
354: Chuck Norris and the fake CEO, artificial KYC, and an Airbnb scam


Chuck Norris gives a helping hand to a mysterious cryptocurrency CEO who may have separated investors from over a billion dollars, generative AI creates a nightmare for those wanting to Know Their Customer, and a determined journalist finally gets their revenge on a sneaky Airbnb scammer.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, who are joined this week by special guest Maria Varmazis.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


CAROLE THERIAULT. Chuck Norris here, and I want to give a shout out. This is the dawn of a new beginning with endless possibilities. Keep up all the great work and just know you are Chuck Norris approved. Your friend, Chuck Norris.


UNKNOWN. Smashing Security, episode 354, Chuck Norris and the Fake CEO: Artificial KYC and an Airbnb Scam with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 354. My name is Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault. Hi, Graham.


GRAHAM CLULEY. Happy New Year to you, Carole.


CAROLE THERIAULT. Same back to you.


GRAHAM CLULEY. Thank you very much. And to our listeners and to our special guest this week, family favourite, Maria Varmazis. Hello, Maria.


MARIA VARMAZIS. Hi, and Happy New Year.


GRAHAM CLULEY. Is it too late for us still to be wishing each other Happy New Year?


CAROLE THERIAULT. On the 11th?


MARIA VARMAZIS. It's never too late.


CAROLE THERIAULT. Yeah.


MARIA VARMAZIS. No, no, we can do it. I think we've got all of January, or at least the first time you speak to someone in the new year. So we could go to July. I mean, really.


GRAHAM CLULEY. Okay, well—


MARIA VARMAZIS. We make the rules, Graham.


GRAHAM CLULEY. If it's the first time you've listened to us this year, hello, Happy New Year. Great to have you back.


CAROLE THERIAULT. Yes, and let's kick this show off. But first, let's thank this week's wonderful sponsors. LastPass, Kolide, and Vanta. It's their support that helps us give you this show for free.

Now coming up in today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to be talking about Chuck Norris and an untrustworthy CEO.


CAROLE THERIAULT. And Maria, what about you?


MARIA VARMAZIS. AI is making it easier and easier to get around security measures.


CAROLE THERIAULT. And I'm going to talk about a double bait and switch. All this and much more coming up on this inaugural episode of 2024 of Smashing Security. Woo!


GRAHAM CLULEY. Now, chums, chums, I'm sure you all know about the metaverse, don't you? You've heard about the metaverse? Maybe you've dipped your toes into the metaverse?


MARIA VARMAZIS. Against my will, I know a little bit about it, but that's about it.


GRAHAM CLULEY. Yeah, I think it's for young people, really. It's not for people like us, is it?


CAROLE THERIAULT. Do you want to explain what it is for the 300,000 listeners?


GRAHAM CLULEY. It's the virtual world. It's the Lawnmower Man, that movie from 25 years ago. It's people having cybersex with avatars of each other. Rather than each other because their own physical reality is too revolting.


CAROLE THERIAULT. So it's the opposite of a real doll.


MARIA VARMAZIS. So a second life? I mean, isn't it Second Life?


GRAHAM CLULEY. It's a bit like that. Mark Zuckerberg has poured billions of dollars into it thinking it's the future before he realised artificial intelligence was actually the thing that people were excited about. But, you know, people are strapping monitors to their eyeballs and choosing— it's just a horrible— anyway, I don't want to talk about the metaverse.


MARIA VARMAZIS. Why do we talk about Facebook when I'm on the show? Why?


GRAHAM CLULEY. So maybe, I guess you're into streaming superhero shows. Maybe some of you have watched a few of these Marvel TV series. Maybe you've heard about the multiverse. You heard about the multiverse where there's parallel universes and— This isn't real, by the way, Carole. Well, maybe it is. Who knows?


MARIA VARMAZIS. In case you were confused.


GRAHAM CLULEY. Anyway, I want to actually know if you've ever heard of the hyperverse. So not the metaverse, not the multiverse. Have you ever heard of the hyperverse?


CAROLE THERIAULT. Can I say that I've missed this? Over the holidays.


MARIA VARMAZIS. Really?


CAROLE THERIAULT. No, tell me about the Hyperverse, Graham. I'm dying to know.


GRAHAM CLULEY. Hyperverse, formerly known as Hyperfund, is a now defunct cryptocurrency hedge fund.


