
370: The closed loop conundrum, default passwords, and Baby Reindeer


The UK Government takes aim at IoT devices shipping with weak or default passwords, a man spends two years incarcerated after being mistaken for the person who stole his identity, and are you au fait with the latest scams?

All this and much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.

Warning: This podcast may contain nuts, adult themes, and rude language.


Sponsored by:

  • Sonrai’s Cloud Permissions Firewall – A one-click solution to least privilege without disrupting DevOps. Start a 14 day free trial now!
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


CAROLE THERIAULT. For listeners that aren't as au fait with security, Graham is being facetious.


GRAHAM CLULEY. I am being a bit facetious, that's true.


UNKNOWN. Smashing Security, episode 370, The Closed-Loop Conundrum, Default Passwords, and Baby Reindeer with Carole Theriault and Graham Cluley. Hello, and welcome to Smashing Security, episode 370. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And this week, Carole, we're joined by a special guest, someone who's been on the show many times before. It is Duck, Paul Ducklin.


CAROLE THERIAULT. Hello.


PAUL DUCKLIN. Hello, everybody. Thanks for having me back. You're welcome.


CAROLE THERIAULT. We love having you here, Duck.


GRAHAM CLULEY. Hi, Duck.


CAROLE THERIAULT. We have to get our skates on because we have a few hard stops. So should we just—


PAUL DUCKLIN. I dare you to tell the listeners why Graham has to run away. I just can't believe it.


GRAHAM CLULEY. I won't be putting skates on.


CAROLE THERIAULT. He's running to stay still. Before we kick off, let's thank this week's wonderful sponsors, Kolide, Sonrai, and Vanta. It's their support that helps us give you this show for free.

Now, coming up in today's show, Graham, what do you got?


GRAHAM CLULEY. I'm gonna be asking, what's the fault with default passwords?


CAROLE THERIAULT. Okay, what about you, Duck?


PAUL DUCKLIN. I have, under the curious title, closed-loop calamity. Are we coasting to catastrophe?


CAROLE THERIAULT. And this is the time of annual reports. So we're gonna look at them with the cyber eye. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, question for you. What is the first rule of passwords?


PAUL DUCKLIN. There are no passwords. Oh no, sorry, that's a film. Basically, you should start with 1, 2, 3, 4, 5, and every time you think someone's guessed your password, you add 6, then 7, then 8, and just keep on going until it's long enough.


GRAHAM CLULEY. That might work, I suppose. I think a lot of people think it's to have a strong password. A lot of people say, oh, you gotta have a password that's hard to crack. I don't think so. I think the first rule of passwords is don't reuse passwords. Don't use the same password in different places.


CAROLE THERIAULT. Yeah, I'd agree with that.


GRAHAM CLULEY. Yeah, biggest problem of all is that most people use the same one everywhere.


CAROLE THERIAULT. Yeah, but Cluley, if people had one password being cat and the other one being dog and the other one being bird, I'm not sure you'd find that great.


GRAHAM CLULEY. Well, those aren't great passwords either.


PAUL DUCKLIN. No, Carole, I see where Graham's going with this, because I have heard a lot of people say, you know what, I've memorized this super complicated password. It's so hard, no one will ever guess it. Therefore, it's okay to use it 15 times.


CAROLE THERIAULT. Yeah, that's true.


PAUL DUCKLIN. And of course, if any one of those gets cracked, then it doesn't matter how complicated it is. Once the bad guys know what it is.


GRAHAM CLULEY. Absolutely. Once you've been breached one place, then obviously that can be used to unlock all of your online accounts where you're also using the same password. By the way, that's a piece of advice which we've given many times before. This thing about the hackers, first thing they'll do if they grab a password database is they'll try and use it to unlock others.

I remember I once received a legal letter from some chap who claimed that that was his idea and I wasn't allowed to repeat it. He said, rather like not repeating a password, he threatened me. He said, I'm the person who invented that you can't reuse passwords, so no one else is allowed to say it.


CAROLE THERIAULT. I wear blue shirts. What the hell are you doing? Yeah.


GRAHAM CLULEY. So obviously we do recommend having a strong password, one that's hard to crack. You know, make it really tricky. Maybe put an exclamation mark on the end. That's the golden rule, if you want to make a password hard to crack.

But more importantly than that, don't use the same password. Well, there is good news because new legislation rolled out in the United Kingdom means that you can say goodbye to your smart fridge having the same password as your email account and your bank account.


CAROLE THERIAULT. Do people do that?


GRAHAM CLULEY. Oh, yes, of course, Carole. I mean, if you've got a password on your email account or on your bank account, you're going to use the same password, surely, to secure your fridge or your video recorder, your CCTV camera. Wouldn't that make sense?

I mean, people are using the same password everywhere. Have the same dumb password.

So if your fridge comes along and it has a default password of admin, you might as well change your bank password to that, mind you. You might as well change your email password to admin as well, if they let you do that, because, you know, it's using the same password everywhere. That's what people do.


CAROLE THERIAULT. Yeah. For our listeners that aren't as au fait with security, Graham is being facetious.


GRAHAM CLULEY. I am being a bit facetious, that's true. But the killjoys in Westminster, they've rolled out this new law that means manufacturers are banned from serving up default bad passwords on IoT devices.


CAROLE THERIAULT. Oh, that's very cool. I didn't see that.


GRAHAM CLULEY. It is cool. I'm calling it killjoys, but yeah, it is cool. Of course it is.

Listeners, if you've got a long memory, you'll remember Mirai. This was the Internet of Things worm.

Made a name for itself. It's claimed it infected 300,000 or more internet-connected devices, things like video recorders, CCTV cameras, routers, fridges, all kinds of stuff, rather than conventional computers that are traditionally recruited into a botnet.

