
089: Data breaches, ransomware, Bitcoin robberies, and typewriters

August 1, 2018
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Let me say this again.

Carole Theriault

I just think if you're going to do jokes, Graham, you should just know the punchlines. I don't know.

Geoff White

You're literally halfway there.

Carole Theriault

I know, but it kind of matters, the last few steps, right?

Geoff White

It's the other half that matters.

Unknown

Smashing Security, Episode 89: Data Breaches, Ransomware, Bitcoin Robberies, and Typewriters.

Graham Cluley

Hello, hello, and welcome to Smashing Security episode 89. My name is Graham Cluley.

Carole Theriault

I'm Carole Theriault.

Graham Cluley

Hi, Carole.

Carole Theriault

Hello, Mr. Graham.

Graham Cluley

And it's not just us two this week. We are joined by a returning guest.

Carole Theriault

Thank God.

Graham Cluley

We've got Geoff White, technology journalist and author Geoff White. Geoff, you're working on a new book right now, aren't you?

Geoff White

I am. When you say working on a new book, that sounds like there's an old book.

Graham Cluley

It was there.

Geoff White

I'm working on a book, a first book, and that is genuinely terrifying.

Carole Theriault

Is it? Do you have to— are you good at spending a lot of time on your own and motivating yourself to write? Because I think that's where I fall over.

Geoff White

I'm good at spending a lot of time on my own. There's no problems there.

Graham Cluley

That's—

Geoff White

So, you know, it's very exciting. And, you know, the publishers kind of came along and we talked about this book and they said, okay, we'll pitch it. And, oh great, we'll pitch it. Great. And then there was a day when he said, you're right, that's it, you're contracted to do the book, you know, off you go, write this book, and I said, so what happens now? And he went, well, you just write it. And I went, all right, okay, so that's on me, is it then? So off you go.

Carole Theriault

I mean, I know other people who've written books, so I know it's possible, but fiddlesticks, I think all you need is an app that goes and yells at you and says, stop procrastinating, Geoff, start freaking writing.

Geoff White

I call that my wife.

Carole Theriault

Oh, isn't she lucky?

Graham Cluley

Are you going to tell us what the book is about? Is it about an intrepid Channel 4 technology journalist investigating murders?

Carole Theriault

Oh, I'd read that.

Graham Cluley

An erotic romance.

Geoff White

Actually, Fifty Shades of White's not a bad idea. No, it's about cybercrime. It is a book about cybercrime. So it is slightly historical and it tells the story of cybercrime from first beginnings to where we are now. But obviously in terms of grand sweep of history, cybercrime is a very new thing. So very quickly we get up to present day, and the idea is to just take in the whole lot and try and work out what some of the movements are. So you'll be familiar with this, the idea of moving from kind of banking fraud and banking Trojans, and those guys kind of start working on ransomware, and that feeds in. So it's trying to really look at the long trends of what's happened and where those trends have come.

Graham Cluley

Right. Now, Geoff, I hate to worry you, but now you've said that on the podcast, you're actually going to have to write it.

Geoff White

No!

Carole Theriault

Geoff, I've got a question for you.

Geoff White

Go on—

Carole Theriault

Is there a chance it'll be out at Christmas? Because Graham's been making up stuff in cybercrime for about 20 years and I could get this for him, right? And actually, you know, educate him.

Geoff White

I think the honest answer, Carole, is yes, it will be out for Christmas, just not this Christmas.

Carole Theriault

Did you have a favorite teacher at school? I did. Madame Gilmour. She made learning not only fun but useful. I once asked her why I needed to learn percentages, and with a wink she told me, so no one rips you off while you're at a sale, silly. Decades on, I still remember. Like Madame Gilmour, MetaCompliance, the security e-learning experts, make learning best practice engaging and fun through stories, realistic scenarios. The MetaCompliance guys provide animated e-learning and even games like phishing drills to test your knowledge. Plus, these guys get passwords, they get GDPR, they get security, and they've won awards for security awareness. Smashing Security listeners, you guys can get 10% off by smashingsecurity.com/metacompliance and entering the code SMASHING. That's smashingsecurity.com/metacompliance. Hi, Graham.

Graham Cluley

Hey, Carole.

Carole Theriault

I have a question for you.

Graham Cluley

Okay.

Carole Theriault

Do you have a password manager?

Graham Cluley

Yes, of course I've got a password manager.

Carole Theriault

Do you?

Graham Cluley

Yes, I do.

Carole Theriault

And do you honestly, honestly think that all companies should have a password manager?

Graham Cluley

Oh, absolutely.

Carole Theriault

I totally agree.

Graham Cluley

If you don't have one of those, your employees are going to make some terrible password decisions and hackers may be able to break in. And an enterprise-grade password management solution like the one from LastPass, for instance, will have support for Microsoft Active Directory and funky functions like that to make it even easier to secure your business.

Carole Theriault

Okay, I think you've passed my test. Listeners can check out LastPass Enterprise for themselves by visiting lastpass.com/smashingsecurity.

Geoff White

It's not easy to say.

Graham Cluley

Okay, guys, now ransomware. I think we need to talk about ransomware again.

Carole Theriault

Again?

