This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault
Well, you know what, I would be guilty of this. I bet if someone said, you know, if I was talking to a dude online and he said that he had a 'tash, I would right away picture Tom Selleck in his pants.
Graham Cluley
You totally would.
Carole Theriault
Right? And not Hitler or anyone else with a mustache.
Maria Varmazis
Oh Lord. Right? Yes.
Carole Theriault
You just would. So I would picture what I would want.
Unknown
Three Men and a Little Führer. You wouldn't want to mix up the cast, would you? Smashing Security. Episode 140: Love, PINs, and 8chan with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 140. My name is Graham Cluley, and I'm Carole Theriault. Hello, Carole!
Carole Theriault
Hello, Mr. Cluley.
Graham Cluley
How are you doing? All right? Awesome. Well, you'll be the judge of that. We are joined this week— you are awesome, Carole. Sorry, that seemed a bit—
Carole Theriault
No, I live to be judged by you.
Graham Cluley
I think maybe it's time for me to be the Penelope in our relationship. I should be nice to you for an episode.
Carole Theriault
And can you hear the dulcet tones of Maria Varmazis?
Maria Varmazis
Varmazis. No accent.
Carole Theriault
Varmazis.
Maria Varmazis
There you go.
Graham Cluley
Hello, Maria. Hi.
Maria Varmazis
How are you doing? Good, good.
Graham Cluley
Great to have you back on the show as always. Thank you. You've been a bit busy, haven't you? You did a little bit of work for Darknet Diaries. You popped up in a recent episode of that.
Maria Varmazis
I did. It was so much fun. I'm so glad I got to be a part of that. And hopefully I'll be writing another one soon. Keep your ears out.
Graham Cluley
Very cool indeed. Carole, what have we got coming up on this week's show?
Carole Theriault
A huge thank you to this week's sponsors, LastPass and Recorded Future. Their support helps us give you this show for free. Now on today's show, Graham reveals how an online bank mismanaged customer PIN codes. Maria chats all things 8chan. That sounds fun. And I'll be looking into how to avoid the nasty sharks lurking in the online dating pool. All this and heaps more coming up on this episode of Smashing Security.
Graham Cluley
Now I want to send you guys back through time, through the mists of time, all the way back to 2011 when there was a chap called Daniel Amitay and he released some research that he conducted in conjunction with an iOS app which he had released for Apple iPhones.
Carole Theriault
This is a bona fide app that went on the iPhone?
Graham Cluley
Yes, it was a legitimate app in the iOS App Store called—
Maria Varmazis
Approved and all that, okay.
Graham Cluley
Yep, called Big Brother Camera Security. And what it would do is you would run that app and you'd put your phone down somewhere, as you did in normal life. The different thing was that if someone else tried to pick up the phone and unlock it, they would enter a PIN code or passcode. It would take their photograph, and obviously if they got the number wrong, it wouldn't let them in.
Maria Varmazis
Yeah.
Carole Theriault
And who was it, pray tell? Oh, I see Graham's big face on my screen trying to get into my phone, that type of thing.
Graham Cluley
I don't know why you're saying my face is particularly big.
Carole Theriault
Well, I'm imagining because your eyes are quite small, you'd be holding your phone quite close to your face and then it would be— So, no, okay, well, there's two things.
Graham Cluley
First of all, you said my face is very big, and now you're saying my eyes are very small. Could it be that my eyes appear small because of my big face, or my face appears big because of my small eyes?
Carole Theriault
I don't know. I'm not an expert.
Graham Cluley
Maybe one or the other is perfectly in proportion, Carole. Maybe you just need to be a little less personal on the podcast.
Carole Theriault
All right.
Graham Cluley
Sorry.
Carole Theriault
Sorry for hurting your feelings.
Graham Cluley
Well, I do have feelings, you see.
Carole Theriault
Just being honest.
Graham Cluley
Okay. All right. And what Daniel did was he also surreptitiously, without telling his users, which annoyed Apple a bit, to be honest, he would anonymously collect those passcodes. And he was keeping a record of them. And so he collected 204,508 PINs.
Maria Varmazis
Not PIN numbers. Not PIN numbers.
Graham Cluley
Don't say it!
Maria Varmazis
Don't say it!
Graham Cluley
Because someone pedantic will be in touch about that if I did.
Maria Varmazis
So he was— this was no bueno. You're not supposed to do that. That's not cool.
Graham Cluley
You shouldn't do it.
Carole Theriault
But how does he know whether the PINs are correct or not?
Graham Cluley
Well, he doesn't at all, of course. So someone just puts in 2468 and he's like, "Got another PIN." What he knows is whether that PIN is the right PIN for his app. I've sworn not to say PIN numbers. He doesn't know if it's the right PIN for the phone. But people would enter the PIN assuming it was, for instance, their phone. And I'm sure many people would have used the same PIN for the app as they would have used for the phone, because that's just human nature.
Maria Varmazis
And who's going to try and memorize two PINs now? We can't even get them to use unique passwords. You think they're going to have a separate unique PIN? Which screen am I on? Let me do the different PIN.
Graham Cluley
Nah. So what I found interesting 8 years ago was he released his figures as to the most common passcodes or PINs which were being used.
Carole Theriault
Okay.
Graham Cluley
And he found the number 1 passcode— can you guess it for people?
Carole Theriault
0000?
Graham Cluley
Oh, that was number 2, actually. The number 1 was 1234. People have been a bit smarter than that.
Maria Varmazis
Wow. Yeah.
Graham Cluley
Okay. Number 3 was 2580. Can you guess why it's 2580?
Maria Varmazis
Straight down the middle.
Graham Cluley
Absolutely. Straight down the middle. Then it was 1111 and then 5555. And then an odd one, 5683. Do you know why so many people use 5683?
Maria Varmazis
I'm looking at my phone right now. I can guess.
Graham Cluley
Go on.
Maria Varmazis
So if you're right-handed and you have your phone in your right hand, these are all numbers you can hit easily with your thumb.
Graham Cluley
So not quite. Okay. You need to look at the letters. There are letters written on the numbers on many people's phones. And 5683 can spell love. And so that was the 6th most common. That was the 6th most common.
Carole Theriault
Are you hoping that people have it as hate? Snipe.
Maria Varmazis
Well, you know, I'm talking about 8chan later.
Graham Cluley
Now, there were some other interesting findings in his research. One was that all of the numbers between 1990 and 2000 were in the top 50. And if you included 1980 to 1989, that was all in the top 100 as well.
Carole Theriault
So they're using years of birth.
Graham Cluley
Exactly. Years of birth, years of graduation, or something like that. So if you did want to crack into somebody's phone, there is this rather handy list of the most common numbers which people use. And of course, these are numbers you should avoid, just as you should avoid using 123456 as your password. Now, I was thinking about this research when I heard what happened at the Monzo digital bank this week. So Monzo is an increasingly popular digital bank here in the UK. And it's purely run from your mobile phone. It's one of these challenger banks. There are all these brand new banks which are popping up saying, hey, we're going to appify the whole banking experience. They don't have any bricks and mortar branches. They don't even have you logging in via a website. It's all done via an app. Now, Monzo admitted earlier this week that they left the PINs of a subset of their customers exposed in a file to their internal engineers, and those PINs were exposed for something like up to 6 months.