And then the Mirai botnet launched this massive DDoS attack, denial of service attack, knocked websites off the internet, made them inaccessible. All because coded inside Mirai were 60 dumb default usernames and passwords.

And we're talking really, really dumb. So you might have a username of something like root and the password would be root or the password would be 1111 or 1234 or 12345. Or one, you can see where I'm going with this.


CAROLE THERIAULT. Why wouldn't anyone think of 2468, you know?


GRAHAM CLULEY. I think they do, Carole.


CAROLE THERIAULT. Oh, right, okay. I just thought I was really being, I thought I was being super clever.


PAUL DUCKLIN. Well, it doesn't really matter with default passwords, does it? Because the one thing you can be sure of, and you can find these on regular sites, let alone on underground sites, is that the crooks have a list of pretty much every default password ever chosen by any manufacturer or any vendor for any device.

They're readily available and you just pick the obvious one. Obvious ones like the admins, as Graham says, or the root, root, root, to a root, nothing.


GRAHAM CLULEY. Yeah, it's awful. What happens is you buy a gadget, you get a little instruction book, which typically you throw out even before you've installed the gadget. And inside that instruction book, it will tell you what the default password is for setting up the system.

There's lots of gadgets which are still using the same password everywhere. And this was a brilliant and convenient system because if you happen to lose the instruction book, there was a good chance, as Duck says, that you could just either guess the password or search for it on the internet, because someone will very helpfully have published the instruction book online or created a database of what the password is for your router's admin interface, for instance.


CAROLE THERIAULT. Okay, so let's assume I'm— Hi, Mom. My mom listens to the show. She's not a computer expert.


GRAHAM CLULEY. Hello, Mom.


CAROLE THERIAULT. And she probably has a smart fridge. So it would come with a booklet and it would say the password for this smart fridge is, you know, whatever, XYZ, or, you know, password, whatever it is.


GRAHAM CLULEY. Yes. Right.


CAROLE THERIAULT. Why should she change it?


GRAHAM CLULEY. Well, because if it is internet connected, then there's the potential that a hacker might be able to exploit it and log in and turn off the fridge or mess around with the settings or order too much milk, or use the CPU inside there to do something else: mine cryptocurrency, or attack somebody else and get you kicked, or your mum kicked, off the internet. Right.


CAROLE THERIAULT. Okay. You heard it here first, Mum.


PAUL DUCKLIN. I like the way a lot of the better router vendors are doing it, where you get the router. Mine has a little tile that you can slide off the back and it has a unique password, unique to your router, printed on it.

So even if you don't go in and change it, at least you've got something that's completely different from everybody else's. And you can take that little tile of plastic and put it in a drawer somewhere in case you ever forget it. Not only is there not a default, if you don't set one up, you get a half-good password to start with. And I wish more people would do that.


GRAHAM CLULEY. That's a great system. Sometimes what they also do, these devices, is they'll tell you this is your initial password when you first turn it on, but they then force you, or sometimes they ask you, but they could ideally force you to then change your password immediately afterwards.

And make sure that it isn't a commonly used password or isn't a password that's easy to crack and tell you to write it down somewhere where you're not going to lose it.


PAUL DUCKLIN. That's a good idea, but I— A, it's a bit more expensive because you have to have that extra code to pop up the thing that says, right, before you can use this device, you have to choose a password.


GRAHAM CLULEY. There are also devices which may, for instance, say, okay, your password is going to be the MAC address— the last X number of digits of the MAC address, which isn't necessarily that good either. So it might mean you have different passwords, but it may mean that anybody in the vicinity might be able to determine what the MAC address of your device is.

So again, you want to encourage people to change them.


PAUL DUCKLIN. Does this new law, Graham, actually address that kind of idea of people choosing what are essentially non-default passwords, but they're so stupidly chosen, for example, using a MAC address, which is broadcast publicly of necessity by design, and therefore is not suitable to be the basis of some kind of algorithmically derived password? Because it seems that that might satisfy the law, and then you'll go, oh yeah, well, I put a different password on every device.

But if they're predictable, then they're kind of, that's just a special sort of default, isn't it?


GRAHAM CLULEY. Yeah, I'm not sure that the legislation is actually granular enough to cope with that sort of situation. What they're saying is that common or easily guessable passwords like admin or 12345 will be banned to prevent vulnerabilities, to prevent people hacking in. They're asking that all devices should have unique passwords, but obviously in that scenario we've just described, the password may be unique, but isn't necessarily going to be difficult to determine despite that. Manufacturers are also being told they will have to publish contact details, so if there are any bugs or issues, they can be reported and dealt with.


CAROLE THERIAULT. They need a law to tell them to do that. Drives me nuts.


GRAHAM CLULEY. Well, you know, what drives these things is often actually a bit of a beating with a stick, isn't it? So there is the penalty, which is that they are going to fine people, or have the ability to fine people. So the fines, it could be a maximum fine of £10 million, that's about $12 million, or 4% of global revenue, whichever is higher.


CAROLE THERIAULT. You see, GDPR has changed how—


PAUL DUCKLIN. Wow.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Now, whether it would be that, that's the maximum. Need to see whether regulators will actually be prepared to do that. Oh, the other thing, the other rule, by the way, is that manufacturers have to be open and retailers will have to be open with consumers as to the minimum time they can expect to receive important security updates. And I think that's a really important one because there are so many devices being sold on the high street which may only receive security updates for another couple of months or may already have expired and be no longer officially supported, but that's being sold on the cheap. Now, this has happened often with smartphones.