Graham Cluley

Yes, I know. I mean, it's never far from the headlines, but it has taken something of a dip of late, hasn't it?

Geoff White

How much money could I pay you for us not to talk about ransomware?

Carole Theriault

We could maybe hold them to ransom.

Graham Cluley

Well, I'll give you a bitcoin address and you can do some—

Geoff White

Yeah, you could.

Graham Cluley

Yeah. 5 bitcoins to that. So Chinese shipping firm COSCO. Costco's not a Chinese shipping firm. Oh, for goodness sake, Carole, it's not Costco. It's not the place where you go and buy all your toilet rolls in bulk. I'm talking about a shipping firm, one of these huge container ships. They are China's largest carrier of containerized goods and the fourth largest such operator in the world. They have been hit by some nasty ransomware at the end of last month. What they did was they went out onto their social media and said, look, we've suffered a local network breakdown hitting our offices, and there are a number of offices which were hit across the Americas, into South America, up to North America and Canada as well, affecting all manner of their users. Their computer systems went down and then emails leaked out as well, revealing that in fact what had happened was they'd been hit by ransomware.

Carole Theriault

So basically they were trying to buy time to figure out what the heck is going on and how do we solve this?

Geoff White

Buy some bitcoins.

Graham Cluley

And they isolated their offices in order to investigate. That turns out that, you know, that's obviously quite a good idea. You should isolate—

Carole Theriault

Get offline, you mean?

Graham Cluley

Well, you should certainly disconnect one network from another network if you believe that one is infected. You don't want it to spread further and further. That's one of the bad things. The more aggressive ransomware these days doesn't just infect a single computer. It will spread laterally throughout your organization, spreading across the network and potentially compromising massive amounts of data and encrypting it. And obviously you're then going to have trouble. So Costco the shipping company, their website went down, their VoIP phone lines collapsed. They had to rely on free external services such as Twitter and Facebook and even personal Yahoo email accounts to communicate with the outside world. It's true.

Carole Theriault

So the age of people working at Costco is reliably around 50 to 60, isn't it? So this is the— this exactly. I mean, things must be desperate if you're going to trust Yahoo with your essential communications.

Geoff White

Ironically, that's about the demographic that you— Costco for their toilet rolls.

Graham Cluley

Yes, it could be, couldn't it? But it's true. If you go to Costco's, I'm not sure I'm saying that right. Let's call them Costco. If you go to Costco's website, you can actually find a list of some 50 or more Yahoo addresses that they were telling their partners and customers to use.

Carole Theriault

Oh, so they were saying to customers, hey, our email's down, email me, an account manager, email me on my private email at blah blah at Yahoo.

Graham Cluley

Yeah, they set up all manner of different offices. Some of them may be for ports in Panama. Some of them may be on the other side of the world in China, wherever. Just lots and lots of different Yahoo addresses which they wanted people to use instead, and of course for you to trust them. So they're using Yahoo addresses, their phones are down, their website's down, email is messed up. It's chaos. That's not unusual. And when ransomware strikes, it's not unusual to call on desperate measures using a Yahoo email address. That's a lesson that was just learned the hard way by the Alaskan borough of Matanuska Susitna.

Geoff White

Have you been practicing that all day?

Graham Cluley

No, I wish I had been. I tried to go on YouTube to find out how to say it.

Carole Theriault

Matanuska Susitna. Yeah, I guess you say Susitna. Yeah, it's the Susitna. Matsu, I believe it's commonly called. What do they have to do with Costco?

Graham Cluley

Well, this is another case of someone being hit by ransomware. They also got hit in late July by a type of ransomware called BitPaymer. Also sometimes called fried eggs. I don't know if it's called fried eggs because basically you've— what's the bacon joke? You've lost your bacon. What's the phrase?

Carole Theriault

I don't know. What's had your bacon? Is there a bacon? I just think if you're going to do jokes, Graham, you should just know the punchlines.

Geoff White

Yeah.

Carole Theriault

I don't know.

Geoff White

You're literally halfway there.

Graham Cluley

It's just—

Carole Theriault

I know, but it kind of matters the last few steps, right?

Geoff White

It's the other half that matters. Yeah, that's what I've done.

Graham Cluley

So Matsu got hit in late July by ransomware called BitPaymer, also sometimes called Fried X, not the kind that you have for breakfast. That's X as in the 24th letter of the alphabet. Yes, you can be impressed later. And it forced it also to disconnect from the internet, turn off their VoIP phones, email systems went down, and they started the process of wiping infected computers, resetting passwords, rebuilding systems.

Carole Theriault

Chaos again.

Graham Cluley

Again, and they kept in touch with the public via Facebook as well, so there is some good which can come out of things like Facebook. In all, at Matsu in Alaska, 650 desktop PCs have been affected, and more than a week later, they are still cleaning up. Now, there was an interesting quote by someone who works there who said, look, without the computers and files, you know, our employees, they worked resourcefully. They grabbed out typewriters from old cupboards and they started typing out memos to each other. I don't know, CCing, maybe they got the photocopier going as well. They wrote by hand receipts, and this is the one I particularly loved: they got out lists of people who'd taken out a library book and were overdue, and they were doing all of that by hand as well. So the really essential things—

Carole Theriault

As long as they were focusing exactly on the hard issues at hand.

