
107: Sextorting the US army, and a Touch ID scam


Fitness apps exploit TouchID through a sneaky user interface trick, tech giants claim to have a plan to banish passwords, and you won't believe who was behind a sextortion scam that targeted over 400 members of the US military.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by ferret-loving ethical hacker Zoë Rose.

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Zoë Rose.




Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. I would imagine these people weren't connecting with these women and entering on an online romantic relationship because they both shared a love of jigsaws. I think the initial— it could have been, it could have been.


ZOE ROSE. I mean, if you want to catfish me, you just have to be obsessed with ferrets. Okay, but you'd probably have to be a brunette because I'm not a huge fan of blondes.


GRAHAM CLULEY. Okay, all right, thank you.


CAROLE THERIAULT. Well, there you go, this show takes a new turn.


UNKNOWN. Smashing Security, Episode 107: Sextorting the US Army and a Touch ID Scam, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 107. My name is Graham Cluley.


CAROLE THERIAULT. I'm Carole Theriault.


GRAHAM CLULEY. Hello, Carole!


CAROLE THERIAULT. Every episode you mangle my name.


GRAHAM CLULEY. What have I said? Carole.


CAROLE THERIAULT. Carole.


GRAHAM CLULEY. Carole Theriault. Yes, Carole Theriault. And we're joined by a special guest, someone who hasn't been on the show before, have you? It's Zoe Rose. Hello, Zoe.


ZOE ROSE. Hello. Well, according to the recorder, I'm actually Zoe, but—


CAROLE THERIAULT. That's right.


GRAHAM CLULEY. Our web-based recording software can't handle extended characters properly. And so it's—


CAROLE THERIAULT. Isn't it an umlaut?


ZOE ROSE. It is.


GRAHAM CLULEY. Yeah. Yeah. It's messed it up, hasn't it?


ZOE ROSE. Yeah. It's just a dash. I usually get a box. Sometimes an X.


GRAHAM CLULEY. Do you find sometimes that your, the extended character in your name actually causes problems when you're creating accounts online?


ZOE ROSE. Yes. So sometimes programs accept the extended character but can't handle it. So instead of using it and, like, just showing it, probably it shows up the first time, but in the backend it's actually this really messed up thing that I don't even recognise. And so what happened recently, I was writing an exam and in the system, every time I logged in, my name got longer and longer. And it ended up being like a full sentence, like it looked like a full sentence. It was huge.


GRAHAM CLULEY. So we met at a security conference in Seville where we were both speaking, but why don't you explain to people what you do for a living?


ZOE ROSE. I guess my unofficial title is ethical hacker, where I basically was hired at this current organization to, for my hands-on experience, my ability to look at humans and human behavior and do a bit of social engineering, but for good, to help raise awareness and build balanced cybersecurity programs.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. So we have a fantastic lineup today. Graham, you are talking about the US military and how they've gotten duped by somebody.


GRAHAM CLULEY. By sexy ladies, yes.


CAROLE THERIAULT. By sexy ladies. And Zoe, you are talking all about iOS apps not being always perfectly clean from bad stuff.


ZOE ROSE. Correct.


CAROLE THERIAULT. And I'm talking about how much we hate passwords, but don't worry, someone has a solution for us all.


GRAHAM CLULEY. Passwords are pretty cool. If you've got a good password manager, passwords are all right.


CAROLE THERIAULT. Yeah, absolutely. Password managers make everything much easier, don't they?


GRAHAM CLULEY. Yes, it's true, we love password managers, and we believe that your company could really benefit from running an enterprise password manager, a password manager like LastPass. Protect your organization. Make sure that all of your staff are using sensible, secure, unique passwords and have proper management of their password security. Go and check them out at lastpass.com/smashing, and thanks to LastPass for supporting the show. And welcome back. Now, chaps, can you imagine how lonely it must be if you're a serving member of the Army or the Navy or the Air Force and you're away for months and months on end on the other side of the world? Must be miserable, mustn't it?


CAROLE THERIAULT. Especially if you're fighting for something you don't necessarily believe in.


GRAHAM CLULEY. That's got to suck doubly. Well, yeah, that wouldn't be much fun. But you know, you're away on active service for months at a time. You're not seeing your loved ones. You're finding it hard to maintain a long-distance relationship. You know, maybe your partner has got off with the milkman or something like that. You're just feeling generally disconnected from the world, aren't you?


ZOE ROSE. Yeah, and people, we need connection, we need collaboration and communication.


GRAHAM CLULEY. And one of the ways in which people are trying to fix that problem is they might turn to the internet and social media, because even if you're serving these days, you're probably taking some internet-enabled device or a smartphone with you in an attempt to keep in contact. So you're using the internet, using social media while you're away serving your country. But beware, take heed of my words which are coming, because investigators have just broken up a criminal ring, which has targeted over 400 members of the US Army, Navy, Air Force, and Marine Corps via social media forums and online dating sites.


CAROLE THERIAULT. A criminal ring which were targeting people in the Army. So you're saying these poor, lonely soldiers, not only they have to contend with everything that they have to contend with, but they are also being targeted.