PAUL DUCKLIN. And certainly with the very cheap devices, that's a huge problem. And particularly with the white boxing of goods, where actually the person that you think is the manufacturer isn't. They've just had a generic device with some slightly reworked—


CAROLE THERIAULT. A sticker.


PAUL DUCKLIN. Well, sometimes the actual packaging, maybe the little plastic molding is changed, which is actually worse in a way, because it's not obvious that you're looking at your device and then you see a picture in a news story saying, here's a device which had truly terrible security. And you look at yours and you think, no, mine's blue, that's red, mine's fine. So they can actually look quite different, but inside it's absolutely the same.


GRAHAM CLULEY. So I was concerned about this because obviously a lot of these devices are manufactured in China and you have to wonder, would you ever get the fine paid? But it's not just manufacturers who have to abide by these rules, but retailers as well have to be open with consumers regarding, you know, when you're going to get security updates. So if you imagine that lots of people might buy stuff from— there's a company called Amazon that I know people used to buy things from. Was it 4% of global revenue? I'm not sure that they'd ever be forced to pay that much, but maybe they're going to have to clean up their act a little bit regarding some of these goods which are just repackaged, but actually the same thing yet again.


PAUL DUCKLIN. But aren't a lot of those online markets just acting as brokers? You go and buy it and they say, oh, you didn't actually buy it from us. You actually, we were just providing a place. You have to sue the other guy. We were just providing a place for you to buy it.


GRAHAM CLULEY. Well, I think this new law in the UK sounds like a good step. Our Minister for Cyber, Viscount Camrose.


PAUL DUCKLIN. Sounds like a sort of Second World War aircraft.


GRAHAM CLULEY. He says that the UK is the first country in the world to do this. So there we are. We are leading the charge.


CAROLE THERIAULT. Do you know what law I'd like to see? I'd like to see a law that says products that fail to comply with the marketing stuff that we've put on our website faces the 4% of global revenue, because that's how people are choosing to buy stuff, right? They watch videos, they read stuff and they go, "Oh, this looks pretty good. I'll pay X amount of dollars for this."


GRAHAM CLULEY. I think we need to be very careful about that, Carole, because we advertise ourselves as a helpful and hilarious take on the week's tech snafus. Now, fortunately, there aren't many people other than our lovely patrons who are actually giving us money for this. So we may not be applicable to that kind of law. Duck, what have you got for us this week?


PAUL DUCKLIN. Well, as I said, I rather mysteriously want to talk about something that I call closed loops in cybersecurity checking. And the core of the story is something that I wrote about on my own website a couple of weeks ago, which is a story that I really thought, "Golly, I can't believe this."

I wrote about it on my old site with a picture of Franz Kafka's book Der Prozess, The Trial. You know, it's a famous book where this guy gets called by a corrupt regime to a trial. And he figures, "Well, I could ignore it, but I'm really going to have to go there." And they won't tell him what the charge is. They won't even tell him where the trial is.

He has to go and it's just this weird bureaucratic process of this closed loop spiraling around him. And it's obviously a way of drawing him into this web of corruption. It's given us that adjective Kafkaesque, which a lot of journalists complain is overused these days by people on the internet.

But here's a story from the US of two guys. One's called William Woods and the other is called Matthew Kearns. Now, they met apparently way back in 1988 when they were working together on a hot dog stand in Albuquerque in New Mexico.

And it seems that this Kearns fellow decided that he wasn't going to be hanging out with this guy that he's working on the hot dog stand with forever. So it'd be quite a cunning idea to learn enough about him and learn his life story up to that point and just keep it in the back of his mind so that if he moved around the country and he needed a spare identity, he could just pretend to be this guy.


GRAHAM CLULEY. Whoa.


PAUL DUCKLIN. And that is exactly what he did. For decades, he moved to Oregon, he got married under this other guy's name, he had a child who still has this other guy's surname 'cause that's how the kid was registered.


GRAHAM CLULEY. Wow.


PAUL DUCKLIN. He got a birth certificate from yet another state. I think he went to Kentucky and managed to get this guy's birth certificate. And he ended up, would you believe it, as a system architect responsible for IT security and system design at a hospital in Iowa, although he's working from home.


CAROLE THERIAULT. Under this false name.


PAUL DUCKLIN. Under this other guy's name. And he took out, if you don't mind, $200,000 worth of loans under this guy's name. I imagine he probably figured this other guy maybe wouldn't realize.

And it turned out sadly that William Woods at that time was homeless. So he's unlikely to wander into the bank and say, "Hey, I want a loan" and find out that he can't get one. But somehow he got wind of the fact that someone was impersonating him.

So he did what everyone is recommended to do. Don't let it fester. Go and try and get it sorted. Went into a local branch. I think he was living in California at the time. Went into a branch of that bank and said, "Hello, I'm William Woods. I may be homeless, but—"


CAROLE THERIAULT. A thousand cops show up.


PAUL DUCKLIN. I've got these loans against my name. I'd like to get this sorted out. Apparently what the bank did is they said, just a moment, sir. No, this is weird. This is like someone who's reporting a lost passport being asked to present the passport to prove that they're allowed to report it lost. They asked him the security questions that had been set up on this bank account, the validity of which he had called into question.


GRAHAM CLULEY. Oh, for goodness' sake.


PAUL DUCKLIN. So of course he couldn't answer them. And you imagine maybe he wasn't in the best of mental health at the time. So the bank decided, well, he must be the fraudster. The next thing they did, it seemed they went, well, we'll double check. So what did they do? They looked up the phone number associated with the bank account and they called it. And the fake William Woods answered and said, I am William Woods. There's nobody in California who's entitled to do that. And basically convinced them that the other guy was the fraudster. He got arrested and of course he wouldn't give up this air quotes fiction that he was William Woods.

He said, no, that's my birth name.