MARIA VARMAZIS. Cryptocurrency hedge fund?


GRAHAM CLULEY. Yeah, cryptocurrency hedge fund.


MARIA VARMAZIS. Okay, okay, all right. Yeah, I'm in.


GRAHAM CLULEY. I know, already alarm bells are ringing in your head.


MARIA VARMAZIS. All right.


GRAHAM CLULEY. So the reason why you might have heard of Hyperverse is not just because the company collapsed in 2022, but rather that when it did— I mean, after all, lots of cryptocurrency things collapse. But rather when it did collapse, it resulted in approximately $1.3 billion.


MARIA VARMAZIS. What was that number?


GRAHAM CLULEY. That was billion. $1.3 billion. Ba-ba-ding, ba-da-bong. Worth of losses for its customers. So a huge amount of money. In fact, according to experts, more money was lost in 2022 through Hyperverse than any other alleged crypto scam.


CAROLE THERIAULT. Hmm. It's a big number. A lot of wonga.


GRAHAM CLULEY. Millions and millions was lost.


CAROLE THERIAULT. Well, billions.


GRAHAM CLULEY. This is an Australian— Yeah, yeah, okay. Millions and millions does add up to billions eventually.


CAROLE THERIAULT. Well, you need a lot of millions, but yes, okay.


GRAHAM CLULEY. I'll give you that.


CAROLE THERIAULT. You do.


GRAHAM CLULEY. When this Australian crypto outfit, Hyperverse, shut down, impacted thousands of investors, somehow it escaped any warnings from regulators in Australia. But in New Zealand, the UK, Canada, elsewhere, there were people and regulators and banks saying, we think Hyperverse could be a scam.


CAROLE THERIAULT. All right.


GRAHAM CLULEY. But for some reason, Australia sort of overlooked it. There's been a bit of fallout.


CAROLE THERIAULT. So the Five Eyes, everyone else in the Five Eyes was saying, this doesn't look good. And Australia was just going, I don't hear you. I don't hear you.


GRAHAM CLULEY. Are you talking about Five Guys the burger joint?


MARIA VARMAZIS. No.


GRAHAM CLULEY. Or Five Eyes?


MARIA VARMAZIS. Five Guys, Five Eyes.


CAROLE THERIAULT. Five Guys, Five Eyes.


MARIA VARMAZIS. I'm so confused. I'm so confused.


GRAHAM CLULEY. It's Five Guys, actually, where they collect information.


CAROLE THERIAULT. That's right, you go for a burger, you discuss your business.


MARIA VARMAZIS. Free peanuts. Listen, those fries.


CAROLE THERIAULT. Those fries.


MARIA VARMAZIS. Those fries.


GRAHAM CLULEY. Now, now. You're wondering, how did Hyperverse get people to trust them? Well, one way in which it did it was in December 2021, it appointed a new chief executive officer. They introduced their new CEO, the new CEO of Hyperverse, a guy called Stephen Rhys-Lewis, at an online global launch event. Video messages of support from celebrities were released. Including from Steve Wozniak, the co-founder of Apple, Chuck Norris, the actor, all saying what a fantastic thing Hyperverse was. And this Stephen Rhys-Lewis guy, he had an impressive resume, right? He was a maths and economics graduate at University of Leeds. He held a master's degree from University of Cambridge.


CAROLE THERIAULT. I haven't heard of that place.


GRAHAM CLULEY. Right, right. He'd worked for Goldman Sachs. He'd sold his company to Adobe, you know, made millions there. He'd launched an IT startup and eventually had been recruited to head up Hyperverse, which he ran from his home in Dubai.


CAROLE THERIAULT. Wow.


GRAHAM CLULEY. Impressive. Yeah.


MARIA VARMAZIS. Wowee.


GRAHAM CLULEY. Let's watch a little bit now of the announcement videos just so you can get a sense of it. There are multiple ongoing developments within the Hyperverse ecosystem. And we are very excited to slowly unreveal and share them with you.


CAROLE THERIAULT. They certainly put a lot of money into that.


GRAHAM CLULEY. Well, you know, impressive, exciting background music, I think you agree. But here's the thing — Stephen Rhys-Lewis doesn't exist.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. And we know he doesn't exist because the sleuths at The Guardian decided to do a little bit of digging after Hyperverse basically folded. They thought, well, let's go and speak to the CEO. And so they tried to contact him and they weren't able to contact him. So they went to the University of Leeds and the University of Cambridge and they said, we've never had anyone here who's a student by that name.