GRAHAM CLULEY. That's right. And so what this investigation has done, it's an investigation, by the way, called Operation Surprise Party.


ZOE ROSE. I love it.


CAROLE THERIAULT. That's a fun title. That's jolly.


ZOE ROSE. That's the best part of being in security is choosing the titles, I think.


GRAHAM CLULEY. Yeah, working out the code name or the name of the operation. Operation Surprise Party is an 11-month investigation carried out by NCIS, the National Criminal Investigative Service. NCIS, I believe, have their own TV show, don't they? It's like CSI. Where they're doing sort of naval criminal—


CAROLE THERIAULT. Oh, NCIS.


GRAHAM CLULEY. Oh, is that how you say it?


CAROLE THERIAULT. That's how I've always thought. I had no idea what you were talking about until I saw it.


GRAHAM CLULEY. Oh dear.


CAROLE THERIAULT. No, no, it's cute. It's cute.


GRAHAM CLULEY. Are you saying I'm not on fleek and I don't know all these? I don't know all the current phrases. Okay, NCIS. That sounds much more likely. Yes. So NCIS, they've just busted open this criminal ring.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And what was happening was this. The bad guys were posing convincingly as attractive young women.


CAROLE THERIAULT. Convincingly.


GRAHAM CLULEY. Yes, well, exactly. Otherwise it wasn't going to work.


CAROLE THERIAULT. Exactly. How do you convince someone of attraction?


GRAHAM CLULEY. Well, let me explain. They weren't actually doing this face to face in real life. They were doing this over the internet. And so they managed to fool people into believing that they were genuinely the people whose photographs that they were using. Because what they were doing was they were trying to hook the hearts of lovelorn military members, and they managed to steal $560,000 from over 400 members of the military.


ZOE ROSE. That's called a honey trap, isn't it?


GRAHAM CLULEY. Exactly, or catfishing.


ZOE ROSE. Yeah, yeah, yeah.


GRAHAM CLULEY. The interesting thing is, well, how did it work? How did this scheme work? Well, let me explain to you exactly how it worked, and you can try and work out how it worked. Tell me how it worked. Right, well, the bad guys would connect with a member of the US Army or Navy or Air Force posing as an attractive female. It was typically that way. It sounds as though most of the victims were men. As far as I can work out. But with the base—


CAROLE THERIAULT. I love how the word attractive is in there. Like, that's not, you know, personal choice.


GRAHAM CLULEY. It's just like, what, they don't like blonde, blue-eyed— No, no, I haven't said blonde hair and blue-eyed. Who says blonde hair and blue eyes is attractive?


ZOE ROSE. Society?


GRAHAM CLULEY. Well, some members of society. Other ones like brown-eyed brunettes or ginger-haired girls or blue-haired girls.


ZOE ROSE. I think gingers are much better. Oh, there you are.


CAROLE THERIAULT. Great colour.


GRAHAM CLULEY. So the thing was that I would imagine these people weren't connecting with these women and entering on an online romantic relationship because they both shared a love of jigsaws. I think the initial— it could have been, it could have been.


ZOE ROSE. I mean, if you want to catfish me, you just have to be obsessed with ferrets. Okay, but you'd probably have to be a brunette because I'm not a huge fan of blondes.


GRAHAM CLULEY. Okay, all right, picky.


CAROLE THERIAULT. Well, there you go, this show takes a new turn. I'm very excited.


GRAHAM CLULEY. The point is this: so if you're trying to target Zoe, then yes, okay, you have to be into ferrets and you have to be a blue-eyed blonde— no, sorry, a brunette. See how rubbish I am at these? A brownette. But what happened was this, right? So they're lured into this online romance and the inevitable happens. Saucy photographs are exchanged. Now, have you worked out how at this point they make their money?


CAROLE THERIAULT. I don't know how that works. It's like, hi, hi, want to see my boobs? Sure. Is that really— is that how it works these days?


ZOE ROSE. No, I feel like— I feel like— haven't you seen the memes online? It's like, it's send nudes. That's all they do.


CAROLE THERIAULT. Send nudes and then I'll speak with you.


ZOE ROSE. Yeah.


CAROLE THERIAULT. Don't even— let's not even type. It's too hard to type. I mean, to be honest, show me your junk.


ZOE ROSE. Pretty much. I mean, I'm— I don't know how to date, so don't ask me.


CAROLE THERIAULT. But I've just been out of the world too long.


ZOE ROSE. I don't think I've ever been in it. I've always been dating.


GRAHAM CLULEY. So you might imagine that what the bad guys then do is that they blackmail the people they've been speaking to, saying, "Haha, we've got pictures of your—" Would that be that productive though?


ZOE ROSE. Because I mean, some people would just be like, "Yeah, that's cool." Well, you wouldn't necessarily want it sent to your mother or to—


GRAHAM CLULEY. You know what, I feel like my mum would be like, "Yeah, I made that." So we have, of course, seen many situations where sextortion occurs. Someone catfishes you, they get pictures of you and they say, "Haha, we are going to send this to your online contacts and your Facebook friends and your family and, you know, your— the people who you work with, and it's going to be embarrassing for you unless you give us money." But that isn't what they did here. What happened here is that the bad guy would then contact the member of the US military claiming to be the young woman's father and saying that the young woman was underage. Oh, shit. That's brilliant.