Maria Varmazis
Oh.
Graham Cluley
Which is a bit of a problem. So it wasn't a hack. These weren't accessible to the outside world, but their own engineers could access people's PINs.
Carole Theriault
And they had to divulge this information because it was a PII leak.
Graham Cluley
Well, potentially very damaging, right? Because they are not to know whether they've got a rogue apple in their— amongst their staff.
Carole Theriault
Apple cart?
Graham Cluley
Yeah, I'm trying to think what is a— they don't know if they have a rogue employee. They don't know if they've got a bad guy, right?
Maria Varmazis
Right.
Graham Cluley
Who's going to actually try and use that information in some way. So they did the right thing. Within hours of discovering that, they updated their app, they pushed out an update to their Android and iOS users. They also deleted all of the numbers. They acted, I think, pretty well. But there were something like 500,000 people whose PINs— I very nearly said PIN numbers— were potentially exposed. And of course—
Carole Theriault
Well, were exposed, right? Internally for 4 or 6 months.
Graham Cluley
Well, they were exposed internally. They were exposed internally. That's right.
Maria Varmazis
Yeah. I mean, maybe it was for research purposes. They were trying to say these top 20 PINs, we're not going to let people use them in our app.
Graham Cluley
It would be nice to think that, wouldn't it? But it sounds like instead it was just being stored in an internal log and the numbers were being collected if people had chosen via the banking app to— there's a button for, say, remind me what my card number is or cancel a standing order. And it was if people did that, then their PIN was collected and stored in this file. But it wasn't meant to be as accessible by anything like as wide a number of staff inside the company.
Maria Varmazis
Ah, yep.
Graham Cluley
But I am actually quite impressed by the response. I think they've been quite rapid and they've been quite transparent. And I wonder how often this might happen inside other financial institutions. And because there's nothing externally seen, they don't even know that any of the engineers ever realized they had access to this data. As far as they know, they've seen no evidence that anyone accessed it, but they still came clean. They said what happened, they fixed the problem really quickly. And I suspect in many banks they wouldn't do that.
Carole Theriault
Would it be the same tune if Apple had done this?
Graham Cluley
I don't know if Apple would've responded the same way, but I think if they respond quickly and transparently and share proper information about what occurred, then that's going to be quite comforting. You turn what's potentially a bit of a disaster into something which actually increases your confidence in the firm instead.
Carole Theriault
I think it's still worrying though that banks can make these mistakes. You want them to have all the fail-safes in place to try and protect information. Absolutely, and it's a lot of both your financials, your money, and all your personal information.
Graham Cluley
Absolutely. And apparently they checked the 500,000 accounts. They didn't see any evidence of any fraudulent activity based on the PIN number. They've informed people via email and some people complained that they got this email rather than an in-app notification because they found the email itself just a little bit unusual. They thought, could this be a scam? But it basically said to them, go to an ATM to change your PIN, which is going to be a nuisance for people. And people don't want to do that if they've already got the convenience of a banking app and just purely everything being conducted by an app. The fact that you have to go to an ATM to change your PIN is going to be a nuisance. And I wonder what PIN those customers will choose and whether they will be unique, because like I said, we're always talking about the need not to reuse passwords, but how many of us are reusing PIN numbers. And if I put my hand on my heart, I think I've got more than one card.
Carole Theriault
Smashed Security. There you go. I don't. Well, you're just better than I am. No, no, no, I'm just, you know, I'm not saying, wow, I'm cool, but I actually, I never have.
Graham Cluley
I think I do. I know I have some different PIN numbers. Oh, I just said it.
Maria Varmazis
You did! Oh my gosh.
Carole Theriault
You should be doing shots. You should be doing shots every time you say it.
Graham Cluley
Drunken Smashing Security. App smashed.
Maria Varmazis
That's the after-dark version.
Graham Cluley
I'll have a swig of tea instead. How about that? But you know, I think I do have two cards which share a PIN.
Carole Theriault
Well, get that changed there. Chop, chop, dude.
Graham Cluley
I am going to have to change it, aren't I? And the other thing is, isn't it weird that we have all these ATM numbers, these numbers we use at ATMs, which are only 4 digits and have no funny characters and no letters? And we're limited to that where there's only 10,000 combinations for that PIN. It's so bizarre, isn't it?
Maria Varmazis
It seems so quaint now. It does.
Carole Theriault
Yeah, but it does have inherent two-factor in that you need to have the PIN and the card to make it work. Not actually with, not, I suppose not with your tap and goes anymore.
Graham Cluley
Yeah, well, these days they quite often don't ask you for a PIN to be entered at all, do they? I mean, here in the UK, I think it's under £30 you can pay.
Carole Theriault
In Canada, I think it's $50.
Maria Varmazis
Oh God, I don't know. In the States, I don't use— I have an ATM card and it's the only one I have. I tend not to use it. I'm all about credit cards.
Graham Cluley
Well, at the current exchange rate, Maria, £30 is about equivalent to $500. And we're going to be that way for a while. So that gives you an idea of how it compares. So here's my advice to people. Think about your PINs, not your PIN numbers, your PINs. Make sure that they're unique, swig. Make sure that you're not reusing them. Make sure that you're not choosing one of these ones, which is really easy to guess. Don't choose a year like 1973, because it's too easy.
Carole Theriault
The year Graham wishes he was born in. Ooh!
Graham Cluley
Wouldn't it be interesting, by the way, if Monzo had released those 500,000 PINs?
Carole Theriault
Oh, hilarious! I would have loved to see that.
Graham Cluley
No, but they could have done. If it's just numbers, right? They could have said, this is the preponderance of PINs, and we could have compared it with Amitay's work back in 2011.
Maria Varmazis
Yeah, I'd like to see that.
Graham Cluley
To see if the world has actually moved on. I suspect many people are still using maybe unusually high preponderance of certain numbers, which are still being used as dates.
Carole Theriault
Yeah, but they'll be different numbers, right? Because everyone's date of birth and all that has changed and probably moved up 10 years.
Maria Varmazis
It's going to be a lot of 2000, 2005, or whatever.
Graham Cluley
Yeah.
Maria Varmazis
No, no, those are not millennials. Those are Gen Z.
Carole Theriault
After 2000, it's Gen Z.
Maria Varmazis
Yes. Right. Millennials came of age around the millennium. Speaking of—
Carole Theriault
That means that Gen Zs are 19 now.
Maria Varmazis
That's right. That's right.
Carole Theriault
I remember reading that.
Graham Cluley
It's so cool that we have young guests sometimes on the show, isn't it? To bring down our demographic and—
Maria Varmazis
I've got arthritic knees and a mortgage, but I'm super young.
Carole Theriault
Yeah. Don't put me in your old bucket.
Graham Cluley
Anyway, I think, you know, obviously it's good that it's been hacked. It's good that they've apologised. It's good that they took action fairly quickly on this. So it's not necessarily the usual kind of disasters which we talk about on the podcast.
Maria Varmazis
We're giving kudos for once. Yeah. I mean, obviously we don't want things to happen.