CAROLE THERIAULT. Do you know though, it's weird, right? Because if you called the company up and said, hey, did Steve Rhys ever work there, they could say, we can't divulge any information on our employees, but universities always cough up, don't they?


MARIA VARMAZIS. Wait, they usually can verify — they will say yes or no if someone has worked there. Isn't that usually — maybe this is a country-specific thing, but usually they can just say yes, that person has worked for us, or no, they haven't.


GRAHAM CLULEY. They may not say you were a rubbish employee — they'll just verify yes, you were on the carpet or something like that. But they may say yes, they worked here from these dates.


CAROLE THERIAULT. Okay, interesting.


MARIA VARMAZIS. I'm pretty sure—


CAROLE THERIAULT. Listeners, if you know different, let us know because I'd love to know the answer to that.


GRAHAM CLULEY. So The Guardian contacted the university — no record of it, right? Nor did any records exist of Stephen Rhys-Lewis at Companies House, which is where all companies register, or on the US SEC. He didn't even have a LinkedIn profile. And I have to say, if you're going to fake your identity, create a LinkedIn profile, right?


MARIA VARMAZIS. That feels a sloppy thing to forget. You did all the other stuff and then not the LinkedIn? Isn't that usually what social engineers go for first, is the fake LinkedIn profile?


GRAHAM CLULEY. So question is, who the hell was this Stephen Rhys-Lewis guy and what was his background? The Guardian, I was reading this article just a few days ago, not able to find out.


MARIA VARMAZIS. Oh, it's Satoshi Nakamoto, definitely.


GRAHAM CLULEY. They couldn't work it out. But that doesn't mean, of course, that nobody on the internet could uncover the truth. And I found a YouTuber going by this strange name of Nobody Special. So, this YouTuber, Nobody Special, he took it upon himself to do a little bit of digging. So, he took a screenshot of the Stephen Rhys-Lewis CEO announcement video — so, he had his face and he loaded it into PimEyes.

Now, I think we've spoken about PimEyes before. It's an extraordinarily scary website where you can upload people's images and it will trawl the internet, not looking for that exact image, but actually do a kind of facial recognition. So it will find social media pictures, all kinds of things of who it thinks is the same person. And it can be really, really quite convincing — you know, it's quite reliable.


MARIA VARMAZIS. Have you — you've done it, right? You've tried it out?


GRAHAM CLULEY. Yeah, yeah, yeah, I've done it. And some people I think, well, that isn't me, but there's quite a lot. It's like, bloody hell, it has found me here and there, you know, including pictures of me when I was much younger, more handsome, etc., etc.

Anyway, this YouTuber, Nobody Special, he found images of someone who looked very much like Stephen Rhys-Lewis. Found images of this guy sprawled drunkenly around in cocktail bars in Bangkok, hanging out with strippers and prostitutes. So not living your typical — I mean, he's clearly quite drunk in these images.


CAROLE THERIAULT. And it could definitely not be the Stephen he's looking for.


GRAHAM CLULEY. So PimEyes isn't saying the name of these people. It's just saying this is an image of someone who looks really, really similar. And unfortunately, none of these pictures did reveal the man in the picture's true identity, right? It didn't say who he was.

So what Nobody Special, the YouTuber, did was he started searching for images of other people seen in these drunken snaps in Thailand cocktail bars alongside our mystery man, assuming they must be his drinking buddies because he was being photographed so often. And one of them was a guy called Chris Moulton.

And he found Chris Moulton's Facebook page, and he was looking through images Chris had posted up on Facebook, and he found one of Chris with one of his mates eating pizza in a Bangkok bar. It was clearly the same guy again, right? It's Stephen Rhys-Lewis, it's the CEO, and it's the same guy who appears in these Thailand cocktail bar pictures as well.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. It really sounds like—


MARIA VARMAZIS. This is a roller coaster ride.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. But the problem is Chris Moulton hasn't tagged our mystery man in these photos. We're so close now, but he hasn't tagged him in the photo. So what's his identity?

But the YouTuber who's investigating all this, he saw that the photo had been liked five times, and so he thought, "I'll just look to see who liked this." And one of the people who liked the photo was someone with the same face, and that was how they were able to identify Stephen Rhys-Lewis's true identity.