ZOE ROSE. Because you know what? That's like—


GRAHAM CLULEY. I think the word you're looking for there, Zoe, is evil. It's not brilliant, it's evil.


ZOE ROSE. But it is brilliant though, if you think about it, because they don't really have to prove they're underage. The minute you say that, everyone's like, holy shit, stop everything and freak out, because, like, they have to get rid of all the images, they have to, like, do disclosures. Like, even being an ethical hacker, I can find illegal stuff online, but the minute I find anything about children, I have to report it or I'm in trouble. I mean, it's evil, yeah, but it's, like, a brilliant approach.


CAROLE THERIAULT. It's brilliantly evil. Graham, where did you meet this ethical hacker? So this happens to them, that the panic just must be unbelievable.


GRAHAM CLULEY. They get contacted by someone who they believe is the father and they're going, oh my goodness. Yeah. Or worse, I'm in a spot of bother here. And also the bad guys would get in touch claiming to be a police officer, saying that they were demanding money on behalf of the family in exchange for not pursuing charges. Wow.


CAROLE THERIAULT. I'd just be like, out of your jurisdiction, dude.


GRAHAM CLULEY. Well, you would imagine that someone who's working for the military might think, well, you know, maybe I would toughen this out, but I wonder what would my commanding officer think?


ZOE ROSE. I suspect they'd be dishonourably discharged, wouldn't they? I would imagine so. I would hope so.


CAROLE THERIAULT. Yeah, they think they've got like pictures of kids in compromising positions on their phones, right? Yep.


GRAHAM CLULEY. Okay, so— Nasty. Yeah. So the plan was the catfished military members, you know, would be so frightened, obviously, of the damage to their careers, damaged relationships, etc., over possessing what they now believed to be illegal images of juveniles, that they would pay up. And plenty did. As I said, over $560,000 was stolen by this gang. Now, what's interesting, I think, is who was behind this dastardly scheme? And this is where it takes a complete twist to the surreal. Okay. Because the people who were perpetrating this were prisoners. Prisoners? They were inmates in South Carolina's jail system. Wow. And they have— That's brilliant.


ZOE ROSE. They have all— they have— there she goes again. They must have the best phishing campaign ideas.


CAROLE THERIAULT. That's it.


GRAHAM CLULEY. They're just locked in their cells for hours and hours thinking, how could we make some money?


CAROLE THERIAULT. Time rich. Time rich. Well, yeah.


ZOE ROSE. And that's how you become most creative, right? Yeah. Having a proper sleep schedule.


GRAHAM CLULEY. Oh my goodness. So what Operation Surprise Party has uncovered is over 200 people in the prison system. Shut up. With some civilian assistance as well. So there were people on the outside as well who were working on this. There's been a bunch of arrests.


CAROLE THERIAULT. But who would be doing the online bit? But who— they don't have phones, or they do have phones?


GRAHAM CLULEY. Oh no, they have phones. Am I just being naive? Many of them have access to computers. Some of them have to pay for it, for the official access, and there's all kinds of scams being done by corporations there as to how much prisoners have to pay to get online access. But you also get smartphones smuggled in as well. Anyway, so there have been hundreds of arrest warrants, summonses for people involved in this, and charges.


CAROLE THERIAULT. I'm surprised someone's already in jail. Well, exactly.


GRAHAM CLULEY. Isn't it fascinating that the criminals are already there? I think we may have to send someone in actually to find out, mightn't we? Graham, I vote you. I vote you. I'll enter the South Carolina prison system. There are apparently another 250— another 250 additional people still being investigated and could face possible future prosecution. So this was huge. And I imagine the prisoners were all sort of like, gobbing off to each other, telling each other what they were doing. And so it's like all of them, it's like, no, no, no, I don't want to go around the exercise yard for an hour. I'd rather go to the library for a while and be on the computer. Thank you very much.


ZOE ROSE. I'm just trying to think of all the upskilling they're doing. Like, that's brilliant. I mean, when they get released, if they ever do, they could be really good ethical hackers. I mean, it would be kind of sketchy.


CAROLE THERIAULT. Contact Zoe, guys.


GRAHAM CLULEY. So Zoe, what story have you got for us this week?


ZOE ROSE. Yeah, so I've got also a scam, but it's a bit different. Nowadays we have apps for pretty much everything that run our lives. Um, we have organizer apps, apps that help us clear our minds and de-stress, track our eating, help us find friends and possibly partners, speak new languages. But also we have apps that help us with healthier lifestyles.


CAROLE THERIAULT. Many, in fact. Yes, too many, I say.


ZOE ROSE. But anyway, there's also this strange belief that for phone security, the Android versus Apple debate, uh, it's always clear-cut and it's easy to understand, but it's not actually that easy. I get that question a lot, and my statement is usually, you know, the process of getting into the Apple Store versus getting into the Android Store by default does weed out some things, not everything, but does kind of help.


CAROLE THERIAULT. Because they have this walled garden thing.