Graham Cluley

This is what they were handling.

Carole Theriault

Well, there's not a lot going on, I guess, 35 miles north of Anchorage. How dare you?

Graham Cluley

I can't believe it, as a Canadian. I mean, they are your close cousins up there.

Carole Theriault

I deign to say that in a lot of places in Canada, not a lot's going on. You know, I don't think that's an insult.

Graham Cluley

Hence you came over here. So a number of different organisations are getting hit by ransomware and it's causing this kind of impact. COSCO, who I was speaking about earlier, they aren't the first shipping giant to have been affected at the hands of ransomware. There was another high-profile victim a year ago, the Dutch shipping giant Maersk, which is thought to have spent $200 million overcoming the outbreak it suffered, which is pretty significant, I'd say. They got hit by NotPetya. They reinstalled 4,000 servers, 45,000 PCs, and 2,500 applications over the course of 10 days. They completely rebuilt their network in just 10 days, which is pretty impressive stuff. And I'll link to a video of their chairman describing how they recovered from NotPetya.

Carole Theriault

I just can't believe it's not overkill, you know.

Graham Cluley

Well, if something hits as badly as it did Maersk, and it looks like the Costco infection isn't as bad as that, then in some ways you do have to sort of start again from scratch, don't you? Because you've got to restore from backups. You don't trust the computers. You've got to reinstall them. Yada, yada, yada.

Carole Theriault

Yes, well, the fact that they were able to do that in 10 days suggests they definitely had very good backups in place.

Graham Cluley

So good for them. And I think they put a lot of people onto it and worked jolly hard as well. Now, Costco, they say that they have now recovered completely. It took about 5 or 6 days after they were first hit by the ransomware. But considering the severe impact that Maersk suffered after it was hit by ransomware last year, I think that means Costco is either very, very lucky that the ransomware didn't spread further, or it's very, very mistaken about the nature of the infection they might've suffered. Things might be very much worse than we imagined.

Carole Theriault

Oh, it's not unusual for a company to tell us that things are a lot easier and better than they actually are.

Graham Cluley

You know, not at all. And I think it's important to remember that even though there are other threats like hacking US politicians or supply chain threats or crypto mining, which are maybe taking some of the spotlight in the headlines right now, ransomware does remain a problem. And this particularly pernicious, aggressive type of ransomware, which scoots through your network like Billy-O, can be particularly damaging for organizations.

Geoff White

The worm has returned.

Graham Cluley

Yeah. And the impact is maybe your boats don't sail or maybe your production plant ceases operation. And you know, you are just hemorrhaging money as a result before you even begin trying to do the cleanup.

Geoff White

And also they, you know, whoever's hit you knows that your IT department is heavily tied up in trying to fix this problem. And so if you were minded to attack along a different line, you know that you've probably got an easier chance because they're going to have their hands full with cleaning up the ransomware infection. I mean, you know, 10 days, you know, during that 10 days their hands were really full with this.

Graham Cluley

Yeah.

Geoff White

So, you know, if you'd wanted to attack in a different way, you might pick that as your window.

Graham Cluley

So you might very well do. But I kind of love this image though from Matsu in Alaska of them getting the typewriters out of the cupboards and writing everything by hand. It's almost like, oh, who are we going to get to help us do this? Let's get a whole bunch of hipsters in who love using typewriters. I used to love typewriters. I love that ding at the end of every line, you know, as you moved it along.

Geoff White

It's amazing they still had typewriters. I mean, I just—

Carole Theriault

Well, you know, you don't throw them out 35 miles north of Anchorage. It's all frozen tundra, practically.

Geoff White

There's nowhere for them to go.

Graham Cluley

You might try and create a funeral pyre for the typewriters, but it just won't light. Is that the problem?

Carole Theriault

Oh, there's no— People love typewriters. You could tell. I guess the shipping costs from Anchorage are a bit heavy.

Geoff White

I've just got this image of a guy, some crusty old guy in there, sort of stores department, wearing probably one of those green visors. Do you remember the green visors? And a shirt with those elastic bands around the sleeves.

Carole Theriault

I love those. Yeah.

Geoff White

And somebody rushing down and going, quick, quick, Norman, we need the typewriters! Him going, finally, finally, we need the library book patrons list now! And he goes to this enormous cupboard, he opens it, blows the dust off and opens it up, and it's full of typewriters and 8-tracks and all this stuff that he's been saving. Yes, my day has come! Get the carbon copy sheets out!

Carole Theriault

Yes!

Geoff White

I knew it would come. Only all with a Canadian accent.

Graham Cluley

Obviously everything's funny with a Canadian accent.

Carole Theriault

Well, America and Anchorage.

Geoff White

Oh yeah. Oh, true. True. Guys.

Carole Theriault

Sorry.

Graham Cluley

It's all right.

Geoff White

Sorry.

Carole Theriault

I'll let it slide.

Graham Cluley

Some geographic pedantry there.

Carole Theriault

Oh yeah. Just a country or another.

Geoff White

In my mind, Norman was Canadian. That was the issue.

Graham Cluley

Yeah. Norman is Canadian.