CAROLE THERIAULT. So Stephen Rhys-Lewis liked a video that he featured in.


GRAHAM CLULEY. He liked a photo of himself with his friend up on Facebook. And that's where the link was.

And his real name, it turns out, is Steve-O Harrison, originally from Bournemouth, which is a sort of fairly sleepy town on the UK south coast.


CAROLE THERIAULT. It's a beautiful place.


GRAHAM CLULEY. No, I used to go there as a kid. Maybe everyone seemed old when I went there as a kid. Maybe now I'd think they're all youngsters.


MARIA VARMAZIS. Yeah, if it's that boring.


GRAHAM CLULEY. I think it's quite a party place now, but it's not Bangkok, right? It's not quite the same.

And what this YouTuber did was he compared videos of Steve-O Harrison with Stephen Rhys-Lewis. And it's clearly the same voice and it's the same look.

In fact, I'll play it now. Here's a bit of Stephen Rhys-Lewis speaking, the CEO: "And we are very excited to slowly unreveal and share them with you." And here's Steve, Steve-O Harrison: "I'm currently training for Spartan in three weeks. I'm going down there to do the trail run, which is 10K, and I think I've done this course before."

I would say that's the same voice. Would you not agree?


CAROLE THERIAULT. I'm not an expert. I feel this is just crazy research.


GRAHAM CLULEY. Is it 'cause English people just sound the same to you?


MARIA VARMAZIS. No, because people confuse Carole and I all the time.


GRAHAM CLULEY. I do.


MARIA VARMAZIS. I have to say, yeah, we're actually the same person. We've been meaning to tell you, very similar, but this feels like the right time. So, you know, you've suspected all along.


CAROLE THERIAULT. Okay, I admire and appreciate this guy's— this YouTuber Nobody Special's work here, but I'm hoping that there's something a bit more proofy to this story than pure conjecture.


GRAHAM CLULEY. Well, I think it's pretty compelling. I'll link to the video so you can check it out for yourself and see if you agree with his evidence anyway.

He looked up Steve-O Harrison's LinkedIn account, and what you find is he describes himself as a TV presenter and sports pundit, not a cryptocurrency CEO.


MARIA VARMAZIS. Well, what do you need to be a qualified cryptocurrency CEO, to be fair?


GRAHAM CLULEY. He says this. He says he works alongside international businesses to help front their products and services. It sounds like he's been hired to pretend to be the CEO. He's a rent-a-CEO.


MARIA VARMAZIS. Oh, the twists keep coming.


GRAHAM CLULEY. And maybe we should have guessed that because if you look at Steve Rhys-Lewis's Twitter account, he's pinned a tweet which has a link to the promo video for the Hyperverse. And there's a caption which reads, "Where reality ends and imagination begins." And I think that's really the case.

Now, interestingly, why have Chuck Norris, Steve Wozniak, and other celebrities fallen for this? Why are they endorsing Hyperverse?


CAROLE THERIAULT. Chuck Norris here, and I want to give a shout out to Hyperverse. Under the leadership of CEO Stephen, Hyperverse will be the leader of metaverse space. This is the dawn of a new beginning with the metaverse odyssey. With endless possibilities. Keep up all the great work and just know you are Chuck Norris approved. Your friend, Chuck Norris.

I was going to say, you know, remember we were talking about it just before last, at the end of the year, that rent a— yeah, you pay a fee.


GRAHAM CLULEY. Cameo. Yeah, that's the thing, wasn't it?


CAROLE THERIAULT. Yep.


GRAHAM CLULEY. It was Don Johnson and Elijah Wood or something who were saying things about, was it Vladimir Zelensky or something, having a drug problem. They'd been tricked into saying things. Well, it seems to be the same thing.

So Woz has recorded a video where he's recorded it basically up his own nostrils. And Chuck Norris is a little bit more professional. You'd think Woz would know where his webcam is. But these appear to be Cameo videos where, so this company just paid a few bucks. You can normally ask a celebrity to wish someone a happy birthday, or in this case, endorse a cryptocurrency scam.


MARIA VARMAZIS. I thought they vetted those things way more carefully. They usually have a whole list of rules of stuff they won't say. I guess they don't.


CAROLE THERIAULT. That's wild. Yeah, but that probably goes direct to the person and they're, yeah, sure, I'll read that. I don't care. Probably haven't read it.