ZOE ROSE. Yeah, like they have to follow specific processes. It takes two weeks to even get through. Like there's quite a bit to it. Yeah, yeah, yeah. Yeah, but one Reddit user actually found that that doesn't necessarily mean every app in the Apple Store is safe. Really?


CAROLE THERIAULT. Yes. Oh no. I know, it's a shock, isn't it, Kryll?


GRAHAM CLULEY. I know, I'm gonna have a seat. I hope you're sitting down, yes.


ZOE ROSE. There was an app that incorporated into the design the requirement to scan your fingerprint to access your health records. And whilst you didn't have to scan your fingerprint, if you waited and it said, "Okay, continue," it would ask you again. And so logically, you know, from user experience and user, you know, design, you think that means it's an authentication for the app. Absolutely. But what it actually was is you were then permitting that app to charge you £99.99. So a very expensive fitness app.


GRAHAM CLULEY. So it told you to place your fingerprint on the, on the Touch ID sensor on the iPhone, and then it suddenly rapidly switched to an in-app purchase, and your finger was still there.


ZOE ROSE. Within a second. My apps don't switch and open that quickly. I wouldn't be able to fall for this scam because my phone's so shit. But anyway, um, so luckily for this Reddit user, they didn't have a card on file. But if you're like me and signed up for your Apple ID years ago, you had to have a card or even just a gift card. And so most people do have their cards built in because it's easy to purchase that way. Which is so much more convenient.


GRAHAM CLULEY. It would be a complete pain if you had to enter your credit card number every time you wanted to make a purchase on the App Store.


ZOE ROSE. Exactly. So yeah, so it's that whole usability versus security issue. And in this case, the usability kind of enabled these, I don't know if you call them hackers, but these malicious actors to get quite a few purchases.


CAROLE THERIAULT. The users must be so pissed off. Yeah, because— Does Apple pay them back?


ZOE ROSE. Well, that's the thing is that I read an article on it and it's like, you can contact Apple to request a refund. But it doesn't actually say anybody did get a refund or if you could get a refund.


CAROLE THERIAULT. So I'm actually quite curious. Right, it's not like there's a big road, like this is what you do. Yeah. Everyone who's been affected, we're here to help you.


GRAHAM CLULEY. I have asked for refunds on apps before. Have you? Oh yeah. Either because I just decided I didn't like the app very much. It's just like, oh, you know, wasn't a very good game, for instance. And Apple has never questioned it. They've just automatically done it. I think, rather like Amazon, they think, you know, we'll take this on the chin, we'll refund you, no questions asked.


CAROLE THERIAULT. But so long as our algorithm says that you haven't done it more than 2 times a month.


ZOE ROSE. But the thing from my point of view is that's the purchase of the app. What about purchases in the app? Can you get refunds on that?


GRAHAM CLULEY. Well, those are, yeah, those are still purchases through the App Store process. So it's not money which goes directly to the creator of the app because of course Apple wants its share, doesn't it? 20 or 30%, or who knows how much they skim off. So you can get those back through the same method as well. And sometimes you can say, oh, I purchased this by mistake, which I think would probably be the correct choice in this particular case. But you should also probably tell Apple that this was an app which was acting in an inappropriate fashion.


ZOE ROSE. So they did actually notify Apple, and it's since been taken off. Um, they actually identified two separate apps that seemed to be made by the same creator that did the same thing. But the interesting part, like, it gets more interesting than that, is when I go and look for a new app, you read the reviews. And when I advise people looking for a new app, I say read the reviews. But what I don't clarify, and what I probably should, and what I personally do, is I read the negative reviews. If you just go on there and read the positive reviews, you can see fake reviews, where they did actually receive multiple 5-star reviews. And so as a normal, typical user, you might not, you know, go further than that. But when I go and read reviews, I actually look at the negative reviews and see why they chose, like, the 1s or 2s.


CAROLE THERIAULT. Do you know which ones I like best?


ZOE ROSE. What is the 2s, 3s, and 4s?


CAROLE THERIAULT. Yeah, those are quite good. Yeah, because they're always like, eh, you know, it was okay, nice box. Yeah, you know, a bit tinny.


GRAHAM CLULEY. I don't know. Zoe, Zoe, Zoe, can I ask, before deciding to come on the Smashing Security podcast, did you check out our reviews?


ZOE ROSE. You know, I really like your accents, and so I feel like having a conversation with you would be quite lovely. No, I didn't. I'm a terrible person. I know.


CAROLE THERIAULT. Ignore him. Ignore him.


GRAHAM CLULEY. Carole, what's your topic this week?


CAROLE THERIAULT. Despite password managers lifting the burden, there are still many hoops we've gotta go through, right? There's the two-factor authentication, long unique passwords everywhere, the old accounts we haven't deleted, and we go through all this to keep our private identities, like, private. So when two industry giants decide to pool their resources to address this problem, I perked up. Giant number one, whose Richie Rich rate class rivals Apple and Amazon's ridiculous financial heights, we have Microsoft. Haven't they just said they're around a trillion dollars in value as well? And giant number two tells us that it's for everything that money can't buy. Do you remember that slogan, Graham?