GRAHAM CLULEY. That's me.


PAUL DUCKLIN. That's me. And they said, you're mad. And they sent him to a mental institution. He was hospitalised and he spent something like two years without his freedom until eventually he took— it's not an easy way out, but apparently in California you can agree to be treated by the court as if you're guilty. It's called nolo contendere or something. I do not wish to contest this. So the court can process you as if you're guilty. So you can go through the system instead of just awaiting trial, but you don't actually admit guilt. So you're still allowed to appeal afterwards. And fortunately, afterwards, he managed to contact this hospital and explain the situation.

They said, look, we're going to call in the cops. And a cop in Iowa had this fantastic idea. Well, what we'll do is we'll take this guy that the guy in California says is fake. And we'll take the birth certificate and we'll go to the person he claims is his father and we'll do a DNA test and we'll see if the other guy seems to be his son. Bingo.


GRAHAM CLULEY. Okay, sorted out. Okay.


PAUL DUCKLIN. And only at this point did the Kieran fellow actually realise the game was up and confess that he had basically lied this other chap into prison and taken away two years of his life. And he's now facing decades. He hasn't been sentenced yet. He pleaded guilty, but, you know, he's facing some massive sentence, not so much for the fraudulent loans, but basically for lying this guy into prison.


CAROLE THERIAULT. It's really scary.


PAUL DUCKLIN. It's quite terrifying that he was—


CAROLE THERIAULT. Yeah.


PAUL DUCKLIN. Basically by putting all these fantastic automated checks and balances that are possible only because we're in the internet age, the mobile phone number that's associated with the account, the security questions, by doing all the heavy security, but by applying it in a flawed way. Clearly, if someone comes in saying somebody set up an account in my name, then calling up the person who claims to own that account, it's never going to resolve it properly. Now, that doesn't mean— so you use a different way of checking whether the person who's turned up is the fraudster or not. Surely. So eventually, this was sorted out.

But there are a few tips that I've got that can help you deal with this.


GRAHAM CLULEY. Oh, please, please. Because I don't want to go to jail for two years if there's another Graham Cluley out there.


CAROLE THERIAULT. You Google yourself enough, Graham. You'd know right away.


PAUL DUCKLIN. The problem with tips for things like this is that there's not much that William Woods, the real William Woods, could have done about it. So my first tip is not, if you ever get a job at a hot dog stand, be suspicious of anyone else, because he couldn't control this. Somebody had gone off and then some years later had decided to use his information.

So the first two tips really are actually for people like the banks — don't build this kind of closed loop into your system where a potential flaw in the system can simply spiral and make the thing worse and re-re-reconfirm it. And also, actually test your own contact and validation processes.


CAROLE THERIAULT. It's so obvious, right?


PAUL DUCKLIN. A real-world role play where somebody actually phones up and tries to go through the process and notes, is it asking somebody to present the passport they're saying they lost?


GRAHAM CLULEY. Yeah.


PAUL DUCKLIN. Am I going to ask this person questions that if they're telling the truth, they cannot possibly answer by definition? So that's really not for the individual — that's for, you know, if you're building a system like this, don't do it on the cheap.

But as an individual, all I can really recommend, given that you can't stop somebody else suddenly deciding, hey, I'm going to pretend to be Graham or I'm going to pretend to be Carole or whatever, is firstly, I recommend that you do try and keep as much physical evidence as you can, actual real evidence with which you can corroborate things like your identity, where you live and your personal history. And if you lose the documents, then do your best if it's possible to replace them and keep a record of when you think you lost them, just so you have something to give some credibility to your story if you need to challenge somebody else who's claiming to be you, whether they actually have your documents or not, or if they just made it up.


GRAHAM CLULEY. Hmm.


PAUL DUCKLIN. The second thing is, and I think this is an easy mistake to make these days, is when you're keeping evidence of your identity, avoid keeping it only in cloud or online archives. Have a physical copy that you keep yourself somewhere, even if you need to rent something like a safe deposit box at the bank, old school, to do it.

Because after all, if somebody does take over your account, then not only can they see all your stuff, but after they've copied it, they can then go and erase the history of who you were, which would make it much harder for you to re-establish your credentials in the future. And thirdly, I strongly recommend that you find out and practice, if need be, how the recovery process works for any of the really important services in your life.


CAROLE THERIAULT. Whoa, that's really hard though. That's really difficult, don't you think?

Because I mean, you can read about it and they say call us, you know, just get in touch. I've recently been through this — I lost my wallet two weeks ago. So I've been through this and, you know, there's not a lot of information until you get into the system because you have to call them and then talk to them, right?

And I'm not sure how they would take to people calling up going, could you just walk me through it just in case I've lost my stuff?


PAUL DUCKLIN. You're right, that's a good point. You can't phone up and pretend to have lost your password because then you would— that is fraud. What I really mean is don't leave it until you're in a panic to go and try and find out what to do, because there's a sort of flip side to that tip, which is when you have lost something, be very, very careful about responding to correspondence you get about compromises on your account, because that's an old trick that cybercriminals use. They will say, "We have detected fraud on your account, we have found your wallet, your passport has been handed in," whatever it might be. Please contact us.

And they will include the contact details in the message they sent you. And when you're in a panic, when you're feeling nervous, when you're not quite sure, it's easier to fall into that kind of almost a honeypot trap than if you've actually gone and found out the information in advance.

It's easier if you do need to phone up your bank or if you do need to go into the branch and say, "Look, what do I do if I lose my card?" And actually have someone tell it to you face-to-face. You can't do that if it's 2 o'clock in the morning and you're in a panic, or if you're far away and you've lost your card and you want to do something right now.


CAROLE THERIAULT. Sage advice.