GRAHAM CLULEY. I need $20. Yes.


MARIA VARMAZIS. Chuck Norris needs $20? What world is this? He roundhouse kicks his $20 into his pocket. Would he need $20?


GRAHAM CLULEY. So Steve Harrison hasn't been collared by the law. As far as I know, he's still out in Bangkok doing whatever he does out there. Someone else allegedly linked to the Hyperverse has been now arrested and charged in the United States.

Someone who's known as Bitcoin Rodney has been. Bitcoin Rodney, also known as Rodney Burton.


MARIA VARMAZIS. Bitcoin Rodney.


CAROLE THERIAULT. Is that his real first name? Is this a bit Judge—


MARIA VARMAZIS. That's his Christian name, Bitcoin Rodney.


GRAHAM CLULEY. He's alleged to have made fraudulent presentations claiming high returns for investors, but it was all obviously a whole load of garbage. So Hyperverse, who would have thought it? We're kicking off 2024 with some cryptocurrency scamming.

I suspect there's lots more of this to come. Come on, Chuck, get your act together and Woz, work out where to point your webcam next time. Maria, what have you got for us this week?


MARIA VARMAZIS. I'm amazed that I picked a story not knowing what yours was about that is also about AI fraud and a little bit of bitcoin. Just completely by chance, and I mean that for real.

This story, I saw the beginnings of it trickling through on Reddit and the Fediverse of all things a couple of days ago, maybe about a week ago, I don't remember exactly, but right around the New Year. And I saw a toot.


GRAHAM CLULEY. All right, let's not call them toots.


MARIA VARMAZIS. We don't say toot anymore on the Fediverse. I saw an image that looked totally innocuous, and I don't often see a lot of images on my feed on Mastodon because I follow a bunch of nerds, so it's always text only.

And it was just like a very normal verification post is what the title said at the top of the image. And the image below was of a like youngish woman looking right at the screen holding up a piece of paper.

It's a completely insignificant image that reminds me of the gajillions of these that I've done for— I've done one for Binance, for example, where you have to hold up a government ID, it's a terrible selfie, and they run it through— I don't know what they run it through, a person or automated system, both— and they— it's supposed to verify that you are who you say you are. And of course everyone always looks kind of terrible in these pictures, but that's what this image was, just says verification post.

And I'm just wondering why am I seeing this on my Mastodon feed? Did somebody make a security boo-boo and post something publicly that they shouldn't have, like a credit card?

And then I looked a little more closely at the image, just a smidge, and I noticed that the piece of paper that she's holding up to the camera, it has two lines of handwritten notes on it. And the first one was clearly a Reddit username— sorry, a subreddit name.

And the second line was a Reddit username, which was u/yourmom. And I'm going, okay, that's an interesting Reddit username.

What is going on here? And then of course I did the thing I should have done, which was read the text that came with it.

And this was from user— oh right, yes, read the actual text in the tweet— I mean the post. It's from a username Nixcraft, and they said this: this is crazy, Stable Diffusion created a verification image of someone doing their KYC for a bank or similar.

AI will impact know your customer, which is what KYC means, not Kentucky Fried Chicken or whatever I thought it was. AI will impact know your customer identity verification processes.

As AI makes it cheaper and easier to impersonate someone's likeness and identity markers, which are often found in a breach, it will become simpler for attackers to take over accounts and steal money, data, impact brands, etc. I was like, wow, that's a great thing to read on my feed first thing in the morning.

So I did what any good nerd would do is I went straight to Reddit. And I wanted to find the original post where this was happening.

And I went into the rabbit hole on Reddit where this was posted. It was on Stable Diffusion.

And there's a Reddit user there who was publishing a workflow that I don't know much about AI at this level, but it wasn't— it was complicated but not impossible. A workflow to create really convincing deepfake identification selfies.

I mean, way, way more convincing than anything I've ever seen. That would take maybe at most a day to fake someone else's government ID and verification image.

And not only that, but there are also video versions of this. So if you're thinking, well, you know, it could just, what's the difference between this and Photoshop?

There's a very easy way for generative AI to make these know your customer videos that someone could just upload pretty easily to, I don't know, your bank to pretend to be you. And the barrier keeps just dropping on how easy this is becoming.

And you know, this information is posted pretty wildly and widely.