GRAHAM CLULEY. Everything that money can't buy. Yeah.


ZOE ROSE. Is that Mastercard? That's right. Yeah.


GRAHAM CLULEY. I thought money can't buy you love. Can Mastercard buy you love?


CAROLE THERIAULT. Yes, it can, because you can buy flowers and apparently that works. Oh yeah.


GRAHAM CLULEY. No. Not for Zoe. Give her a ferret on a stick.


ZOE ROSE. She'll be happy. Yeah. On a stick? That sounds quite horrible. I'm also allergic to flowers, so that probably won't help. Oh, that's very sad. I know, and my last name is Rose.


CAROLE THERIAULT. The irony. Oh, Avril, we think of you. We have these two giants, right? Tech and credit. And they're joining forces to rid the world of the pain of passwords. Now, according to the press release issued on Monday from Mastercard, these guys feel our pain. They feel that it's a huge burden upon our shoulders to remember all these passwords in a world that's getting ever more complex. And it's nice of them to think about us, don't you think?


GRAHAM CLULEY. Very philanthropic of them. Yes, very caring.


CAROLE THERIAULT. And they really want to come up with a solution. So they say in the release that today's digital identity landscape— they really said that. That's really a term they used. They say it's patchy and inconsistent. I mean, what are these guys up to?


ZOE ROSE. I really wish that it was patched, actually.


CAROLE THERIAULT. That's the main problem. So Mastercard explains that a universally recognized digital identity could, quote, unlock new and enhanced experiences for people as they interact with businesses, service providers, and community online.


ZOE ROSE. So, so they're basically saying the one problem that a lot of people have with password managers, not me because I like password managers, but the one problem in that centralized single point of failure is is they're going to enable that but on our own identification to make it easier to potentially—


CAROLE THERIAULT. It's even bigger than that, Zoe. Close your eyes if you would, everyone, unless you're driving. Do not close your eyes if you're driving. And imagine a future when filing taxes and applying for passports or receiving government payments becomes frictionless. Opening a bank account and getting a loan or a mortgage approved is speedy and easy. You have heavily personalized shopping experiences, which sounds awful to me, but people seem to want it, both online and in stores. And everything gets to cooperate, so email, social media, streaming services, and rideshare platforms, they all get to interact.


ZOE ROSE. So, so OPSEC is dead?


CAROLE THERIAULT. They're suggesting you use your real identity effectively as your password. Hell no. A single sign-on to things both real as well as digital. Start their tweet with voting, driving, applying for a job, renting a home, getting married, and boarding a plane. What do these things all have in common? You need to prove your identity. So they are really going for it here.


ZOE ROSE. I'll be honest, I like not having to prove my identity sometimes. Like, if I go to the bar or the pub and I get some rando being like, hey, how are you? Um, I give them a random name, and often, often it's dependent on what day of the week it is. So if it's Wednesday, it's like Wendy, you know, which causes a lot of awkwardness when I see them on a separate day of the week.


GRAHAM CLULEY. This is why you introduced yourself to me as Thor when we were in Seville, is it? I could pass for a Thor, couldn't I?


CAROLE THERIAULT. I was perusing Reddit this morning and this girl said that she was being, you know, aggressed or harassed by some guy in a bar, so she started barking at him and he left her alone.


ZOE ROSE. I love it. Oh, that's brilliant. I need to meet this woman.


CAROLE THERIAULT. She sounds like the woman of my dreams. I upvoted.


ZOE ROSE. I upvoted. But yeah, it's nice to be able to do things without having to identify. Like, um, like Reddit, for example. I like that I don't have to sign in. Exactly, me too.


CAROLE THERIAULT. I see two mega issues here. I'm sure there are more. So one is you can change your password, but you cannot change your identity. So it's a when, not if, it gets compromised.


ZOE ROSE. And then what? Well, and look at the whole Equifax situation. All of those Americans, like, that really, really caused lifelong issues with credit ratings, with everything, social insurance.


GRAHAM CLULEY. How are they proposing this is going to work, Carole?


CAROLE THERIAULT. Very sketchy so far on the details on that one. So watch this space.


ZOE ROSE. I figured it out. Tell us. Magic.


GRAHAM CLULEY. Well, because I know the UK government, I was at a conference a year or two ago, have been pushing hard for a sort of single sign-on for all kinds of government things which you may want to do. And there has been thought about rolling this out across other organizations as well.


ZOE ROSE. And there's, and there's that one company that I heard of a while ago called, like, Sovereign or something like that, that had the same kind of idea, where it's like a centralized location and you can permit certain services to have temporary access to only the information you need, for example. Yeah, which sounds great, but yeah, I don't know, I still like passwords though. So, so also the other thing is, um, if I go to the US, it used to be that I could, like, decline giving my password, but if it was, like, biometrics, like, that's not something I, you know— now I think they can still ask my password, but still, this sounds like the same thing. Like, it's kind of enabling both me, but also anyone else that wants to stalk me or, you know, exactly, because everything gets tied together.


