That would be very, very dangerous indeed.
CAROLE THERIAULT
Okay, so Graham, just for you and for your English friends who don't wear pants on the outside, why don't you zip up your Venmo sports slacks?
SCOTT HELMEE
I'm not sure why Graham doesn't have a zip on his pants, and I'm English. What am I missing?
CAROLE THERIAULT
He calls them trousers.
SCOTT HELMEE
Yeah, but trousers still have zips.
GRAHAM CLULEY
Yeah, trousers do, but I don't have a zip on my underpants.
CAROLE THERIAULT
They're harder than pubes.
GRAHAM CLULEY
That'd be— oh, shut— That's the explicit tag again.
SCOTT HELMEE
Oh, so Graham's recording this in his underpants is where we arrived at.
CAROLE THERIAULT
You imagine he looked down and went, oh, I didn't see that.
GRAHAM CLULEY
At this point, I think we need to look forward to something else.
CAROLE THERIAULT
Hey Graham.
GRAHAM CLULEY
Hey Carole.
CAROLE THERIAULT
Hey Graham. LastPass has this automated password generator, so no more do you have to sit there and dream up silly long passwords that mean nothing to you.

You can just press a button and presto, you've got a 25-character, 50-character password that's impossible to guess. Yes.
GRAHAM CLULEY
Will it put all kinds of crazy characters in?
CAROLE THERIAULT
You can choose to put them in or not, depending on the website, because some websites don't let you do the crazy characters, do they?
GRAHAM CLULEY
Blinking websites which don't allow you to have decent passwords.
CAROLE THERIAULT
Ah, grumble, grumble. Check out lastpass.com/smashing.
GRAHAM CLULEY
I'm glad you said slash that time.
CAROLE THERIAULT
You're welcome.
GRAHAM CLULEY
And welcome back. Can you join us at our favorite time of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
SCOTT HELMEE
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.

It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Should not be.
GRAHAM CLULEY
And my Pick of the Week this week is a TV show which I've been watching, and I think it's just finished. I don't know if it airs in the States as well as in the UK.

I've been watching it on BBC iPlayer, and my reason for bringing it to your attention right now is that the first episode is going to disappear off BBC iPlayer very, very soon.

The program is called Reporting Trump's First Year: The Fourth Estate, and it is a fascinating fly-on-the-wall documentary following the New York Times during, of course, the first 12 months of Donald Trump's presidency.

And it starts at the beginning of his presidency. Turns out there was quite a lot to report on and quite a lot of goings-on.

And it is fascinating to anyone, whatever side of the political fence you may stand on.

Anyone who's interested by the fractious relationship between the media and politics, not just in the States but all around the world, I would really recommend it.

It doesn't just follow the Trump story, follows as well Harvey Weinstein and the accusations of his unpleasant sexual shenanigans.
CAROLE THERIAULT
Just something I just decided to look up, right? So they started— what that was, that started right after his presidential election, right?

So November, November 17th, that's when that happened.
GRAHAM CLULEY
Yeah. I don't know when the documentary actually starts, but yes. So around that point, that sort of triggers it. Yes.
CAROLE THERIAULT
If you go look at the New York Times stock price, right, it's gone up almost in line with Trump's candidacy and ascent to power.
GRAHAM CLULEY
Hmm.
CAROLE THERIAULT
Hmm.
GRAHAM CLULEY
Well, there's a lot of people now who are more interested in the news than ever, and many people are supporting the media and choosing to buy subscriptions, for instance, to the digital versions or to the websites, because they view that the media are under attack.
CAROLE THERIAULT
Yeah, that makes sense.
GRAHAM CLULEY
I get that. So it's a great documentary, really recommend it.

It's fascinating to see the newsroom in operation, and you see people that you may recognize, the names of people like Maggie Haberman, for instance.

Every time she gets in the car, her phone is ringing from her secret sources, giving her information as to what the new thing is that's happened at the White House.