Graham Cluley
But if they do happen, then clear up your mess quickly and say sorry for it and do what you can to fix it afterwards.
Maria Varmazis
Bravo. Yeah, I agree.
Graham Cluley
Yeah. Fantastic. So there you are, a nice positive story, because I worry that some of the other things we might be talking about today may be a little less uplifting.
Carole Theriault
Ria, what are you bringing to the table today?
Maria Varmazis
Oh, God. All right, so— I'm struggling with this story a lot because a number of people asked me slash us what we thought about this topic. And it's one that frankly, I'm not really sure I want to talk about, but people have asked and I think we should try to hash it out.
Graham Cluley
What is it?
Maria Varmazis
We have to talk about 8chan.
Carole Theriault
I don't know very much about this, so I am so glad you're talking about this. So educate me, Maria.
Maria Varmazis
Okay, so I'll give a very, very high level. I really don't want to dive into it too much because it's really depressing.
Graham Cluley
It's a vile corner of the internet.
Maria Varmazis
A vile corner of the internet that is basically radicalizing a lot of white nationalists into mass killings. Some of the users of the site have gone on to do the mass shootings in New Zealand and the United States, and they posted manifestos there. This is where they're being radicalized, basically. It was— there were certain levels of the internet where there were edgelords, some dark parts of Reddit, and then they went to 4chan, and then 4chan wasn't edgy enough for them, and then they went to 8chan. It was that kind of thing.
Carole Theriault
Actually, that was one of my questions. Were these guys not basically welcome on 4chan because 4chan said, actually, that breaks our rules now, and 8chan was created so that the more, you know, for lack of a better term, edgier, horrific stuff had a place to live?
Maria Varmazis
Yeah. I mean, the granddaddy of them all is 2chan in Japan, and then it became 4chan in the States, and then 4chan became 8chan. And there's 16chan now. Yeah, it's chans all the way down.
Graham Cluley
Hang on, I'm going to go and buy some domain names right now. So 32chan, 64, 128, 256, 512.
Maria Varmazis
And then you get a byte chan or something. So since this is a site where a lot of people are posting manifestos and being radicalized, there's been a push for a while from the greater public to get these sites offline.
Graham Cluley
Yeah.
Maria Varmazis
So one of the main pressure points was specifically 8chan's CDN, their content distribution network, which basically means that 8chan can't get DDoSed. So it gets a lot of traffic going to it and Cloudflare makes sure that it's still accessible. So even after the massacre in Christchurch, where the shooter posted a manifesto on the website, on 8chan. Yeah, I'm trying not to say the name too much because—
Carole Theriault
Oh, sorry, sorry.
Maria Varmazis
But yeah, so it's okay. Cloudflare insisted that they didn't want to get involved in politics and that their job is to continue to be a terrible website CDN no matter what, because you take down one website— and they'd already done this once for a white nationalist website— you start— the dominoes start to fall, basically.
Graham Cluley
And Cloudflare has often found itself in a little bit of hot water around this, hasn't it? Because it has washed its hands over the years of all kinds of criminal websites. Yeah, 'cause they keep saying, "This is not our job to make that determination." Right. They're kind of approaching it from a, "We're a utility."
Maria Varmazis
Are they utility? Are they a critical infrastructure part of the internet?
Carole Theriault
Yeah. It sounds very similar to the same stuff that Facebook and Google say. Like, "Look, we don't really have to monitor our news or what's said because we're not the gatekeepers of that data." Right.
Maria Varmazis
Our job is just to make sure that sites are available. What's on those sites is none of our business. And their other angle is basically, if we don't help keep these sites readily existent, they're going to go deeper underground, and then it's going to be harder for law enforcement to find them and keep an eye on them. Yeah, I'll be honest, I'm not sure about that one because I think law enforcement has a lot of tools in their tool belt, and I don't think a CDN is something they need as much. But that's just a guess. I mean, I don't really know. So after this weekend's two mass shootings— sorry, I can't even say that— both of which, again, manifestos and lots of activity on the aforementioned terrible website, Cloudflare finally decided that I guess now enough was enough.
Carole Theriault
So were people hounding them beforehand?
Maria Varmazis
Yes.
Carole Theriault
You know?
Maria Varmazis
Yes. Ever since New Zealand. There's an organization I'm familiar with called Sleeping Giants, which basically is a very left-leaning political action group that puts pressure on businesses that support websites like this and puts pressure on their advertisers to also remove advertising. So they— I know for a long time Cloudflare had been on their radar as something that they needed to drop support for this.
Graham Cluley
I have to say, for some years I've had a rather uneasy feeling about Cloudflare, and I haven't liked some of the websites which they've been helping to keep online, including websites which, for instance, were running DDoS booter operations. So they were basically sites which were designed to help bring other sites down. So they would launch DDoS attacks from a site. So they would host with Cloudflare and then potentially try and attack other Cloudflare customers.
Carole Theriault
Wow. And Cloudflare would do nothing about it.
Graham Cluley
And Cloudflare wouldn't really be prepared to do anything.
Maria Varmazis
It's all business for them, I guess. Yeah. "We will evaluate this in the coming days."
Carole Theriault
Yeah.
Graham Cluley
And it did leave a rather unpleasant taste in the mouth.
Maria Varmazis
So this story's still developing right now as we're recording this. I'm sure it's gonna keep developing, but Cloudflare pulled their support for Terrible Website on Monday, or on Monday morning, I believe, or at least that's when I heard about it. And this story is still developing right now, but ever since Cloudflare dropped their support, it became a game of whack-a-mole for the Terrible Website to find a new CDN. "From what little we know so far, the Chans are not lawless and do have moderation, especially in regards to DMCA," the— basically, the content takedowns and the content which is illegal in the United States. "Ultimately, we believe that the best disinfectant for darkness, however, this is for—" sorry, let me say that again. So they would find a new one, and that one would then kick them out 'cause they were like, no, hot potato, we really don't wanna deal with you guys. And also, their original domain registrar, Tucows, also dropped them. So again, why was Tucows supporting these guys all this time? Yeah. "Ultimately, we believe that the best disinfectant for darkness, however, this must absolutely occur within the bounds of the law." I think their angle was, again, we don't want to get involved, or a utility, or utility-like service. So yeah, but anyway, they were also on the hunt for a new domain registrar. So by the time people are hearing this, I'm sure the story is going to change again. However, as of the time of this recording right now, they are currently with a CDN that, of all things, seems to be based in Germany.
Carole Theriault
I'm shocked about that.
Maria Varmazis
Yeah, because that CDN based in Germany also supports a well-known white nationalism website that Cloudflare also kicked off. Yeah, yeah. So German CDN helping a white nationalism website is a little — so it's not super clear right now if that's going to stay that way because I believe that that CDN is still debating whether or not that they need to kick them off again. It seems like they're debating it. But I thought it would be interesting just to read a statement from the CEO of the company.
Graham Cluley
Is this a statement from the CDN?
Maria Varmazis
This is the domain registrar for these guys.
Graham Cluley
So people who've replaced Tucows?