CAROLE THERIAULT. So right now we almost have more freedom because the databases are disparate and uncorrelated. If you think about the Chinese social credit score system and its plans to tie together citizens' social profiles with their bank accounts and their transport and their salaries, and that everything goes through the single system, huge amounts of information come together. So it means that they can say to you who you should and shouldn't marry, right? The systems can tell you, yes, loan this person money, or don't loan them money.


GRAHAM CLULEY. But I think there will be people considering the security implications and, you know, oh, well then, you know what?


CAROLE THERIAULT. I should just stop talking. No, they've got this covered. They've got it covered.


ZOE ROSE. Well, but I'm, I'm thinking of, I'm thinking of, um, the Grindr app. Like, brilliant idea, dating for gay men, or to meet other men, not necessarily dating. Brilliant idea. Clearly was designed with the idea of security and privacy, you know, designed with the right intentions, and yet it was still misused in the US for a man to be physically and verbally abused in his home and robbed, and in Cairo for the police to target gay men— not necessarily arrest them for being gay because that's not illegal, but to target them and arrest them for other reasons. So I feel like no matter what they implement, I would be quite cautious. Um, and it's scary. It's really scary because I can change my password. I can't change who I am. I've tried.


GRAHAM CLULEY. Let me be devil's advocate just for a second. Okay. So we've said that, you know, oh, we don't really like the sound of this compared to the password managers that we're using. 'Cause we all, you, all three of us use password managers and we've— for the average person on the street who is currently reusing the same password on multiple websites, same one on their Gmail as on their eBay as on their Amazon, et cetera, et cetera. Yes. Then maybe something like this could be more secure.


ZOE ROSE. But on the other side, if you think about it, if their password is compromised and their account's compromised, often they can go to the bank and get, you know, the anti-fraud stuff. They can get their— you know, but they can't change who they are.


CAROLE THERIAULT. So— Don't you find something scary, Graham, about the idea that your personal beliefs and interactions are jumbled up with your work and your systems and your taxes and your bank? And, you know, if your personal beliefs or race or religion or identity or clothes shows or whatever, Doctor Who, become not so popular one day, won't this be a handy tool to red flag you?


GRAHAM CLULEY. Doctor Who isn't that popular this year. Or chess, for example.


ZOE ROSE. I love Doctor Who.


GRAHAM CLULEY. No, this year, Zoe, it's not been as good. The writing's really deteriorated.


ZOE ROSE. Yeah, but the actress is brilliant. I'm not—


GRAHAM CLULEY. I haven't got a problem with her. I think it's great that they got a female Doctor.


CAROLE THERIAULT. I'm sure she's very grateful that you have no problem with her.


GRAHAM CLULEY. She is.


CAROLE THERIAULT. She's been in touch. She's high-fiving.


GRAHAM CLULEY. I got an email from someone in prison who—


CAROLE THERIAULT. Now, look, I agree with you. I don't think this is why Microsoft and Mastercard got together to propose this idea of a single sign-on identity. But it does seem to me like serious oversight not to discuss the potential catastrophic downsides to this in exchange for this streamlined future.


ZOE ROSE. Yeah, it's just scary.


CAROLE THERIAULT. And you know, to your point, Graham, so when I was doing some research on this story, I just, you know, looking at headlines, just going through, you know, all the headlines that were on it, they were all very positive about this. And then I'm thinking, that's interesting, you know. I mean, I suppose they pay a lot of money in ads as well. So maybe—


GRAHAM CLULEY. Oh my goodness, you're so cynical.


CAROLE THERIAULT. Well, I don't like this idea of single sign-on.


GRAHAM CLULEY. I think there's a lot of issues in it. Is this because you're almost 50? Is this what's happening now?


CAROLE THERIAULT. I am so far off. You're all 50, sir. How old are we now? How old are we becoming soon, mister?


GRAHAM CLULEY. What, we together? If we add our ages up? Let's move on. Yes, shall we? Shall we? Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in. Imagine running a company, hiring new staff and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare! That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise. LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory. As an administrator, you can create highly secure passwords for your new starters right from the onset. That means no snafus. Listeners can check it out for themselves by visiting lastpass.com/smashingsecurity. No more password snafus, no more boo-boos, just LastPass. And welcome back, and you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.


CAROLE THERIAULT. You have to do it too, Sophos. I do? Jeez, Graham, she's never even heard the show.


ZOE ROSE. You know what, but I'm pretty, so that gives me social points, doesn't it?


GRAHAM CLULEY. It's— it's— well, you've got a lovely voice. We can't tell if you're visually appealing via a podcast. Oh, they can.


ZOE ROSE. They'll look at my social profile and they'll be like, oh, she's amazing.


GRAHAM CLULEY. Just say Pick of the Week.


ZOE ROSE. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. It doesn't have to be security-related necessarily. Could be. Well, mine definitely isn't security-related this week. Very good. You may remember in a past episode of Smashing Security, I recommended a game which was available for iOS, and it's on Steam, and it's on the Nintendo Switch and other things like that, called The Adventures of Bertram Fiddle. Well, there is now episode 2 out, and last weekend I played it. Episode 2, A Bleaker Predicament.


CAROLE THERIAULT. I'm actually quite happy about that because I really loved that game. I actually played it.