GRAHAM CLULEY. Well, it's an extraordinary story. I can just add one final tip, which is if it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck. But it might be a guy you used to work on a hot dog stand with.

And that, I think, is something we can all— I've even tuned it specifically to you for that one, Duck. I hope you appreciate it.


CAROLE THERIAULT. Did you?


GRAHAM CLULEY. Carole, what's your story this week?


CAROLE THERIAULT. OK, so as I said earlier, it's the glut of annual reports. They're all hitting the headlines now. This is because 2023 ended 5 months ago, and experts out there have had time to review their findings and pull together media-savvy reports to help us better understand what's going on out there.


PAUL DUCKLIN. Have you got any reports for next year yet? Because that's the other trick, isn't it? You go, hey, we'll get ahead, we'll do our predictive report.


CAROLE THERIAULT. And because this is Smashing Security, I'm going to focus on the future of scams. But this is no, you know, hahaha matter.

Recently reported in The Guardian, UK fraud more than doubled in 2023 to £2.3 billion, marking it one of the top years for scams in the last two decades. And even UK banks have warned of an epidemic of scams.

Barclays said last year that more than 70% of scams were happening on social media, online marketplaces, and dating apps. No surprise really, London and the Southeast of England remain the biggest UK fraud hotspots with a 43% increase in reported cases.


PAUL DUCKLIN. Why do people say things like that? You just look at the population density of the United Kingdom. Yes.


CAROLE THERIAULT. Yes, that's what I'm thinking too.


PAUL DUCKLIN. Seriously.


CAROLE THERIAULT. But so what are these scams, right? I thought I'd take a little peek at recent media reports on just what to look out for now that it's 2024.

Now I took out the ones like impersonation scams and phishing scams and romance scams because we talk about that all the time. But here are a few terms that I was less familiar with and maybe our listeners are too and maybe you guys are too.

Have you heard of the term ghost brokers?


PAUL DUCKLIN. I'm just seeing a— oh, is it a 1980s film flashing before my eyes?


CAROLE THERIAULT. This is City of London Police warning young drivers about the ongoing threat of ghost brokers, scammers who sell invalid car insurance policies.


PAUL DUCKLIN. Oh, that kind of broker.


CAROLE THERIAULT. At unrealistically low prices. So after making a sale, the scammers send their victims fake insurance documents, or they might even take out a real policy but falsify the details such as the age or the address or the history to bring down the premium. And most victims of ghost brokers, of course, don't even realize that they've been scammed until they need to make a claim, which of course doesn't go through. And these things apparently tend to be canvassed on social media and word of mouth. But I'd never heard that term. So ghost brokers, that's one.


PAUL DUCKLIN. That's quite terrifying, isn't it? Because in the UK, driving without valid insurance is actually quite a serious crime. You can go to prison for it. You certainly get a massive fine and can get banned from driving. And technically, I guess it's not really an excuse to say, well, I bought this policy and now it turns out it's invalid. Your duty is to know that. But how do you tell?


CAROLE THERIAULT. Exactly. So read your Ts and Cs very carefully and also maybe call them directly.


PAUL DUCKLIN. So this is where somebody literally, they sent you a policy, but when they applied for it— and it's a real policy— but when they applied for it, they actually lied about who you were. They said you were older and you lived in a safer postcode, or it's completely fake, right?


CAROLE THERIAULT. It's completely fake, so it doesn't exist at all. So you might call the original insurance broker and they go, we haven't heard of you, we have nothing on you here.


PAUL DUCKLIN. Plus there are 3 Ms in our company name, not 4. But yeah, how do you know? I don't have a car anymore, but when I had a car, you just get this thing through the mail and it's a certificate and it looks— I mean, these days it'd be 10 minutes' work with a scanner to make a fake one. It never occurred to me in the past that I should then phone the company up with a number I got myself and say, "Can I just confirm this?" That I exist, yeah. That this is real. Yeah.


GRAHAM CLULEY. Wow. What other scams are there, Carole?


CAROLE THERIAULT. What about quishing?


GRAHAM CLULEY. Oh, I know that one.


CAROLE THERIAULT. Do you? Okay, tell me about quishing.


GRAHAM CLULEY. I think it's QR codes, isn't it?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Yeah. So people are slapping up QR codes in places, and apparently youngsters are pointing their cameras at QR codes and then clicking on the links. It can't be that big a deal really, can it, compared to traditional phishing? I'm not sure.


PAUL DUCKLIN. But there are some places where you kind of rely on those codes, Graham. Like in some cities and towns in the UK now, you can no longer pay for parking with a credit card or with cash, right? So drivers go to the parking thing, you know, where you used to put in your credit card or used to put in a £2 coin, and it just says pay by phone. You go, I haven't got the app. There's a QR code and it's— ah, they're stuck on the machine because they're kind of new.


CAROLE THERIAULT. Exactly.


PAUL DUCKLIN. Yeah, on top of the one that's stuck on the machine is another one stuck on that takes you to a site that looks like the real deal. You know, you're away from your car, it's technically illegally parked. I can see why people would go down a rabbit hole with that. Okay.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And it became quite popular during COVID because you'd often go— if you went to restaurants and bars, you know, between lockdowns, that's how you would get your menu, right? You'd have QR codes on the table. So people got really familiar of all ages, Graham.

Maybe you didn't, but most people got really familiar with QR codes during that, and they trust them. Number 3, cloaking.

Cloaking. This is where malicious adverts are able to get past a social media firm's review stage because fraudsters have hidden their intentions.

So when the advert is first placed on Facebook, the link goes through to a harmless page, one that doesn't try to con you out of your cash. But once it has been approved by the Facebook dudes, the fraudsters then put a redirect that instantly takes people somewhere else.