Maria Varmazis
Correct. So this is a statement from the CEO. It says, and this is what he says: "Freedom of speech and expression are fundamental rights in a free society. We enter into a slippery slope when we start to limit speech that makes us uncomfortable. The censorship we've seen across major social media platforms as of late has created a vacuum. Our services fill the ever-growing need for a neutral service provider that will not terminate accounts based on arbitrary reasoning or political pressure. Our philosophy is if the customer is not breaking the law, they are protected under our umbrella of services."
Carole Theriault
It seems this is the same kind of thing that Cloudflare was saying, really. It's just different wording.
Maria Varmazis
There is some weasel wording, I think, but that's my — that's clearly an opinion here. But there's a little more specific to any of the Chan sites. "The company in question that I'm not going to name, the registrar in this case, did not solicit this business. We have not made a definitive decision about whether to provide DDoS mitigation or content delivery services to them." I think it's both a registrar and a CDN. I think it's an umbrella company.
Graham Cluley
Okay.
Carole Theriault
Right.
Graham Cluley
No, that's a terrible statement.
Maria Varmazis
That's a terrible statement.
Graham Cluley
And I don't think you disinfect darkness, you turn the light bulb on. This has lost something in the translation.
Carole Theriault
But they're German, they're German.
Maria Varmazis
No, well—
Graham Cluley
Well, we're not sure if they are.
Maria Varmazis
Not sure, that sounds very American to me. But what Cloudflare—
Graham Cluley
Oh, now I understand why it doesn't make sense.
Maria Varmazis
What Cloudflare had been also saying is basically, as long as they're following the letter of the law and they're not doing anything wrong, because posting a manifesto and saying you're going to kill a bunch of people is not illegal to say in the United States. Basically, as long as they're not hosting illegally ripped MP3s, we can't do anything about it.
Graham Cluley
Yeah, right. So if you uploaded an MP3 of Britney Spears, then they'll deal with it. But if it's a manifesto for killing Hispanics, then it's totally okay. It's fair game, right?
Maria Varmazis
Fair game, right? Because it's not breaking any laws.
Carole Theriault
But also it's an international kind of operation, is it not? Like, I'm guessing they're going to have servers everywhere.
Maria Varmazis
Yeah. Cloudflare specifically had said yesterday that only half of their customers are in the United States. So the rest of the world is their other half.
Carole Theriault
But I guess my point is on the legality of it, right? Do you follow the letter of the law in the States or do you follow the letter of the law of where information is posted on a server in whatever country that might be? You know, that may be weaselly. I'm just saying this because it doesn't apply just to the States.
Graham Cluley
See, I don't think the law should come into this. I think if you are running a company, you have the right to decide who you want to be your customers or not. You have the right to say, even though you haven't broken the law, we don't think we'd like you as a customer. You know, we're quite happy with the customers that we do have. And that's what I would like to see companies like Cloudflare do rather than having to defend themselves legally or use these sort of arguments or get into the weeds of who they should have as customers or not. I think it should just be their decision to say, you know what, you're not really the right fit for us.
Carole Theriault
That's what Cloudflare did too.
Graham Cluley
Good luck, go and find someone else.
Maria Varmazis
Eventually, after four shootings.
Graham Cluley
And after years and years, Carole.
Maria Varmazis
Yeah. And basically their angle was not, this is morally reprehensible. It was more like, they're more trouble than it's worth. Right.
Graham Cluley
Yeah.
Carole Theriault
So what we're saying here is they had years of people saying, guys, you really shouldn't be doing this for these guys. And they just ignored it until now. Just now, this was the needle.
Graham Cluley
And there are plenty of other sites which are still supported by services like Cloudflare, which definitely are not for the general good of the internet. They could just have a sort of, if you want to use us as a service, you have to agree to our terms of use. And there are certain types of sites they could say, which we don't want as customers. And if you turn out to be not operating inside those terms of use, then you will get kicked off. Plenty of services do that.
Carole Theriault
Yeah, I 100% agree. I like to have everything be transparent and you want to be honorable. That's how you gain my trust.
Maria Varmazis
Yeah, I think a lot of these companies that were created, especially in the early days of the internet, the idea was, again, thinking of yourself like a utility that everything's fair game. And I think we're at a really important inflection point now where there has to be a decision that companies make. Do they really want to operate that way knowing everything that comes with it? You know, there's a responsibility there maybe they need to be thinking about, or do they want to adopt more of a terms of service or code of conduct? It doesn't seem like a lot of companies know what they want to do yet. So Cloudflare sounds like they've made two exceptions ever and they've booted now two sites of all the bazillions that they've been CDNing.
Maria Varmazis
And it's the same conversation that we're hearing again with social media sites too. I cannot believe I managed to bring Facebook into my thing, but I did. It was going to happen every time.
Graham Cluley
Every time.
Maria Varmazis
Every time.
Graham Cluley
It's Facebook.
Maria Varmazis
Just got it in there. But yeah, we're— I'm so curious to hear where that goes. I'm also a little afraid because I'm always trying to keep in the back of my mind that the worm can turn. So this is my journalistic side of me is I get where the fear comes from on the part of these services, because I mean, these are really easily morally reprehensible sites that are radicalizing people to murder others. Like, that's an easy call. But then I know their fear is that the dominoes are going to start falling. And I get that because especially right now in the States, things being extremely polarized, you start wondering where does that go? And then what kind of things are going to be censored or booted next? And I'm super lefty liberal. So of course I'd love a lot of things that I don't agree with taken off the internet entirely. But then of course, you know, our president said on the news the other day that we got to start censoring websites and video games. And I'm like, wait a second, those might be the things that I like. So it's—
Carole Theriault
I guess he'll back off now. He'll back off.
Maria Varmazis
Oh, I'm sure now that I've spoken out, as soon as he hears this, he's like, Maria said no.
Carole Theriault
Maria said no. It's—
Maria Varmazis
She's tremendous. She's tremendous. Yeah, I appreciate that vote of confidence from the president.
Graham Cluley
Carole, what's your story for us this week?
Carole Theriault
Well, question first. Have either of you ever online dated?
Maria Varmazis
Yes.
Graham Cluley
Yes. Yes.
Carole Theriault
Yep.
Graham Cluley
Well, not me and Maria together.
Maria Varmazis
Oh god, no!
Graham Cluley
I mean, it's not how we get our guests, Carole.
Carole Theriault
Do any of you have a good story?
Maria Varmazis
That's how I met my husband. Aww.
Carole Theriault
Is that how you met your husband?
Graham Cluley
Aww. That's how I fell in love with my first husband.
Carole Theriault
See, I didn't have a very good time. I did it for a very short time, and it was really a disaster. Because I kept finding people I worked with tangentially.
Graham Cluley
Sorry about that, Carole.
Maria Varmazis
Sorry.
Carole Theriault
And some of them sported, in some instances, clothing and poses that if you found them quite enticing, maybe it would make your heart thump. But for me, seeing them, these people out of context in this way, was incredibly— shot. I mean, I can never unsee it, right?
Graham Cluley
Okay, sidebar, I remember the photograph. It wasn't me, it was somebody else.