Geoff White

Norman is the rest of the company.

Graham Cluley

He just works in Alaska.

Carole Theriault

All right, Carole.

Graham Cluley

Actually, Graham.

Geoff White

I'm a technology journalist, not a geography teacher. Damn it.

Graham Cluley

So Geoff, what's your story for us this week?

Geoff White

Well, I'm still slightly obsessing about the Dixons Carphone breach, which it was reported today is worse than they thought. Ten times worse. Rather than a million, it's around ten million.

Carole Theriault

That's a big difference, isn't it?

Geoff White

It is.

Carole Theriault

I'm not very good at math, but is that a thousand percent?

Graham Cluley

No, is the short answer.

Geoff White

With these breaches, you never know which way it's going to go. TalkTalk, for example, said initially it could be up to four million customers, turned out to be 150,000. And it's this sort of data breach version of play your cards right, you know, higher, higher, lower, lower. But no, this has turned out to be, as I say, in the order of ten million.

Graham Cluley

Today, just a month or two ago, it was 1.2 million or so.

Geoff White

About a month after it was initially revealed. And so obviously they found some more skeletons hidden in the closet. I have to say though, I just have some real concerns and confusion really about what Dixons Carphone are saying about this publicly. So, and I kept this on my phone, I'm going to read it out because I was intrigued by this. This is when the breach first happened and this is from the statement on their website. I'm going to read this out, and even for non-tech security type people, I'm fairly sure as I read this out, you'll start to spot the confusing bit of this. Okay, so here we go. This is June 15th, this is from — our investigation has found 1.2 million records, which we now know obviously was fewer, far fewer, but 1.2 million records containing non-financial personal data, name, email address, address, have been accessed, right? It now goes on to say we have no evidence that this information has left our systems. Mm-hmm. So this information has been accessed, but they've no evidence that it's left our systems.

Graham Cluley

Yes. I mean, how does that — how does that actually work?

Carole Theriault

You would notice though, right, if it was huge amounts of data being hoovered away from your system. You might have an event log somewhere that tells you that.

Geoff White

You might, but I mean, fundamentally, if the information's been accessed, yes, one way to do it is to exfiltrate it from the system. You might notice a huge amount of data going out, but fundamentally, if it's been accessed, it's been accessed.

Graham Cluley

If it's been viewed at the very simplest level, viewed, yes, the information has come to someone else's computer screen.

Carole Theriault

Yeah, it's compromised. Yeah.

Graham Cluley

And it's come out.

Geoff White

Yeah. It's me saying, you know, I came into your house, I opened the fridge, I licked all the food, but I've not tasted any of it. So I was slightly confused about that, and now I'm even more confused now by the current message from Dixons Carphone, which is talking about the credit card data that was stolen. So the 1.2 million, which is now ten million records, is name, email address, and so on. And what they've said is there's actually also 5.9 million credit card details have been taken.

Carole Theriault

Oh!

Geoff White

And what they've said is that these cards are protected by chip and PIN. That's the reassuring bit. Yes, the card details have been stolen, but they're protected by chip and PIN. Now, well, that applies when you go into a shop, doesn't it? I don't — I mean, chip and PIN when you're online, that doesn't happen. It's weird. It makes no sense.

Graham Cluley

I'm not asked to insert my credit card into my floppy disk drive, if I had one, when I make an online purchase.

Geoff White

I've tried, doesn't work. And so, and here's the real kicker. Here's the real kicker. So A, the cards aren't protected as far as I'm aware by chip and PIN online. But B, today I set up a new Amazon account with a new email address. I gave the Amazon account a surface address, which was nothing to do with me. It was an ex-employer of mine, so it's a surface address that's not tied to me. I then took somebody else's credit card— don't worry, it's a relative, they gave me permission— I put their card details in, which doesn't match my name and doesn't match this surface address I'd given to Amazon, and I started ordering stuff. So you're not only not protected by chip and PIN, but if anybody's got these credit cards— people say, oh, they haven't got the 3-digit number on the back, you don't need it— oh, and guess where I got the goods delivered to?

Carole Theriault

Tell us.

Geoff White

I'm going to get the goods delivered to an Amazon locker somewhere, so there's no record of the address.

Graham Cluley

This book you're writing, Geoff, is this actually a dummy's guide to doing cybercrime?

Carole Theriault

Yeah, because we don't want— we're not doing that on this show.

Geoff White

Look, I'm not happy about this either. I know what we're about, as to why you can put in fake details. Now admittedly, with this, I didn't click the Buy Now button because I didn't want to spend loads of money on my family's credit card. But you can enter these details in, so it just perplexes me when you get tweets like this, you get Dixons Carphone saying, hey, you know, don't worry, it's all protected by chip and PIN, which makes no sense. And then you think, well, if they get the credit card number, they can just enter it into places like Amazon and make purchases.

Graham Cluley

And for those people who don't live in the UK, Dixons Carphone, which is the parent company of Currys, Dixons, and many other high street well-known names, they're a big deal here, aren't they? They're a big company. Many, many people will have bought things from them.

Carole Theriault

Yeah, they're the McDonald's of tech, I guess.