GRAHAM CLULEY. Yeah, this is something cybercriminals can do. If they sent out a malicious URL, it could be that it's a one-time only.

And when a security researcher, for instance, goes to check it out later, or your guy in the IT department, it takes someone somewhere completely safe. And they think, well, you didn't have to worry about that.

It looks like it really goes to the legitimate site.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. And maybe it didn't initially.


CAROLE THERIAULT. Yep. Another one, tapjacking.


GRAHAM CLULEY. Tapjacking. Oh, hang on. Is this something to do with tap in to pay?


CAROLE THERIAULT. No, this is a weird one.


PAUL DUCKLIN. Is it like clickjacking on a mobile phone where you don't actually have a mouse?


CAROLE THERIAULT. Okay, so this is where scammers hijack your smartphone screen, forcing you to perform actions on your phone without you realizing. So it works by showing an overlay on your phone screen which appears clickable, but in reality it's an image which prevents you from seeing what you're actually clicking on.

So imagine in a mobile game, for example, you may appear to be engaging with the game's elements. But in fact, your clicks are making in-app purchases or signing you up to subscriptions via an invisible screen underneath the overlay.


PAUL DUCKLIN. Hmm.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. This is according to Which.


PAUL DUCKLIN. So it is what we used to call clickjacking in browsers.


CAROLE THERIAULT. Yeah.


PAUL DUCKLIN. Now, aren't mobile phone operating systems these days supposed to stop that happening, in the same way that browsers on laptops took that approach, that one app isn't supposed to be able to paint over the top of another, for exactly that reason?


CAROLE THERIAULT. It depends where you get your apps though. So if you're not getting them from the actual Apple App Store or the Google Play Store or wherever, you know, legitimate place you get your apps, maybe you're at more danger of this.

The final one, AI and deepfake scams, of course, as we discussed last week, it's election year, not only in the UK, but in more than 40 countries around the world. As more than half the world's population goes to the polls, incentives for bad actors to misuse AI have, you know, probably never been higher.

You could probably say that every single day. In January, The Guardian reported discovery of more than 100 deepfake videos on Facebook impersonating Rishi Sunak, and these phony clips reportedly led to web pages mocked up to look like BBC News articles, which promoted an investment scam.

So we've heard about these all the time. So all this makes for bleak reading, but there is a sliver of good news.

These losses are likely to be cut down when the government Canada's new fraud strategy, which places a blanket ban on cold calls offering financial services, comes into play. So in 2024, victims of APP scams must be reimbursed by their banks or payment processors for their losses.


GRAHAM CLULEY. What's APP?


CAROLE THERIAULT. So APP scams is authorized push payments. So where victims are tricked into sending money directly to a criminal.


GRAHAM CLULEY. Interesting. Okay.


CAROLE THERIAULT. And according to UK Finance, which produces an annual report, yet another one, £239 million was lost to APP fraud in the first 6 months of 2023, with more than 100,000 recorded cases by UK banks and building societies. This is according to Forbes.

Ah, the UK government has also recently launched a Stop Think Fraud campaign. Have you seen this?


GRAHAM CLULEY. Stop thinking and defrauded.


CAROLE THERIAULT. It's "stop, exclamation mark, think fraud." Okay, the advice really, but same as always.

They even say there are many types of fraud with new ones appearing all the time, and there are psychological tactics fraudsters commonly use. These tactics have as their sole aim making people act before they have time to stop, think, and check if it's genuine.


PAUL DUCKLIN. Well, the US Public Service has had that stop.think.connect tagline that they've trotted out for years in, was it Cybersecurity Awareness Month? And it's one of those things that I've always liked because it's when you do things in a hurry that you're more likely to make a mistake, whether that's calling the wrong number when you've lost your bank card because you're in a panic and calling the crooks by mistake, or responding to something that you think your buddies have posted, but actually they haven't because their account was hacked.

So I think that's great advice for everything. You don't always have to reply to everything the second you see it online, apparently.


CAROLE THERIAULT. Yeah, no, I totally agree. Now, there's links in the show notes here to this page, but they go into some detail for how to spot a phishing email, a fake text message, phone fraud, fake online adverts, fake websites, doorstep fraud, and postal fraud.

And all these things are things that we, the public, potential victims, need to do simply in order to keep us safer online. But I found a really, well, crazy one, just beyond the pale for me.

So it's centered around AI scams, and it's based on McAfee research. And the idea is for people to listen to breathing patterns.

Apparently AI is shit at breaths. So according to The Sun, who reported this, a McAfee spokesperson said another marker of a possible fake is when the speaker doesn't appear to breathe.

AI tools don't always account for this natural part of speech. And they say it's subtle, it's subtle.

But when you know to listen for it, you'll notice when a person doesn't pause for breath.


PAUL DUCKLIN. I don't think that's going to be terribly effective if you look at how good sound filtering has become.


CAROLE THERIAULT. Agree.


PAUL DUCKLIN. You know, on Zoom meetings where you can set the automatic background level correction, it's got pretty jolly good these days. So you tend not to hear a lot of the tapping and the breathing and the— I nearly said farting— that goes on in the background.

So I wonder whether that's really practicable.


GRAHAM CLULEY. And then there are people who just speak very quickly, you know, they're "yeah, but no, but yeah, but I was doing this, I did, and I'm gonna take this happen," and they don't hardly pause for breath.


CAROLE THERIAULT. Are you suggesting I'm one of those people?


PAUL DUCKLIN. I didn't make that inference, Carole, if that makes you feel better.


CAROLE THERIAULT. Let's move on quick.