It is fascinating.
CAROLE THERIAULT
You've been telling me about this for weeks, and I— it is on my list, and I will watch it this evening.
GRAHAM CLULEY
You've got to watch it soon before it disappears off iPlayer. We will put a link into the BBC iPlayer in the show notes as well.
CAROLE THERIAULT
Good pick, Graham.
GRAHAM CLULEY
Thank you very much, Carole. And Scott, what's your pick of the week?
SCOTT HELMEE
My pick of the week is security related. It's a website. I know, right? Everyone's heard so much about this.

It's a website that I've kind of been working on with another researcher called Troy Hunt.
GRAHAM CLULEY
Have you never heard of him?
SCOTT HELMEE
Never heard of him. He's the Australian version of me. So he speaks funny and isn't as good looking.
GRAHAM CLULEY
I'd agree with that.
SCOTT HELMEE
It's a website that we kind of jointly built together called whynohttps.com.
CAROLE THERIAULT
Ah, doesn't that fit in well with everything we talked about?
GRAHAM CLULEY
Is this website protected itself with HTTPS?
SCOTT HELMEE
Of course, because all websites need to be protected with HTTPS.
GRAHAM CLULEY
Just checking.
SCOTT HELMEE
Some people may be familiar with the Alexa ranking, not the smart home personal voice assistant thing, but the Alexa ranking ranks websites around the world, and they produce this list called their top 1 million every day.

So it was the biggest 1 million websites.

And what I do is I crawl through them all with my fleet of crawlers on the interwebs every day, and I look at which ones are using HTTPS and which ones aren't.

This website is the list of the largest websites that don't do HTTPS yet. So if you go to whynohttps.com and scroll down, you can see the top 100 websites that are not doing HTTPS.

Tut, double tut. This is shocking.
CAROLE THERIAULT
Some of the names here are shocking.
SCOTT HELMEE
I know, right?
GRAHAM CLULEY
And you've also split them by country as well, haven't you?
SCOTT HELMEE
Yeah. So if you zip past the list of 100 down at the bottom, you can then look at the top 50 on a per-country basis.

So if I just zip down here and let's go to GB or Canada, you can see the top 50 in your country that don't do HTTPS by default.
CAROLE THERIAULT
Royal Bank?
GRAHAM CLULEY
Here in the UK, the highest ranked website, which is not using HTTPS.
SCOTT HELMEE
Don't say it. Don't say it.
GRAHAM CLULEY
I'm going to.
SCOTT HELMEE
Don't do it.
GRAHAM CLULEY
Yeah, I'm going to.
CAROLE THERIAULT
No.
GRAHAM CLULEY
They can't stop me. The highest ranked website is the Daily Mail.
SCOTT HELMEE
Blah.
GRAHAM CLULEY
Which means that people could be injecting malicious or unpleasant stuff into that website and the people visiting it wouldn't realize.
CAROLE THERIAULT
And people have to log in to leave comments as well on that site.
SCOTT HELMEE
No, but maybe, maybe, maybe, maybe that's what's been happening this whole time. Maybe that's what's wrong with the Daily Mail.
GRAHAM CLULEY
So you can't trust the Daily Mail website, can you, until you get HTTPS?
SCOTT HELMEE
No. And this is a technical, provable reason to not trust them.
GRAHAM CLULEY
Probably can't trust it afterwards either. So, you and Troy, you've put this website together. It's a fantastic little thing.

And you can find out which websites in your neck of the woods are misbehaving. And maybe you can sort of, you know, send them a tweet and say, oi, get it sorted.
CAROLE THERIAULT
Guys, guys, this is raising a problem for my pick of the week.
SCOTT HELMEE
Oh, yeah.
CAROLE THERIAULT
So my pick of the week, interestingly, is on your list. But I have it as HTTPS. So my pick of the week is newsnow.co.uk.

This was a news site aggregator I used to use a long time ago, and I've been using it.
SCOTT HELMEE
Is this in the GB list? Sorry, just so I can—
CAROLE THERIAULT
Sorry, newsnow.co.uk. So it's in the UK ranking.
SCOTT HELMEE
Yes.
CAROLE THERIAULT
1, 2, 3, 4, 5, 6.
SCOTT HELMEE
No, I've literally just clicked on it and I'm on HTTP. Oh, so if you just click that.