Geoff White

They have, yeah, they have millions of customers. And in fairness, they're one of the very few sort of technology retailers that are still around on the high street. So they have not just an online presence and also Carphone, of course, you know, mobile phone retailer and sales place. So it's not just sort of white goods and fridges and freezers and that kind of thing. So as I say, for this, I just feel the communication about what's happened has been slightly baffling. And frankly, in this day and age with GDPR and with the level of tech savvy I think people have got, I'm surprised if people will not be confused by that.

Graham Cluley

Well, I must admit, I'm confused because we said a month or two ago, when they first announced that there'd been a breach, they said over 5 million payment card details had been taken, albeit not the chip and PIN information. And then in the announcement we've had this week about the many, many additional personal details which come out, they said, but we can confirm no payment card information has been taken. Initially, I thought, oh, maybe they made a mistake in their initial announcement that no payment card information would be taken, but I think they mean in connection with these additional millions and millions of users. Is that right?

Geoff White

That's how I understand it as well and how I read it as well. Yeah.

Graham Cluley

Yeah.

Carole Theriault

But it's already confusing and irritating and, you know.

Graham Cluley

Which is odd because they're so helpful when you actually go into the store. The customer service.

Geoff White

Yes.

Graham Cluley

If you go in and ask them about computers and stuff.

Carole Theriault

Words fail me when I try and explain how wonderful their service is.

Graham Cluley

I can't begin to say how, what a pleasant experience it's been.

Geoff White

I've got a really low threshold for detecting sarcasm. Is this— was all of that sarcastic or not? Please tell me.

Carole Theriault

You'll never know.

Geoff White

But actually, since the demise of Maplin, which was the other high street UK electronics retailer that I mourn the loss of every time I need it.

Graham Cluley

Yeah, me too.

Carole Theriault

Yeah.

Geoff White

There was a part of me that really wants Dixons Currys sort of high street presence to survive. But I say, it's not been a good time for them. Yeah. I know I'm a technology journalist, so I sort of obsess about this stuff, but I just think statements like that come out and you just think, that doesn't give me a huge amount of faith in your ability to explain things and to feel like you're dealing with a kind of honest source of information with this.

Graham Cluley

They were more nerdy.

Carole Theriault

And think about it, Dixons are the places where now a lot of people are gonna be buying their smart IoT devices, right? And what is the supply chain on that? And where did you get it from? And which route? And they can't manage being able to explain this old hack. It does leave you worried for IoT devices.

Graham Cluley

Oi, Dixons, sort it out, all right? White, your section's over. Sorry, Theriault, over to you.

Carole Theriault

Oh dear. And breathe. Okay, I am talking about this great piece that I saw this morning, a piece of investigative reporting from Motherboard. So it's all based on California. The authorities there arresting a 20-year-old Bostonian college student named Joel Ortiz, and they're currently holding him on a bail of $1 million. Our little friend Joel is quite a big catch for California. He's accused of stealing more than $5 million in cryptocurrency. Now, Joel did not hack exchanges, and he didn't go after the everyday crypto investor either. Joel had another plan entirely. His game was to identify crypto and blockchain high rollers and then wrangle meet and greets with them at conferences.

Graham Cluley

So actually physically meet them?

Carole Theriault

Yeah.

Graham Cluley

People who had lots of cryptocurrency?

Carole Theriault

That's right.

Graham Cluley

All right. Okay.

Carole Theriault

So the plan was to get enough info off his targets to pull off that old chestnut, the port-out scam, in order to get access to their email and crypto accounts.

Graham Cluley

This is the SIM swap thing?

Geoff White

That's right.

Carole Theriault

This is where a scammer dupes your phone company into porting your number to a new phone, and in this case, one in the scammer's control.

Geoff White

Oh, interesting.

Carole Theriault

We talked about this in a recent show. I don't know which one though. Also in that episode, we talked about how you can safeguard your phone against these threats. So do check it out.

Graham Cluley

Answer's in the show notes.

Geoff White

So the advantage of meeting face to face is he can say, oh, where'd you grow up? You know, are you married? What's your wife's name? He can get all of that.

Graham Cluley

What's your porn star name? If you were to choose a password or a PIN code, what would be some of your favorite ones?

Carole Theriault

Joel was particularly active at the New York Consensus conference in May. Consensus is a blockchain tech summit run by CoinDesk. In one of at least 3 attacks that reportedly happened during Consensus, Ortiz is accused of swiping $1.5 million from a cryptocurrency entrepreneur, including nearly a million that he had crowdfunded in an ICO.

Graham Cluley

So at this conference, he allegedly stole $1.5 million through these SIM swap scams.

Carole Theriault

From one single, from one single.

Graham Cluley

So he must have got their number and chatted them up and then rung the phone company posing as him or something?

Carole Theriault

That's right.

Graham Cluley

Crikey. Okay.

Carole Theriault

And got the number transferred to a device within his control. Here, let me walk you through how the cops caught him, and I think the story comes out quite well here. So first thing, cops get wind of something fishy when a blockchain investor says his phone number was stolen. Ortiz is said to have hijacked this investor's phone at least twice, reset email and cryptocurrency passwords, added his own two-factor Google Authenticator app to further lock the victim out, and even harassed the guy's wife and daughter demanding bitcoin. So the cops hear all this and they say, "Right, okay, we're gonna get a warrant for AT&T phone records for the victim." And focusing on the days where the scammer was in control of the phone number, not the actual victim, they found that the calls made during that time, when the scammer was in charge of the number, were made on an Android. Now, the victim never used an Android, so ipso facto, the phone was likely used by the scammer.