Carole Theriault
I think, yeah, it was leopard print curtains and someone crawling towards the camera. Oh no, like a tiger, kind of tiger, tiger-like, kind of like going, you're delicious. And I had to go to work the next day and see this person and no, and the great reveal is it was the CEO of the company.
Maria Varmazis
And that wasn't even the one.
Graham Cluley
Did the pay rise happen, Carole?
Carole Theriault
There was this other one where there was this guy, I think he was a pathologist or forensic pathologist or something. Ironically, after I talked to him, I realized he must be super suited to the job because his jokes were best served to those that are occupied by death.
Graham Cluley
He didn't have a photograph of himself on the site, on the job, did he? Not on the job.
Carole Theriault
That would obviously... Back certainly when I did online dating, it was brand spanking new, I think, back then. And today it's the norm.
Graham Cluley
Oh yeah.
Carole Theriault
So stat time.
Maria Varmazis
Yeah.
Carole Theriault
What percentage of singles globally do you think have used online dating apps?
Graham Cluley
Oh my goodness.
Carole Theriault
In the last 30 days, like a 30-day period?
Graham Cluley
70%. Close to 100%.
Carole Theriault
40%. But still super high. That's global.
Maria Varmazis
That's global. That's low.
Carole Theriault
And 75% of all online daters are apparently under the age of 30. That doesn't surprise me.
Maria Varmazis
No, it doesn't surprise me.
Carole Theriault
65% apparently are men, 35% are women, or 35% claim to be women.
Maria Varmazis
That does mirror the experiences I've heard from my guy friends who are like, where are the women on these things?
Carole Theriault
I think there's been a lot of advancements in the pleasure aid technology sector. I think so.
Graham Cluley
I don't think the—
Maria Varmazis
Pardon, what? Could you repeat that one? No.
Carole Theriault
Maybe fewer women are on these sites because they're worried about being duped by scammers and assholes alike. Right. And they wouldn't be wrong because just Monday this week, the FBI issued a public service announcement warning of romance and confidence frauds once again. They say they've seen an increase of 70% in financial losses from 2017 to 2018. So up to $362 million last year. And they said they had 18,000 reports. I am sure it's hugely—
Maria Varmazis
Way more than that.
Carole Theriault
Exactly.
Maria Varmazis
Way more than that. Can I tell you a little story related to this?
Graham Cluley
Oh, yes, please. Hang on. Let me get my popcorn. Tell us your story, Maria.
Maria Varmazis
Well, I believe I can talk about this publicly. My brother works for the State Department. Okay. And he was actually stationed in Lagos, Nigeria for two years. And pretty much a lot of what he had to do was basically rescuing Americans who would fly to Nigeria trying to find the guy... Like the man who said they wanted to marry them. No. Yeah, and there was... it's a lot. It's a lot of people. And he would have to be the one to break it to these folks. And they were not all old ladies who were really lonely. It was a lot of people who legitimately thought there was somebody waiting to marry them somewhere in Nigeria. And it was pretty heartbreaking.
Graham Cluley
Now, was your brother single at the time? Was he able to use this to his advantage, these heartbroken women? 'Cause that's the kind of thing I'd do.
Carole Theriault
Was he phishing himself going, she's back?
Maria Varmazis
It's not all women, it's not all women. And two, that would be super unethical.
Graham Cluley
Yes, yeah, absolutely, absolutely. No, absolutely, I definitely wouldn't do that.
Maria Varmazis
And my brother's a gentleman.
Carole Theriault
Okay, so other than women that we mentioned earlier—
Maria Varmazis
What's so damn funny, Graham?
Graham Cluley
I'm just picturing myself in that situation. But anyway, let's get— No, I'm definitely—
Maria Varmazis
You in that situation?
Graham Cluley
I definitely would have been honorable.
Carole Theriault
Graham is completely unethical and would have been Bolton.
Maria Varmazis
I think maybe the first time you'd laugh, but after 20 times you'd be like, this is really sad.
Graham Cluley
Yeah.
Maria Varmazis
And then after 100 times you'd be like, holy shit, this is horrendous. Horrendous. Yes.
Graham Cluley
Horrendous. I'll put my serious face on here.
Carole Theriault
So I was going to ask you guys, I was going to ask you who are the most likely targeted victims other than women? Because that's a pretty broad statement.
Graham Cluley
I would think other than women, men.
Carole Theriault
Right, exactly.
Graham Cluley
It's going to be more likely than pets, isn't it? So it's going to be men.
Carole Theriault
Well, the FBI said elderly are very vulnerable here, and widowers, right?
Graham Cluley
Oh, bless them.
Carole Theriault
And I think that makes sense because it's a good thing, Graham, actually, you're not on these sites anymore, you know, because you'd be ripe for the pickings with your, you know, advanced age, right?
Graham Cluley
And weak seniority.
Maria Varmazis
Your wife is still very much with us, is she not?
Graham Cluley
I mean, no, I'd be a dead man for sure.
Maria Varmazis
Yeah.
Carole Theriault
Now there's a lot of complexities on online dating because on one hand you want to provide enough information that you stand out from the billions of other people looking for love. But the more specific information you provide, the easier it might be to be duped by a professional scammer, right? Because you're kind of saying to them— for example, if you have sadly— if you've been widowed and you put on there widow, I think that would be something that might be very attractive for someone looking for someone who might be lonely or in a place where they wouldn't be able to be as, you know, clear-headed as normal. And also on online dating, you lose a lot of visual and audio cues like body language and facial tics and verbal cues, right? If you're not a seasoned user, this is interesting actually. You'd think, I always would have thought that the more you're online, the more likely you might fall for something, just the law of probability. But in fact, it seems it's the other way around. So those that are seasoned users seem to be able to go, aha, I smell something fishy here.
Maria Varmazis
Yeah.
Carole Theriault
Whereas, you know, if you haven't been online for a long time and then you've lost a loved one and you decide, hey, I'm going to throw myself out in some old—
Graham Cluley
Because there've got to be so many tricks that people use on these online dating sites and their profiles and their photographs. Even if they aren't a scammer, there are many people who are actually scamming in a different kind of way because they're using that picture of when they were slim and hot and had all their own hair or stood in front of a Lamborghini or a jet ski.
Maria Varmazis
They may look like a stud, but they're actually 30 to 50 feral hogs. You never know.
Carole Theriault
Oh, you know, but I would be guilty of this. I bet if someone said, you know, if I was talking to a dude online and he said that he had a 'tache, I would right away picture Thom Selleck in his prime.
Graham Cluley
You totally would.
Carole Theriault
Right? And not Hitler or anyone else with a mustache.
Maria Varmazis
Oh, Lord. Right?
Graham Cluley
Yes.
Carole Theriault
So I would pick—
Graham Cluley
Three Men and a Little Führer. You wouldn't want to mix up the cast, would you?
Maria Varmazis
How do you know it's not Charlie Chaplin? I'm just saying. He'd be turning down Charlie Chaplin.
Carole Theriault
Okay, so I've pulled together a bit of vetted advice here, okay? To help us watch out for the sharks in the internet.
Maria Varmazis
Yeah, to all three of us who are not dating anymore. This is great.
Carole Theriault
I don't know if you know this, there's some listeners also here.