So this is one of the things that comes up because we've had a lot of issues with geo-sensitive websites.

So there are some websites, for example, that are HTTPS in America but HTTP in Europe, and people are like, hey, this, you know, this thing does this, and it's like, ah, but then if you VPN to America, you get the HTTPS version.

So sites do crazy things. But if I click on that right now and go through, I do go to HTTPS.
CAROLE THERIAULT
Mine goes to HTTPS, but that might be picking it up from my cache.
GRAHAM CLULEY
Mine is going to HTTPS as well.
SCOTT HELMEE
Try an incognito window and then see.
GRAHAM CLULEY
Ah, now I've opened it in an incognito window and it stayed on HTTP, whereas in my main browser it didn't.
CAROLE THERIAULT
Oh yeah, mine, yes, that happened to me as well, Graham.
SCOTT HELMEE
So, okay, so it's only if you're logged in. So that's why we see it as HTTPS. And this is a kind of weird thing, right?

Because there's been a few scenarios like that where we've just seen now, live, if you're logged in, they'll give you HTTPS, but if you're not, they won't.

And obviously we're not logged in.

Yeah, what we've kind of proven is that it's HTTP sometimes and not others, and that means that they're not using HTTPS all the time by default, which means that they're not doing it properly.

And that's kind of our point, right?
CAROLE THERIAULT
I don't know if it's my pick of the week anymore. I'm just gonna not— I'm not gonna have a pick of the week this week. There you go.
GRAHAM CLULEY
Are you going to controversially potentially revoke your pick of the week?
CAROLE THERIAULT
Yep, I'm revoking my pick of the week.
GRAHAM CLULEY
Oh, this has only happened—
CAROLE THERIAULT
I apologize to you all.
GRAHAM CLULEY
Very rare.
CAROLE THERIAULT
And let's hope next week I do a better job if I'm invited back.
GRAHAM CLULEY
And on that bombshell, please, people, make sure you listen to the next episode of Smashing Security to see if Carole is here.

Scott, if people want to find out more about you, what's the best way they can do that?
SCOTT HELMEE
Probably through my blog, ScottHelme.co.uk. Has all my infos and Twitters and Facebooks.
GRAHAM CLULEY
Fantastic. And if you want to listen to more episodes of the Smashing Security podcast, you can go to smashingsecurity.com.

On Twitter, you can follow us @SmashInSecurity— no G, Twitter wouldn't allow us to have a G— and you can buy t-shirts and mugs and stickers and things like that at smashingsecurity.com/store.

Until next time, all that remains is to say thank you to everybody for coming along. Thank you for listening and tuning in. If you like the show, rate it on Apple Podcasts.
CAROLE THERIAULT
And thank you to the loads of people that said nice things this week. We got a bunch of lovely reviews and I loved them. So thank you. Keep them coming.
GRAHAM CLULEY
Oh yeah, absolutely. Until next time, cheerio. Bye-bye. Bye. Hang on, hang on, hang on. Scott, Scott, you're not going to say goodbye?
CAROLE THERIAULT
He did.
GRAHAM CLULEY
Did he? Oh, I didn't hear him.
CAROLE THERIAULT
This is not the first time.
GRAHAM CLULEY
Am I getting a bit deaf?
CAROLE THERIAULT
Yes. Have you not heard me say that before?
SCOTT HELMEE
The irony is lost.
CAROLE THERIAULT
You know we're still recording, right?
GRAHAM CLULEY
Oh yeah, right.
CAROLE THERIAULT
Okay. Psst, if you're still listening, remember, please visit smashingsecurity.com/vote so that you can register your vote for Smashing Security in the upcoming podcast awards.

We need your help, guys. Thanks.

EPISODE DESCRIPTION:

Websites still using HTTP are marked as "not secure" by Chrome, 85,000 Google employees haven't been phished for a year, and if you're buying drugs via PayPal’s Venmo app you should say goodbye to privacy.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Scott Helme.

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

Special Guest: Scott Helme.