CAROLE THERIAULT. But think of all the companies, five years ago, everyone that we spoke with were talking biometrics. Biometrics are everything, you know, and they invested loads of money in that.

And I always hated the idea because you only have one face. So biometrics are dead effectively in a lot of ways.


MARIA VARMAZIS. TechCrunch also saw the same thing I did. A lot of people saw this on Reddit and they put an article together that I'm sure we can link in the show notes about this specific thing. They also included a security research firm called Sensity that said they found that the 10 most popular know-your-customer providers are severely vulnerable to real-time deepfake attacks. So I mean, I feel like an entire industry just got killed off effectively by GenAI right now.

Whether or not you miss it, it's not really here or there. But TechCrunch also included a quote from the chief security officer for crypto at Binance, which is the same thing that I had used for this exact thing. And they said that yeah, this is very easy for deepfake tools to completely bypass their security measures to pass liveness checks, which is what they call it. So I guess everything needs to go back to in person is essentially what I'm taking away.


CAROLE THERIAULT. Maybe it'll have to be stuff like you'll get on the video, right? And then they're gonna have to spew out something unexpected like, do jumping jacks right now!


MARIA VARMAZIS. Oh my God, right? Yeah.


CAROLE THERIAULT. Or like, run around in circles.


MARIA VARMAZIS. Yeah, like those Google CAPTCHAs have already gotten super weird. I got one the other day that was, which animal is heavier or something? And I was like, what the hell is this CAPTCHA? So yeah, they're gonna just gonna throw random things at you, like find something that's pink in your house right now or something.


CAROLE THERIAULT. Wow.


GRAHAM CLULEY. Maybe we're going to get to a point where we actually need to physically go somewhere to—


CAROLE THERIAULT. Well, that'd be great.


GRAHAM CLULEY. Maybe there'll be brokers where you could go to someone in the high street and they have certain security standards. And so you have to go there, present yourself, and they will affirm that you are— They've closed all the branches.


CAROLE THERIAULT. So— The branches are all closed.


GRAHAM CLULEY. Well, Carole, what's your answer? Are you gonna have a barcode under your armpit or something, which people can scan? Scan it in. What would you get it to?


CAROLE THERIAULT. Where?


GRAHAM CLULEY. What are you gonna—


MARIA VARMAZIS. It's a fascinating problem, and I don't know what the solution is. Does anybody?


CAROLE THERIAULT. I'm just not gonna buy anything again.


MARIA VARMAZIS. That's all.


CAROLE THERIAULT. I'm not doing anything.


MARIA VARMAZIS. Oh, Carole, your story was heartbreaking. I felt for you.


CAROLE THERIAULT. Oh, poor Carole.


MARIA VARMAZIS. I almost fell for a scam myself, so don't worry, you're not alone.


GRAHAM CLULEY. Did you get your money back yet, Carole? Is there anything new?


CAROLE THERIAULT. No, not yet. Watch this space.


GRAHAM CLULEY. No.


MARIA VARMAZIS. Sorry.


GRAHAM CLULEY. Listen to our last episode, everyone, if you want to hear about Carole's friend Charlotte, who was scammed.


CAROLE THERIAULT. I loved your reaction so much. 'Cause I wanted to tell you right away, and I said, no, keep it for the show. Keep it for the show.


GRAHAM CLULEY. Well, okay, Charlotte, what have you got for us this week?


CAROLE THERIAULT. Okay, are you guys Airbnb dates, or do you use that to rent houses, or is it VRBO in the States? So do you use that?


MARIA VARMAZIS. VRBO? Yeah, yeah, yeah, I've used them.


GRAHAM CLULEY. Yep, I've used Airbnb, yeah, a number of times.


CAROLE THERIAULT. Yeah, right, I'm an Airbnb-er, and for the most part it's been a pretty good experience. I only rented a place once for one night with a very tightwad buddy of mine, and that experience was not great because we got what we paid for.


GRAHAM CLULEY. Sorry about that.


CAROLE THERIAULT. Not you. So typically, you know, when you're organizing an Airbnb, you back and forth via the Airbnb messaging app.


GRAHAM CLULEY. Yep.


CAROLE THERIAULT. You share basic contact info, pay for the visit, then off you trot, right? And you fly off to wherever you're going, or driving, whatever.