Maria Varmazis
Oh wait, wait, goodness sake, people are listening to this? I just thought it was us just bullshitting on a microphone.
Carole Theriault
Now if you guys are new to online dating, or you know someone who's new to online dating, right, you want someone that really understands how the internet works to help you create your profile and set your online settings. And have them give you a little turn. You may even want them to review your connections to make sure there isn't a whiff of, you know, something yuck about them. And, you know, don't— like we said earlier, if you're widowed or divorced, just say that you're single on these sites. You don't need to say at the top of your profile and broadcast to everyone in the world that you were once in a long-term relationship. So just keep that private until, you know, you actually get to know someone. And this is a good one: scammers rarely use their own photographs. So doing a reverse image search on images is a great way. So basically, someone might steal an image from a catalog or a stock photo something and slap it up as their own picture. And you might kind of go, oh, that's, you know, he looks like he's a hot doctor. Oh no, he's not, he's just the model for lab coats from Pharmakon.
Maria Varmazis
Oh, come on.
Carole Theriault
Any plane tickets, hotels, and dinners would be booked under her name, and his supposed enemies, as she called them, would be thrown off his trail.
Maria Varmazis
That's oddly specific. I'm wondering if there's a story there.
Carole Theriault
Okay, how much do you think he defrauded her of? There isn't.
Maria Varmazis
Okay.
Carole Theriault
And obviously the big one, don't lend people money, but this is the one that everyone falls for. So I went looking for a recent example, right, online.
Graham Cluley
Oh my goodness. $100,000. Yes.
Carole Theriault
And I will read excerpts from this ABC News article, and I want you guys to ding, ding, ding when you feel you see a red flag. Okay?
Maria Varmazis
Ding, ding, ding. Yeah.
Graham Cluley
Okay. Maria, you've got your dinger. Have you got that hand right? Okay. Should I have a different noise myself?
Carole Theriault
I think we'll be able to tell the difference of your voices.
Graham Cluley
Okay, I'll have another hookah. Okay, okay.
Carole Theriault
I just pulled out a few little snippets from the article just to see if there's anything that made you think, oh, that would make me sit up and, you know, think there's something fishy going on. So a 29-year-old Norwegian master's student living in London said she was swept off her feet on their first date, which included a private jet ride to Bulgaria.
Maria Varmazis
Oh, that's a ding ding. Come on, really? Bulgaria?
Graham Cluley
Well, hang on. So she actually got a PJ flight to Bulgaria? That doesn't sound like a scam to me. That sounds wonderful.
Carole Theriault
He said he was an Israeli millionaire who called himself the Prince of Diamonds.
Graham Cluley
Rather than the Prince of Bel-Air, right? Okay.
Maria Varmazis
My red flag is why Bulgaria? You have a private jet. You can go anywhere from London.
Carole Theriault
So, even if they look like...
Graham Cluley
Hey, what's wrong with Bulgaria?
Maria Varmazis
There's absolutely nothing. It's just not everybody's— Most people's first pick would be the Riviera or somewhere not Bulgaria.
Carole Theriault
Thom Selleck, stay away.
Graham Cluley
At that point.
Maria Varmazis
Yeah.
Carole Theriault
Maybe it was because of his title, the Prince of Diamonds, because he told her that his job was as a diamond dealer, and he worked for a company called LLD Diamonds that kept him traveling constantly, so they had to date long distance.
Graham Cluley
Ding ding ding!
Carole Theriault
Yeah, she said they sent each other love notes over text, video declarations, and voice recordings. She said he would always allude to an element of danger in his job that kept him away, always on his private jet. So it's not like, you know, he should find him on a commercial.
Maria Varmazis
He said, please take that off the internet.
Carole Theriault
And it was not long before he made a big ask, begging her to extend her line of credit for him. It was a paraglider she was holding on. Okay, so what to do if you're a victim of a romance scam. And it's important to report these things. Okay, I know it's embarrassing, I get it, I get it, I get it. But think about it, some of these guys have done this to hundreds and hundreds of people, and if only one of those people reports it, the authorities don't have much leverage to work with if they actually get their hands on these people.
Graham Cluley
The other thing I've heard, Carole, is that some of them aren't just asking you for money, but they're trying to trick you into moving funds for you. So they basically romance you to turn you into a money mule, where they're transferring funds through your account to them.
Maria Varmazis
And also, sometimes they get information on your extended family, and then they can socially engineer your extended family. Especially if they look like Thom Selleck. So, yeah.
Carole Theriault
So things you want to do, you want to report the activity to the online dating website, right? Because they may have received other complaints from other users, because often they're not just working on you at that time, they're working on a few of you, right?
Maria Varmazis
Not that I have personal experience with this, but I do.
Carole Theriault
And you want to report the activity to your federal Internet Crime Complaint Center or your local FBI office or your local— I can't imagine local cops would do anything, but at the same time, they will. For example, in the UK, you would do it to Action Fraud, right? You would at least have them— it would be on a database and at least that could be searched should they ever get caught.
Graham Cluley
Because the key thing is, if one of these guys does get caught, the authorities need evidence of plenty of victims to really chuck them in the slammer for a long time.
Maria Varmazis
Yeah, local police in the States, it's similar. You need a reporter, they'll write up a report for you, and sometimes they'll refer you to a service that can help you. But yeah, they can't personally usually do anything, there's no capacity for that, but you'll get a paper trail, which is what you need often for this.
Carole Theriault
Yeah, and you definitely want to tell if you've lent money, you want to tell your bank or financial institution immediately upon discovering any fraudulent or suspicious activity. Now, this gets difficult if you have been lured in to do a suspicious or fraudulent activity. I get that. But at the same time, if you've been duped into doing it and you weren't aware at the time, I still think it's worth them knowing what's going on. Yeah, because at least they can stop or reverse the transactions.
Maria Varmazis
You never know. The banks will usually often ask you, do you have a police report to back this up? So you have— yeah, you usually need all of that together, unfortunately.
Carole Theriault
Exactly. So it's not fun out there dating.
Graham Cluley
No, I imagine it's— I imagine it's not that much fun if you work for the Bulgarian tourist board and you've had this terrible slur upon your name.
Maria Varmazis
I think Bulgaria is a beautiful, wonderful country, for the record. Just not my—
Carole Theriault
Have you been?
Maria Varmazis
Technically, yeah.
Graham Cluley
Technically, I've been in their airspace. Yes.
Maria Varmazis
No, no, I've been, I've been to the nation of Bulgaria, while doing a road trip along northern Greece. We crossed over briefly, so I've been briefly, but not on vacation. But it's a wonderful country. I have Bulgarian friends. Please don't hate me, Bulgaria. Your cheese is the best and yogurt's great.
Graham Cluley
Okay, I think you've covered yourself there.
Maria Varmazis
Please don't send me hate mail. We went through that.
Carole Theriault
Maria loves Bulgaria, hashtag it.
Maria Varmazis
Your yogurt especially is amazing. Yeah.
Graham Cluley
If you're baffled by threat intelligence and how it might be able to help secure your company, the Threat Intelligence Handbook from Recorded Future is the book for you. It'll tell you what threat intelligence is and what it isn't, and you'll learn how other firms are applying threat intelligence inside their organizations. Grab it now for free at smashingsecurity.com/intelligence.