Graham Cluley

You would think if this guy's managed to steal $1.5 million, he could have afforded an iPhone rather than using some shitty Android.

Carole Theriault

I don't know, they're pretty expensive these days, Mr. Cluley. Now, I thought this was quite interesting, this bit, because I wonder if that means that cops can sidestep the hassle of proving the requirement for a warrant because they have the victim, the owner of that data, permission to troll through the phone records. Do you see what I mean?

Geoff White

Well, yeah, I mean, it's—

Carole Theriault

Yeah, I steal your phone number, Geoff, right? And then I do a port-out scam, call your provider and get your number swapped over to my phone. But then you still own the data. You still own that phone number, I think, in terms of identity.

Geoff White

So you'd be able to say, yeah, sure, no problem, cops.

Carole Theriault

You can have access to my stuff. Just call my provider. Here's a written—

Geoff White

Because the transfer of control of the mobile phone account across to the alleged crook isn't a genuine transfer. You've been fraudulently convinced. So you still— and also, yeah, you still own the account. You're still the actual real owner of the account.

Carole Theriault

Exactly. Yeah. So that was interesting. Anyway, so that's the first thing they do. So now they know that there was an Android used. So the cops then send Google a search warrant for data connected with these Android phones. And they're using the IMEI number as the identifier, right? They find out that there's a Gmail and a Microsoft Live account. They get another warrant. They send this to Google to search through that Gmail account. And this is where they found evidence of criminally inclined interest and evidence that linked that account to Joel Ortiz, our crypto port-out scammer. Then, right then, the cops serve warrants at the crypto exchanges. Coinbase, Bittrex, and Binance were all targeted. These warrants revealed that Joel had more than $1 million worth of crypto stashed somewhere. Now they'd been able to recover about a quarter mil, but the authorities aren't sure where the rest of the money is being stored. So it's not being stored on the exchange, but there is obviously a paper trail there of how much money is tied to him.

Geoff White

Has to be said, I mean, if you're transferring those quantities of money out, if you went to a bank and tried to do that, obviously not having £1 million at my disposal, I've never done this, but really?

Carole Theriault

Oh God, it's so fun. It's a daily activity for me.

Geoff White

I suspect I'm going to have to start getting paid for these podcasts. I suspect if you went to a bank, they would demand quite a high level of evidence of verification. It's interesting from the sounds of it that some of these bitcoin exchanges are quite prepared to transfer a million and a half of currency out. And it seems he's got around the checks. Yeah, that was done by the authorities. And I don't know again how he's been doing it. Ah, it could be.

Carole Theriault

Or where he's storing that cash, where he has a physical device.

Graham Cluley

Yes.

Carole Theriault

So now the cops go, okay, the guy's got lots of money, we have evidence of him running a Gmail account where he looked for stuff online that wasn't, you know, with phishing and all this— same things we do as journalists as well. So the cops go full circle and they head back to AT&T with a warrant. They now want to know how many victims Ortiz potentially duped. So what they ask for is the phone numbers that are linked to the handset's IMEI over the last few years. And guess what? They find 40 numbers that had been linked to that physical device, Ortiz's phone.

Graham Cluley

Oh, so he's been swapping other people's numbers onto this same Android device for—

Carole Theriault

He's got two Android devices, so two individual IMEI numbers, and that's basically been the paper trail for the authorities.

Geoff White

So when you set up a number on a device, whether you've taken it over legitimately or illegitimately, the phone provider gets the IMEI number as well as the— this is the phone, the actual handset's unique identifier, as well as the phone provider's. Yeah, exactly.

Carole Theriault

The arrest happened— 20-year-old Bostonian Joel Ortiz was arrested at LAX on his way to Europe. He was reportedly flashing a Gucci bag as part of a recent spending spree, which they think is tied to some of the cash he's been able to steal. He is facing— so he's 20 years old, right? He's facing 28 charges: 13 counts of identity theft, 13 counts of hacking, and 2 counts of grand theft. And his hearing is August 9th. There's loads more detail on this on Motherboard, so it's really worth checking out. Check out our Smashing Security episode notes for links. Well done, him. His parents must be very proud. I was thinking, I wonder, is the money lost forever?

Geoff White

Well, the advantage is they would've— yeah. The advantage is they probably used the blockchain to spot what wallet address it was transferred from and to.

Graham Cluley

Basically, all cryptocurrency is lost forever. The general rule is as soon as we, you or I, buy any cryptocurrency, the price will plummet and be worth nothing. That's just the way our luck works.

Carole Theriault

Oh, I know. I think I'm quite lucky, actually.

Graham Cluley

Have you got any cryptocurrency, Carole?

Carole Theriault

Aren't we going to Pick of the Week soon?

Graham Cluley

All right. After this break, let's hear from our sponsors. Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in. Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare! That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise. LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory. As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus. Listeners can check it out for themselves by visiting lastpass.com/smashing. No more password snafus, no more boo-boos, just LastPass.