GRAHAM CLULEY. When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Now you can assess risks, secure the trust of your customers, and automate compliance for ISO 27001, SOC 2, and more with a single platform. And that platform is Vanta. Vanta's market-leading trust management platform helps you continuously monitor compliance alongside reporting and tracking risk.

Plus, you can save hours by completing security questionnaires with Vanta AI. Join thousands of global companies like Atlassian, Flow Health, and Quora that use Vanta to automate evidence collection, unify risk management, and streamline security reviews. Smashing Security listeners get 20% off Vanta. All you have to do is go to vanta.com/smashingsecurity to claim your discount. That's vanta.com/smashing. And thanks to Vanta for supporting the show.


CAROLE THERIAULT. If a security software company said they could help you reduce the permissions attack surface in your cloud by 92% with a click of a single button, what would you say? Smashing Security just made achieving least privilege easy with the Cloud Permissions Firewall, a scalable solution that easily restricts excessive permissions from human and machine identities, quarantines unused identities, and disables unused regions and services without any disruptions.

Even better, the solution maintains this level of risk reduction by automatically enforcing least privileged policies as new identities are added to the environment. What's better? The fact that you can test drive Sonrai's Cloud Permissions Firewall for free for 14 days. Just visit smashingsecurity.com/sonrai. That's smashingsecurity.com/sonrai. That's S-O-N-R-A-I.


GRAHAM CLULEY. You've probably heard us talk about Kolide before, but did you know Kolide was just acquired by 1Password? Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first. For over a year, Kolide Device Trust has helped companies with Okta ensure that only known and secure devices can access their data.

And that's what they're still doing, but now as part of 1Password. So if you've got Okta and you've been meaning to check out Kolide, now's a great time. Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of.

Plus, you can use Kolide on devices without MDM, like your Linux fleet, contractor devices, and every BYOD phone and laptop in your company. Now that Kolide is part of 1Password, it's only going to get better. Check it out at kolide.com/smashing to learn more and watch the demo today.

That's k-o-l-i-d-e.com/smashing. And thanks to them for supporting the show. And welcome back and join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something that could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.


PAUL DUCKLIN. He's not breathing, Carole. He's not breathing. Must be scamming.


GRAHAM CLULEY. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week, occasionally I've had the odd nitpick of the week. I thought maybe people are getting fed up with my nitpicks, so maybe I should actually share something truly joyful. And in a conversation I was having with my partner, oh, how the nights fly by, how we have fun, when we began to discuss, and I wanted to share with you as well, collective nouns.

What a wonderful thing. I got into a spot of bother with her because I referred to a gaggle of women who I had seen, which apparently is an offensive term. And so this got me looking into—


PAUL DUCKLIN. What, because you're calling them geese?


GRAHAM CLULEY. Yes. And apparently—


PAUL DUCKLIN. Quack, quack.


CAROLE THERIAULT. I love your partner so much. These things finally.


GRAHAM CLULEY. And I knew the gaggle of geese would upset Duck. But the—


PAUL DUCKLIN. No, geese are my cousins, my totem, partial totem.


GRAHAM CLULEY. Right, okay.


CAROLE THERIAULT. Yeah, and they honk, don't they? Honk!


GRAHAM CLULEY. Anyway, it's very personal. It got me looking into the origins of the word gaggle in reference to women and so forth. Goes back to the 1600s or something. But I also came across a wonderful list of other collective nouns, which tickled me so much that I wanted to share them with our listeners.

So I'm going to share them with you right now. I'm going to share some of these. So, for instance, we have an absence of waiters.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. A rash of dermatologists.


PAUL DUCKLIN. You notice how none of us was breathing there, Graham.


GRAHAM CLULEY. A clutch of car mechanics. A lot of auctioneers.


PAUL DUCKLIN. Oh dear, that's quite— I quite like that.


GRAHAM CLULEY. Very clever. It's very clever. A mass of priests.


CAROLE THERIAULT. A murder of crows.


GRAHAM CLULEY. Murder of crows. Yes, that's a good one. A horde of prostitutes. I thought that was very clever.

I always thought it was a congress of prostitutes, but it's a horde apparently. Depression of weather forecasters. Anyway, I can tell that you two are just as amused by these and delighted by these as I am.


PAUL DUCKLIN. I want to know what the collective noun is for these lists of collective nouns. That's what I've been waiting for.


GRAHAM CLULEY. A waste. A waste, I think.


PAUL DUCKLIN. A congregation of collective nouns. A conglomeration. A convocation.


GRAHAM CLULEY. Well, what a wonderful thing it is that we have these fascinating collective nouns. And I wonder if we have collective nouns which are similarly entertaining in other languages. I presume we do, and we're completely unaware of them here in old Blighty.


CAROLE THERIAULT. Well, we're also completely unaware of their words that they use.


GRAHAM CLULEY. No, but they could translate them. Maybe listeners, maybe some of our, you know, Swedish listeners, for instance, could get in contact with us and say, we have a very amusing collective noun for saunas or something like that. Or, you know, which they would be able to share with us.

And then my sides at least would be aching with merriment if some of our listeners were to share them. So I very much liked it. And that is why collective nouns is my pick of the week.


CAROLE THERIAULT. Are my pick of the week?


GRAHAM CLULEY. Potentially. Duck, what's your pick of the week?


PAUL DUCKLIN. Well, I wasn't sure what to do because I thought of a whole load of things that had annoyed me and I thought, well, they're not really picks, are they? And I guess, you know—


GRAHAM CLULEY. You can have a nitpick. You are allowed to have a nitpick. Pick these days.


PAUL DUCKLIN. Yeah, I know. But I think after your— how can I put this— the famous company beginning with A experience from you, I thought maybe I'll try and get something I really liked and was upbeat. Now, the problem is that it is a pick of the week because it happened in the last week, but there's a 1 in 4 chance roughly that it would happen anytime I was on the podcast.