GRAHAM CLULEY. It was a great fun game. They're calling it the greatest adventure game of 1884. Like its predecessor, it is available for the iPhone, the iPad, Steam, which means you can run it on Windows and Mac. But as I said, my son and I, we were playing it this weekend on the Nintendo Switch. It's a very funny point-and-click adventure game. Not too tricky, not that long. I mean, we finished it in a weekend.


CAROLE THERIAULT. It's got some rather witty puns in it, if I remember correctly.


GRAHAM CLULEY. There's a lot of double entendre, which kept you entertained.


CAROLE THERIAULT. And was your son going, uh, why are you laughing, Dad?


GRAHAM CLULEY. No, he just found the words funny without realizing quite what was being said. But it is very amusing, and it's British, and it's done by an independent game producer called Rumpus. I think they're based down in Bristol, and more power to their elbow, I say, because I really like Bertram Fiddle, and I think you might enjoy it as well. And that is why it is my pick of the week.


CAROLE THERIAULT. Excellent! I like it. I really like it.


ZOE ROSE. Zoe, what's your— My pick of the week actually is a device, and whilst it is not necessarily security-related, it will help you become a better tech because it's helping you with your sleep. So I attended a keynote by Timur Arina— I might be saying that wrong, I've really apologised to him. He discussed this interesting trend where we become more and more reliant on technology, and we started to acquire wearables that help us be human again, essentially. They help us to be human? Yeah, well, because as we—


CAROLE THERIAULT. They say go to bed, eat, answer the phone, defecate.


ZOE ROSE. There are definitely things that I do not realize that I should know because it's a human thing. Like, I don't have an appetite because I just don't, so I don't remember to eat. I actually have to have technology to remind me to eat. I have to have technology to help me sleep because I have really, really severe insomnia.


CAROLE THERIAULT. Feel free there on that one.


ZOE ROSE. Yeah. Whilst they're very fundamental and you should know how to do them, like get up and walk around for a minute and then sit back down, don't sit on your computer and work on your phishing campaigns for 16 million hours.


GRAHAM CLULEY. Yeah. So tell us about this ring. What does it do?


ZOE ROSE. To give you a context of why I like the ring so much before I tell you exactly what it does is I've had an Apple Watch and I've had other tools and stuff, and I find them too interactive because I'm constantly getting updates. And the most annoying was in September 2017, I was hospitalized for a lung infection because I have very, very severe asthma, and my bloody Apple Watch told me to breathe. I was— oh my God, yeah, I was like, I am trying to, that's why I'm here, you—


CAROLE THERIAULT. Yes, you're trying to recuperate. Breathe, breathe. Yeah, I was so angry.


ZOE ROSE. I stopped wearing it.


GRAHAM CLULEY. Yeah, yeah, I bet, I bet. Yeah, I bet.


ZOE ROSE. But anyway, so why this is my pick of the week is actually it's a wearable that's very minimalistic. It's called the Oura Ring. And it sits calmly on your finger and it monitors your sleep. It monitors while you're active and while you're inactive and helps you identify, uh, not just your sleep.


CAROLE THERIAULT. It's very pretty, I have to say, it's very pretty.


ZOE ROSE. Also your deep sleep, your REM sleep, and all of that. You, you, you do have to put it on a charger, but I think it lasts quite a few— if I remember, it lasts quite a few days because remember, it's— there's got—


CAROLE THERIAULT. there's no screen on it. Yeah.


ZOE ROSE. Oh, remember the old Nokias? Oh, I love the Nokias. I kind of want to buy one. You know, I kind of want to buy one of the new ones just to support, but I don't, I don't think they're quite as— yeah, I know, right?


GRAHAM CLULEY. So the main positive for you with this is that it doesn't irritate you basically because it's not doing the notifications, it's not distracting you.


ZOE ROSE. Yeah, it's like, it's like improvement to my life through a passive as I need it. And it helps you sleep better. And it looks cool.


CAROLE THERIAULT. And you have to put it on a particular finger? It can go any finger?


ZOE ROSE. Yeah, so they— beforehand when you purchase it, you purchase the ring but also a free sizing kit. So they send you that first. You can choose which size you want, and then you send it back.


GRAHAM CLULEY. Oh, I see. So even if you had a particularly fat finger, or if you wanted to—


CAROLE THERIAULT. Oh, you worried, Graham?


GRAHAM CLULEY. I'm just checking. It is definitely finger, is it? That's— it's not— it wouldn't— Anyway, Crow, what's your—


ZOE ROSE. I mean, where else would you put it? He's suggesting it might be a cock ring.


GRAHAM CLULEY. No, no, no, no, no, no. I see you have toes, your big toe. Big toe.


ZOE ROSE. In that case, I suspect that your blood flow monitoring would be quite inaccurate. So I don't suspect it would be that useful. Moving on.


GRAHAM CLULEY. Carole, what's your Pick of the Week?


CAROLE THERIAULT. My Pick of the Week is certainly gonna bring us back to Earth. 'Cause, okay, basically, let me admit something, okay? I had trouble this week. I couldn't find a good Pick of the Week. So basically, took the story that I was thinking of doing that I didn't do. So it's basically—


GRAHAM CLULEY. you're having a second crack at a security story. I know, I know.