Carole Theriault

Hey, Clue.

Graham Cluley

Hey, Carole.

Carole Theriault

Did you listen to my little bit about MetaCompliance and their e-learning?

Graham Cluley

Oh yeah, I heard that earlier in the show.

Geoff White

Yeah.

Graham Cluley

Did you? Yeah.

Geoff White

Okay.

Carole Theriault

Well, have you signed up yet?

Graham Cluley

Well, no, I've been doing the podcast, Carole. I haven't had time to sign up for it, have I?

Carole Theriault

Well, women know how to multitask. Surely you can get a move on and sign up. We get 10% off. Just go to smashingsecurity.com. You should know that website. Slash MetaCompliance and enter the code smashing with a G.

Graham Cluley

Smashingsecurity.com/MetaCompliance. Enter the code smashing. Terrific.

Carole Theriault

With a G. Cool.

Graham Cluley

And welcome back. Can you join us on our favorite time of the show, the part of the show that we like to call Pick of the Week?

Carole Theriault

Pick of the Week.

Geoff White

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. It doesn't have to be security related necessarily.

Carole Theriault

Please, for the love of God, don't be this week.

Graham Cluley

Mine is not security-related, Carole.

Geoff White

Yay!

Graham Cluley

Mine this week is a podcast. Often you're choosing podcasts. Well, I'm going to choose a podcast this time.

Geoff White

Okay.

Graham Cluley

And it is a podcast which comes from slate.com, and I've really enjoyed it. It is called Slow Burn. And have you heard of it?

Carole Theriault

Ah, yes, I've listened. Yeah, I have. Long time ago, but it's great.

Graham Cluley

Oh, sorry for being behind the times. Slow Burn's first season was all about Watergate and the fall of Richard Nixon, and, being just a young whippersnapper, I mean, I can barely remember Watergate. Didn't really know what was going on. Didn't know very much about it, but this is the inside story and it's absolutely fascinating.

Carole Theriault

Graham, you're the one who told me about Slow Burn about a year ago.

Graham Cluley

Well, now I'm recommending it because they are starting season 2 very soon, Carole.

Geoff White

Cool.

Graham Cluley

Which is going to focus on a chap very close to your heart. Going by the name of William Clinton and his entanglement with a young intern named Monica Lewinsky.

Carole Theriault

Brilliant. I sat in front of the television during that whole— I was riveted.

Graham Cluley

But I want to say one thing to the American people. I want you to listen to me.

Carole Theriault

I'm going to say this again. I did not have sexual relations with that woman, Ms.

Graham Cluley

Lewinsky. I never told anybody to lie, not a single time, never. These allegations are false, and I need to go back to work for the American people.

Geoff White

Thank you.

Graham Cluley

Would it be fair to say, Carole, that you have a little bit of a crush?

Carole Theriault

God, no.

Geoff White

Oh.

Carole Theriault

Not on Billy.

Graham Cluley

Not on Millicent.

Carole Theriault

No, not on Millicent either, no.

Graham Cluley

Anyway, I will put a link in the show notes. I'd highly recommend it. It's very interesting. I know I'm obviously listening to a lot of political podcasts at the moment. I can't imagine why. And maybe Slow Burn, sometimes you may reflect as you're listening to the impeachment of Richard Nixon, what this might say about the current situation which we're in as well. Who knows? A little bit of politics for you there. But I'm going to switch now to Geoff to ask Geoff, what's your Pick of the Week?

Carole Theriault

Oh, right. Of course.

Geoff White

My Pick of the Week, I read an amazing article on the Daily Beast website by a guy called Jeff Maysh. This was about the defrauding of the McDonald's Monopoly promotion. But it's just a fascinating story. It's not tech, but fraud-related stuff. Did you read about this? Yes. It is a rip-roaring yarn. And the cast of characters is, yeah, intriguing.

Carole Theriault

No, I did not.

Geoff White

McDonald's for years, I don't know whether it's still running, but they had a tie-up with Monopoly where they would give away Monopoly cards, and if you collected them, you could win. And there were some big prizes. I mean, the top prizes were $1 million. So you could do quite well. The guy who was in charge of security, an ex-police officer at the place where the cards were being printed, kind of got greedy in the end. But what was fascinating— I mean, it's an amazing story about how he tries to run this because of course he can't— yes, he's got the winning pieces, but he can't go in and claim it because it's like, well, hang on, you're the head of security.

Graham Cluley

If only they'd dressed up as the Hamburglar, then they wouldn't have been identified. They missed a trick there.

Geoff White

So he starts creating this network of people and saying, well, do you know anybody who could do this? And do they know anybody? So he passes it down a chain, but of course the money is coming back to him. He's taking a cut of every time somebody, you know, fortunately claims one of these wins. But what I loved was what got them in the end was increasingly the people he's relying on, they're always a bit dodgy and increasingly they're just dodgy losers. And with these folks, whenever they got a win, McDonald's would say, hey, do you want to star in an advert or promotion? Yep.