Carole Theriault
Quote: Most business security breaches are the result of one thing: sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts. That's my co-host Graham Cluley. This is what he says on the LastPass Enterprise page, and most of you know how much I hate to admit when he's right, but he is. Sloppy passwords are a huge contributor to security breaches within an organization. The way to manage that is get a password manager, and the one we recommend is LastPass Enterprise. Check it out at lastpass.com/smashingsecurity. On with the show.
Graham Cluley
And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
Carole Theriault
Pick of the Week.
Maria Varmazis
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Carole Theriault
Better not be.
Graham Cluley
And my pick of the week this week is not security related, huzzah!
Maria Varmazis
Yay!
Graham Cluley
It is a TV show which I have been binging on, and it is available on Amazon Prime. It's just come out. It's called The Boys.
Carole Theriault
Yes! You've seen it too? Yes.
Maria Varmazis
Hasn't it just come out?
Carole Theriault
Yes.
Maria Varmazis
It came out two weeks ago? Three weeks ago?
Graham Cluley
Now, I think, Maria, you may know more about this than me, but I believe it was originally a comic book.
Maria Varmazis
It was, yes.
Graham Cluley
And it has now obviously been televised, televisualized. It is a violent, foul-mouthed, subversive, laugh-out-loud funny movie about superheroes who are bad superheroes.
Carole Theriault
Oh, it's a movie?
Graham Cluley
I thought it was a TV show. Oh no, it's not a movie. It's a TV show.
Carole Theriault
It's a TV show. Oh, sorry.
Graham Cluley
Don't believe what I say. It's a TV show, 8 episodes. And I don't like superhero things normally. They just leave me sort of cold.
Carole Theriault
You don't like anything.
Graham Cluley
No, I like plenty of things actually, Carole, but I don't like superhero stuff. I just find it all that Spider-Man sort of nonsense. The Spider-Man, the animated one recently.
Maria Varmazis
Do you like peanut butter?
Graham Cluley
It's fantastic. Peanut butter, yeah? No, I don't like peanut butter. Oh, you don't? No. Are you just gonna list things I don't like now? Just to prove a point. Cheese. Cheese is great. But so anyway, back to The Boys, because cheese is not my pick of the week. The Boys is great because these are superheroes who are bad people.
Carole Theriault
Sounds like you're talking about your testicles.
Graham Cluley
They are—
Maria Varmazis
Wow.
Graham Cluley
They are—
Carole Theriault
This is the way you said, "The Boys are great." The Boys—
Maria Varmazis
The Boys?
Carole Theriault
Let me tell you about The Boys.
Graham Cluley
So The Boys is a collection of people who are not superheroes who've realized that the superheroes are bad people who are getting away with all kinds of bad stuff. The superheroes known as Supes are run by some international conglomerate who are icily run by Elizabeth Shue, if you remember Elizabeth Shue.
Carole Theriault
Yes, I love Elizabeth Shue. She was a star in the '80s, '90s.
Graham Cluley
Yes, she was.
Carole Theriault
She's looking very adorable.
Graham Cluley
She's very good in it, and she's also a bit sexy, I think. Oh, you like her?
Carole Theriault
She's on your list too? You like number 8 and Elizabeth Shue? Okay.
Graham Cluley
And Simon Pegg is in it as a supporting role, and Karl Urban, who you may remember, was Bones in some of the modern Star Trek movies. Now, his accent, I believe he's actually New Zealander.
Maria Varmazis
Is that what it is? Because he was messing me up. The whole time.
Graham Cluley
He is messing me up. He's one of the weak links for me because although he has some of the funniest lines, he's pretending to be British and he both doesn't sound British.
Maria Varmazis
He phases in and out of different accents and it was totally fucking with me. I couldn't—
Graham Cluley
Yeah, he doesn't look British either. There's been no British man ever born who looks like him.
Maria Varmazis
He's too good looking.
Graham Cluley
He's too good looking, too hunky.
Carole Theriault
And so I'm obviously not thinking of the right person.
Graham Cluley
I find him rather jarring, but other than that, it is a very, very funny show. It's not for kids.
Maria Varmazis
No, please don't watch this if you have a kid. No.
Graham Cluley
It's quite gory, but it is clever and funny, and I'd really recommend The Boys on Amazon Prime.
Carole Theriault
Do you find this guy good-looking, Simon Pegg?
Graham Cluley
I wasn't saying—
Carole Theriault
This is good-looking?
Graham Cluley
No, I said Elizabeth Shue. I said— I didn't say Simon Pegg.
Carole Theriault
Well, you said he was too good-looking to be English.
Graham Cluley
No, Karl Urban. Karl Urban. Simon Pegg is English.
Carole Theriault
Simon Pegg's quite super English.
Graham Cluley
Simon Pegg is very English, but playing an American in this, and quite convincingly.
Carole Theriault
And he did a good job. Okay.
Graham Cluley
As far as I can tell.
Carole Theriault
Yeah, I missed the jump to the next person. That's why I was like, what? He's not from New Zealand.
Maria Varmazis
Simon Pegg as an American also messed me up, but he did a good job. But Karl Urban's accent, I was like, I kept trying to place it and every time I thought it was like—
Graham Cluley
It's all like, it's a bit like, you know, Two Smoking Barrels and all the Lock, Stock kind of thing.
Maria Varmazis
Yep.
Graham Cluley
But it's just sometimes a bit weird. It's a bit Dick Van Dyke slash Damon Albarn.
Carole Theriault
I know he's blubbing about it.
Graham Cluley
Yeah, it's— Regardless of that, really great show. Go and watch it, The Boys. And that is my pick of the week.
Maria Varmazis
Excellent.
Carole Theriault
It's on my list.
Graham Cluley
Maria, what's your pick of the week?
Maria Varmazis
My pick of the week's a quick one. It's called camelcamelcamel.com. And— Oh. Yeah. What's that reaction?
Carole Theriault
Is this rude?
Graham Cluley
Carole, just because something's got camel in the name doesn't mean it's going to be rude.
Maria Varmazis
No, it's an... Come on. No, it's— this is, this is pure service for our listeners today. Wow, I don't even think I can recover from that. I'm just gonna— Amazon price tracker. Good lord.
Graham Cluley
What is camelcamelcamel.com? Because I've never heard of it.
Maria Varmazis
Yeah, it does sound rude. No, it's not. It's an Amazon price tracker. So I know everybody hates Amazon now, we're not supposed to use it, but sometimes you must. And in my case, I'm looking to upgrade my audio rig, because this is the 21st time I've been on this show, if you can believe it. And I feel like— yeah, I know, it feels like only the 4th or 5th.
Carole Theriault
You're always so fresh, like a daisy.
Maria Varmazis
Like a daisy. I feel like it's time for me to upgrade my audio rig from this very basic microphone that I've got now, and I want to try and save some coins. So a friend of mine, Guillaume, told me about this website, and I'm using it to track the prices over time of some of the stuff I'm looking to buy, and it tells you, it shows you over time what the prices are and when they might drop. And then it also gives you a price watch alert option. So if you're looking to buy something when it hits under a certain number, it'll send you a little thing. Right. Yeah.