And that was simply that I went out this last full moon. Which was within the last one week, and you turned into a werewolf. Okay, no, I love full moons, going, you know, going out in the middle of the night, particularly if you go on a bike ride. It's quite nice because, you know, you could— you get to see more wildlife. But it was, it was just a— it's a fantastic thing if you don't do it.

You know, you go around about midnight, and it was a miserable day. It was cloudy, it was dark. I thought, oh well, I'll just go out and see. And as I walked out, the clouds parted and then I went to a little nature reserve that's near where I live and I walked around and it was amazing.

It was actually bright enough to see in color, which you don't normally get at night. You normally see black and white.


CAROLE THERIAULT. Wow.


PAUL DUCKLIN. And then I walked around for a bit, nearly fell in a pond, but that's another story. And literally as I turned into the driveway to my flat, the clouds closed over and it went dark again and I just thought, well, nicely done.


GRAHAM CLULEY. Well done, Duck. Well done.


PAUL DUCKLIN. So if you haven't had a full moon experience, maybe next month, give it a try. Assuming there's no clouds where you are.


GRAHAM CLULEY. Okay. Beautiful. Lovely. It's almost poetic, actually. Carole, what's your pick of the week?


CAROLE THERIAULT. For my pick of the week, I have chosen a harrowing— we decided, my husband and I, that this is the word— harrowing Netflix series called Baby Reindeer.


GRAHAM CLULEY. Oh.


CAROLE THERIAULT. If you're the type of person that only likes sunshine and rainbows in your shows, this is not for you, okay?


PAUL DUCKLIN. Baby Reindeer.


GRAHAM CLULEY. Mm-hmm.


PAUL DUCKLIN. Is this a sequel to Seal Clubbing International or something?


CAROLE THERIAULT. No, no, no, no.


GRAHAM CLULEY. This has been a very controversial program.


PAUL DUCKLIN. Oh, really?


CAROLE THERIAULT. It has been. And I, of course, I don't read the papers, so yeah, I had no idea.


GRAHAM CLULEY. I haven't seen it, but I've read the news stories, yeah. Mm-hmm.


CAROLE THERIAULT. So you have to imagine a struggling stand-up comic working behind a bar at a pub in London. And a middle-aged lady walks in one day boasting that she's a high-flying lawyer and yet strangely unable to afford to buy herself a cup of tea.

And feeling sorry for her, our Glaswegian university graduate Richard Gadd offers her a cup of tea on the house. And this act of kindness flips Gadd's life into a weird and complex hellscape because the lady turns into a pretty serious stalker.

So for over 4.5 years, Gadd says he received 41,000 emails and change, more than 740 tweets, letters totaling 106 pages, and 350 hours of voicemail messages from this woman who he kindly offered a cup of tea. And Gadd ended up writing about his experiences.

It won an Edinburgh Comedy Award and then was transferred to the Soho Theatre in London for an 8-week run before ending up on Netflix. And it stormed Netflix with more than 13 million views in the last fortnight and reaching number one on the Netflix charts in 30 countries, including the US and UK.

And Gadd wrote and directed the 7-part miniseries in which he stars as the character Donnie Dunn, which is based on his experiences. Now, as you say, Graham, there's been loads of hype because Gadd says he fully disguised his stalker's identity, but it seems he didn't do a good enough job as the internet sleuths decided to work out who she is.

There's also harrowing and disturbing scenes between Gadd's character and a known comedy writer, which the internet PIs were determined to find out who it was. And it got ugly to the point where West Midlands Police stepped into the fray after a string of false accusations and threats were made on social media against a prestigious theater director.

But all this blah blah, put that aside. I think it is important television.

Because I've rarely seen a male character present themselves with such vulnerability. I, like most women, have experienced not so nice things in my past, and I found the writing and reactions rang really true.

So, it's described by The Telegraph as a show that sucks you into a very troubled mind, and comedy as personal catharsis is taken to a whole new level. And I would agree with both those statements.

I think it's worth a gander, but only if harrowing viewing is in your wheelhouse. So that's Baby Reindeer on Netflix, my pick of the week.


GRAHAM CLULEY. Why is it called Baby Reindeer?


CAROLE THERIAULT. I can tell you, but it's kind of— they explain that in the final episode.


GRAHAM CLULEY. Oh, well, don't tell me then.


CAROLE THERIAULT. I can tell you that she calls him that. She keeps calling him Baby Reindeer.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. But there's a reason, which is disclosed at the end.


PAUL DUCKLIN. Go on, tell us. We just— we'll put in spoiler alert.


CAROLE THERIAULT. Mm-mm. I got in trouble with so many listeners when I've given away some things. Nuh-uh. Sorry, Duck.


PAUL DUCKLIN. So is the collective noun for what happened to this chap a deluge of doxing?


GRAHAM CLULEY. Well, that just about wraps up the show for this week. Duck, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What is the best way for folks to do that?


PAUL DUCKLIN. The easiest way to find me is pducklin.com or paulducklin.com if you want to use my full name. And you can find me on that thing now known as X @duckblog. And I am P Ducklin on LinkedIn.


GRAHAM CLULEY. And you can follow us on Twitter @SmashingSecurity, no G, Twitter allows to have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts.


CAROLE THERIAULT. And massive thanks to our episode sponsors, Sonrai, Vanta, and Kolide, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 369 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye.


CAROLE THERIAULT. Bye-bye.


GRAHAM CLULEY. Bye.


PAUL DUCKLIN. A blast of byes.


CAROLE THERIAULT. Last of 5.


GRAHAM CLULEY. Beautiful.

-- TRANSCRIPT ENDS --