CAROLE THERIAULT. I've never done— it just was a kind of cool thing, okay? It was just a cool article. So we all know about the Marriott Hotel chain, the whole data breach, 500 million user accounts last week. Big fat ouch for everybody and the guests and everybody. But there was an interesting article on CNET that took an angle I hadn't thought about before. What do you do if your passport number gets stolen?


ZOE ROSE. Ah, yes. I read this one. It's interesting.


CAROLE THERIAULT. Yeah, because a lot of hotels, particularly those in Europe, right, require the guests to relinquish their passport so they can record the number. And so I was thinking, huh, I wonder how big a deal it is. The article— I'll save you a click— says don't worry, the passport number is not the same thing as your actual passport. Thank God we have one of those, because if you lose your passport or if your number gets stolen, you can order a new passport. With a new number. Isn't it nice to have a piece of identity that can change if it's stolen? Isn't that nice? So maybe my pick of the week is passports. If you think that your passport was stolen, so basically you want to make sure before you do anything, was it stolen or was it not stolen? And if it was stolen, your recourse is to order a new one. Yes, that's out of pocket, that costs money, and but you do get a new number. So for those that are worried, that's what you do, because there's about 500 million of you out there that are affected by this, probably.


ZOE ROSE. The one thing I thought was interesting about this one is who's responsible for that? At the moment, I don't think there's any way to do that, but if they're causing— if their lack of security controls are causing millions of people to have to renew their passports or get new passports, and the increase of work on the passport company, like, shouldn't they be held responsible for that? Because if a ton of people have to get new passports and they would all have to be urgent, they'd have to be more expensive, they'd have to require more staff. And over time, especially now this time of year, people want to go visit their friends.


CAROLE THERIAULT. No, you'd cross-sue Marriott for it. And then maybe Marriott would cross-sue the government for telling them to have to keep this information. I mean, wouldn't all these problems go away if people just stored less info?


ZOE ROSE. Well, that was the other thing I saw in another article was if you cannot secure this information, reliably, if you can afford to do this, then don't take it. Exactly! Actually, I don't think that was an article. I think that was my friend's tweet.


CAROLE THERIAULT. I think I just stole it. Well, he/she's right.


ZOE ROSE. I'm a terrible person. It was Iain's tweet.


GRAHAM CLULEY. I have to question, however, I have to question, however, the whole value of a passport at all, because I was once in Vancouver with a colleague of mine who lost her bag containing her passport, and she managed to— and she was flying back to the UK. And she managed to get through Heathrow Airport. Is she super cool? She's very cool. With just her business card and the words to the man at the passport desk saying, Google me.


ZOE ROSE. She sounds brilliant. She managed to get through.


CAROLE THERIAULT. I also had a police report. Oh, you did? I also had a police report, yes.


ZOE ROSE. That's brilliant, I love it.


CAROLE THERIAULT. I had also had an interview with— I can just picture you being like, Do you know who I am? No, no, no. I was panicking. They wouldn't let me in and I really wanted to come home. And they're like, well, how can you prove that, you know, you work in the UK? How can you prove? And I'm like, I don't know. Google me. How long ago was that? That was like a long time ago.


ZOE ROSE. 10 years? 15? Brilliant. I love it.


CAROLE THERIAULT. That was a long time ago.


ZOE ROSE. My respect for you has raised to a new level.


GRAHAM CLULEY. Well, on that shock horror revelation that someone is appreciating Crowmore, we have just about wrapped it up. Zoe, if anyone wants to follow you on the social networks— I do, yes! What is the best way to do that?


ZOE ROSE. It would probably be to go on the Twitterverse and look at @5683monkey, although if you really want, there's also 5683ferret, which is my ferret, and lately they've become more popular than me, so I wouldn't be offended.


GRAHAM CLULEY. And, and if you want to follow us on Twitter, we're at Smashing Security, no G. Twitter won't allow us to have a G. And you can check out our online store, you can grab t-shirts and mugs and stickers and things like that at smashingsecurity.com/store.


CAROLE THERIAULT. And thanks to each of— Thank you for listening once again. We're thrilled if you like what you hear. Now, I read today that podcasts are plateauing. No, no, no. It's true that those that are listening to podcasts are just listening to more, and that's where the growth's coming. This is bad for all of us. So this week, if you want to help us grow, get someone who's never heard a podcast to listen to one. Find a topic they love and get them a source of pure joy. If they're interested in 3 hilarious security-minded folks yakking about cyber snafus, unlikely, send them to Smashing Security.


GRAHAM CLULEY. And also a big high-five to our sponsors this week who made the show possible, which is LastPass. Thank you guys at LastPass. If you want to learn more, you can get in touch with us at . But until next week, cheerio, bye-bye, bye everybody!


CAROLE THERIAULT. Oh, should I say bye? Perfect. I don't even think we need a teaser at the end anymore. That's perfect. Oh, I'm terrible at this. No, you're great. You have to come on again, right?

-- TRANSCRIPT ENDS --