Graham Cluley
So I'm looking at this right now. So what you can see is you can see what the top products are, which— so the ones which have reduced in price the most over the last week or the last day.
Maria Varmazis
How handy. And it's not just the United States. A lot of electronics and stuff.
Graham Cluley
And you can also look at specific items and look back on the history on the price. This is great.
Maria Varmazis
It works in Canada, the UK, France, China, Japan, everywhere. Yeah.
Graham Cluley
So you can see, oh, at the moment this is quite a low price for this compared to what maybe it normally is. So this is good news for everyone apart from Jeff Bezos, I guess, because this is our way to sort of use technology against him.
Carole Theriault
Also not very good for the rest of the world of the people who are actually building the stuff that have to compete with the prices that Amazon insists upon selling.
Graham Cluley
They've chosen to sleep with Amazon, haven't they, Carole?
Carole Theriault
Well, that's what you're doing as well by buying the stuff. Just saying. I do it too. I'm not judging.
Maria Varmazis
As we said, we're not supposed to use Amazon anymore. I guess we all collectively decided that. But sometimes you still kind of gotta. So, you know, why let them have more of your money than they need to?
Graham Cluley
Right.
Maria Varmazis
Yep.
Graham Cluley
Right. CamelCamelCamel.com.
Maria Varmazis
The Camelizer.
Graham Cluley
Not rude at all.
Maria Varmazis
Not rude in the slightest for once.
Graham Cluley
Ro, what's your pick of the week?
Carole Theriault
Well, mine is a podcast and it's called The Conviction. Released by Gimlet. Now, it came out earlier this year. I'm not on trend like you guys, right? But it came out, I think, in February, and I only just got a chance to listen to it this week, which I did during a single 5-hour cleaning frenzy. And it totally has my thumbs up for the whole thing.
Graham Cluley
You weren't cleaning up after a murderer or something?
Carole Theriault
No, no, no, just kind of decluttery stuff, you know, get rid of the 8 billion books that we have in our house.
Maria Varmazis
Marie Kondo, told you.
Carole Theriault
Yeah, see, someone else asked me that, and I remember it was Pick of the Week once, wasn't it?
Maria Varmazis
It was.
Carole Theriault
I did watch some of an episode back then, but I thought they were way too— the people were just shockingly messy.
Maria Varmazis
I was like, wow.
Carole Theriault
Okay, so anyway, back to the spot. The main guy that they're kind of featuring is called Manuel Gomez, or Manny, and he is a larger-than-life character. So the whole story is set in the Bronx, and it's about how a Black teen and this private detective Manny fight for the kid's bail. And what ends up happening is rather surprising.
Graham Cluley
This is a true story.
Carole Theriault
This is a true story. Yeah, it's this guy Manny is what makes the show, right? And you know, he reminds me of that guy, the main guy in Staircase, that Netflix documentary.
Graham Cluley
Oh yes, whose wife fell down the stairs. Was she murdered?
Carole Theriault
Did he murder her? What happened? And so this guy Manny is so sure of himself. He loves the spotlight. He's always right. He's a little bit wide, you know, but he also seems to have quite a heart. And it's just weird and gripping.
Graham Cluley
So, Carole, you have— you said that they're fighting for bail, but what are— why do they need bail? What are they—
Carole Theriault
I don't really want to give it away, but basically, I will say a kid gets into trouble with the cops in the Bronx. Maybe what happens to him isn't 100% fair from everyone's point of view. And this journalist, Saki Knafo, who hosts the show, went and did some digging on it. And he has the most relaxed tone. I swear to God, it must be 4 AM when he's recording. You can imagine him. He almost sounds bored. But in a way, it's a perfect foil for Manny Gomez, who's kind of larger than life. And if you had two of those characters, you just might get overrun with it. So it works really well. I think it's clever. And I think I hat tip the team who put it together because it's tight. So The Conviction, Gimlet Media, available wherever you get your podcasts. Check it out. 6 episodes of joy.
Maria Varmazis
Nice.
Graham Cluley
Fantastic. Well, thank you very much, Carole. And that just about wraps it up for this week. Crow, when you said this guy Manuel Gomez in the podcast is larger than life, was that in relation to the size of his eyes? Maria, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that since you're not on any dating apps? Or was— I just want to know, is this sort of— is it again proportional to the size of his face?
Maria Varmazis
So if you're on infosec.exchange on Mastodon, I'm @Maria. And if you're on Twitter, I'm @Mvarmazis.
Graham Cluley
You just seem very obsessed with this sort of size thing. Super duper. And we're on Twitter as well at @SmashInSecurity, no G, Twitter allows to have a G. You got a link here. And we're also on Reddit, where you can have discussion about the show up there. Go and find us on Reddit. And we're also on Patreon now, so if you want to support the show, just go to patreon.com/smashingsecurity and you get bonuses and extra content and all kinds of goodies like that.
Carole Theriault
Yeah, huge thank you to this week's Smashing Security sponsors, Recorded Future and LastPass. Their support helps us give you this show for free, so check out their offers. And thank you, listeners, the sunbeams of our lives, wouldn't you say? Thank you so much for tuning in. It makes our week. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
Graham Cluley
Until next time, cheerio. Bye-bye. Bye.
Maria Varmazis
Mwah.
Carole Theriault
That was a Maria smooch for everyone.
Maria Varmazis
Yeah, he seems proportional.
Carole Theriault
Yeah. Okay.
Graham Cluley
I'm clicking. Okay. Well, he looks like a normal sort of chap. Middle-aged sort of fellow.
Carole Theriault
He's so wide.
Graham Cluley
Oh, he's wide. What, you mean physically?
Carole Theriault
No.
Graham Cluley
Or he's just like, I'm wide.
Maria Varmazis
He's like, hey, hey, hey.
Graham Cluley
He's from New York, Crow. They're all like that. Hey, hey, what you doing to me?
Maria Varmazis
I'm not a cop. Stop talking to me. Talk to me. I'm an investigator.
Graham Cluley
You think I'm funny? You think I'm funny?
Maria Varmazis
Those references are all 40 years old, you guys. Just letting you know. Oh my God, we're old, Maria. No, have you been to New York in the last few decades? Yes, but you know what?
Carole Theriault
You haven't, you haven't heard this guy. Just go listen. Just go listen.
Maria Varmazis
Those voices I just heard are not what I think of when I think of Bronx. Just saying.
Graham Cluley
Can you do us one? Can you do us one, Maria?
Maria Varmazis
I cannot do, I cannot do impressions.
Carole Theriault
Oh, just, just picture it.
Maria Varmazis
I will complain really well, but I can't deliver. That's how I am.
Carole Theriault
All right, my darlings, I'm gonna go. I have to go work my butt.
Graham Cluley
Yes, you do. We're gonna work your butt.
Maria Varmazis
Go do your thing.
EPISODE DESCRIPTION:
Is the PIN you use for your bank card secure? How did one woman get duped into giving a romance scammer $200,000? And Cloudflare and other online services take aim at a vile corner of the internet...
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.