Geoff White

And they'd go, yeah, I really do. And so they're appearing on telly. And then eventually somebody at McDonald's went, hang on, that's the brother of the guy who won a few weeks ago in the same area. And there's photos of these fraudsters appearing on McDonald's promotions saying, I won $100,000, I'm so happy. And it's just an amazing story. But what's incredible about this is I hadn't really heard of this.

Graham Cluley

Yep. They should have thought it through. Well, nice story. We'll put a link in the show notes to that Daily Beast article where people can read some more about it.

Geoff White

It all— the trial happened around the same time as the 9/11 attacks. So the whole thing kind of got a bit buried. Nobody— and it didn't get as much publicity as it was going to get.

Graham Cluley

Carole, I bet you've got a good pick of the week for us.

Carole Theriault

Well, I was going to talk about Sacha Baron Cohen's Who Is America series, but it's kind of, I don't know, I'm just worried. I want to see a few more episodes before I do it because it's pretty close to the knuckle, isn't it?

Graham Cluley

It is, but I really am enjoying it.

Carole Theriault

I know. What is it? There's been two published so far.

Graham Cluley

No, three. Three so far. Three.

Carole Theriault

Yeah, yeah, I haven't seen the third. So instead, I'm going to go down the superhero road for downtime distractions. All scientists are superheroes, you know that. So I'm by no means a superhero connoisseur unless it's Jeff Goldblum in The Fly. And yes, I did say Goldbum.

Graham Cluley

I don't think he's a superhero, Carole. He's a scientist who goes in a teleport machine and ends up with wings.

Carole Theriault

I don't think it's for you. I don't think it's— too highbrow for you.

Graham Cluley

I don't know what that means. I'll back down.

Geoff White

I'll back down. Same with Spider-Man, scientist.

Carole Theriault

I watched an episode of this thing called, what's it called, Cloak and Dagger. It wasn't my bag at all. But this is. It's called Legion. It's an FX psychedelic sci-fi thriller, and it's pulled together by Noah Hawley. He was the creator of the FX Fargo.

Graham Cluley

Hugh Bonneville? This is Lady Mary.

Geoff White

Hello. Hello. I'm a mutant. No, it's Dan Stevens. And I don't know, I think he plays the Crawley, Crawley or something.

Graham Cluley

His friends? Surrogates for all the little broken parts of your psyche. The exciting lives they live are your dreamscape. And you know what else? I'm not even real. And what's coming is— well, what's coming is very, very real. Cool.

Carole Theriault

So anyway, good cast, it's intelligent, it's slightly existential, it's got a dab of horror, and it's smart and it's great.

Graham Cluley

So watch it. Where can we find this show, Carole, to watch it?

Carole Theriault

You can find it on Amazon, and I think you can find it on FX as well.

Geoff White

Okay, we'll see.

Carole Theriault

But I don't think it's part of Prime. You actually have to fork out for it.

Geoff White

What's the name again? What's it called again?

Carole Theriault

It's called Legion, and it's just started. I think it's finished its second season very recently.

Graham Cluley

I find myself tantalized, Carole, by your pick of the week. And on that shocking bombshell, it's about time to wrap up the show. Geoff, if people want to follow you and find out more about you, what should they do?

Geoff White

They should go to Twitter and follow me. It's @geoffwhite247 and it's Geoff G-E-O-F-F. Geoff White.

Graham Cluley

Fantastic. And you can also follow us on Twitter at Smashing Security. No G. Twitter won't allow us to have a G. You can pick up t-shirts and stickers and mugs and things like that at thesmashingsecurity.com/store. And thanks for tuning in. If you like the show, please leave us a rating on Apple Podcasts. It helps people, new people find the show and discover us, which is terrific.

Carole Theriault

Did you see we got a great one? I think just today, actually.

Graham Cluley

Did you see a nice review? Yeah, nice review talking that, you know, we're creative and fun and informative and addictive by someone, @adstar7878. Oh, there you go. So, yay. And he says he's going to flick 20 people's ears unless we immediately—

Carole Theriault

We know what that means. Yeah. I thought it was a euphemism.

Graham Cluley

Not everything is a euphemism. It means literally he's going to flick people's ears. He's going to encourage them.

Geoff White

Just remember that.

Graham Cluley

Go to smashingsecurity.com to check out past episodes. Until next time, cheerio. Bye-bye.

Carole Theriault

See you later, guys.

Geoff White

Bye. Adieu.

Graham Cluley

Toodaloo. Farewell.

Geoff White

Au revoir.

Graham Cluley

Auf Wiedersehen. Adieu. Whatever. Okay, I'm gonna press stop.

Carole Theriault

Because listeners can visit lastpass.com/smashingsecurity. I can't even talk. Listeners can visit lastpass.com/smashing.

Graham Cluley

Slash.

Carole Theriault

That's what you've written. Slash.

Graham Cluley

You said slash.

Carole Theriault

It's very hard to do LastPass slash smashing. You try it.

EPISODE DESCRIPTION:

Ransomware rears its head again, Dixons Carphone reveals its data breach was almost 1000% worse than they previously thought, a man is accused of stealing five million dollars worth of cryptocurrency through hijacking mobile phones, and a Canadian guy called Norman is rushing to get the typewriters out of storage.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by journalist Geoff White.

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

Special Guest: Geoff White.