And then you have a check-in time, right? So imagine you're sitting around the corner from your Airbnb, you know, maybe you're sipping a cranberry juice, Graham, a latte for Maria, until it's time for you guys to check in.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And this is going to impact your romantic getaway, or, you know, whatever, if you're sleeping on the streets in a far-flung city. And the caller explains, look, sorry, sorry, sorry, the previous guest flushed something down the toilet, flooding the unit.

'But don't worry, I've got another property until the problem gets sorted.' Thank goodness, right, thank goodness.


GRAHAM CLULEY. These things happen.


CAROLE THERIAULT. These things happen.


GRAHAM CLULEY. You're going to be terribly nice about it in English. You're not going to complain.

You'll say, 'Oh, you'll probably be the one to apologise.' I would actually apologise, probably.

'I'm sorry you had to go to the inconvenience.' Honestly, I would. 'Find me somewhere else to stay.'

'Even though it wasn't my poop, wasn't my poop that blocked the loo, but despite that, on behalf of everyone who poops, I would like to apologize.' You're gonna take that on yourself?


MARIA VARMAZIS. So, so gracious, such a gentleman. Oh my goodness.


CAROLE THERIAULT. But the guy says, 'Look, look, I've got this other place and it's, you know, it's 3 times bigger and you'll get it for the same price.' And he sends you a few pics and the property does look bigger.


GRAHAM CLULEY. Brilliant.


CAROLE THERIAULT. You know, it looks fine. And, you know, the guy's, I need to know, you're booking or you're canceling?

What do you want to do? So you change the reservation via the Airbnb app to this new property and off you trot to the new property and it takes you a bit to find it.

You can't find it on the main street because it turns out it's kind of behind the house, where a garage would be, a garage turned flop house type thing. And while it's big, it's a vamped up shed.

And the furniture is crap. It's a bit of a shithole, basically.

But you're, it's one night, it's one night. And so the next day, instead of getting good news, you get a text explaining the plumbing in the original rental is not fixed and that new tenants are moving into the flop house the next day, so you need to skedaddle and just, you know, ask for your money back.

Refund, refund, refund.


GRAHAM CLULEY. I can imagine myself apologizing again for this inconvenience cycle.


MARIA VARMAZIS. Yeah, yep, exactly.


CAROLE THERIAULT. You'd apologize. And also, you might be a bit fucked off with all this because you only have a short stay.

This is holiday time.


GRAHAM CLULEY. Yeah, yeah, it is a bit of a shit.


CAROLE THERIAULT. So you're gonna go, fuck it, I'm gonna go to a hotel. I'll sort this out when I get home.

And you get home and try to recoup your money from Airbnb—


MARIA VARMAZIS. Airbnb—


CAROLE THERIAULT. From Airbnb, and it turns out that it's not as easy as one might think. And this is kind of a short version of what happened to Vice journalist Allie Conti back in 2019. And she ended up having to repeatedly badger Airbnb, and even then she only recouped a third of what she ended up paying for the rental.

Okay, but she's a journalist, so she started digging, and she learned that the phone number that she received the call from was a Google untraceable number. When she did a reverse image search of the couple who were supposedly renting the property, it turned out to be a stock photo.

And she started reading the reviews of the property. And other people were saying, oh, last minute, there was a problem with the property, and that refunds were being ghosted.

So as soon as refunds were being discussed, the phone calls stopped. They stopped taking calls.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. And there were some positive reviews as well. But when you started looking at who they were, it turned out that they were also Airbnb-ers sharing very similar properties, like perhaps identical.

So in the show notes, I've given you 4 pictures of 4 different Airbnb-ers.


MARIA VARMAZIS. Yeah.


CAROLE THERIAULT. And you can see it's just basically different angles of the same room. And it's exactly the same apartment.


GRAHAM CLULEY. Oh, yes.


MARIA VARMAZIS. Uh-oh. Okay.


CAROLE THERIAULT. So Allie's snooping unveiled 5 accounts controlling 94 properties in 8 different cities that all seem to be suspiciously run by the same people. And she alerted Airbnb, but they showed little interest, and the active accounts remained open, and they did not respond.

And she started talking to people that left shitty reviews, and it turns out that she wasn't alone. And it turns out that, based on a bunch of small things in the small print inside Airbnb, there's things like if a guest stays even one night in a rental, it's difficult to obtain a full refund according to the Airbnb rules.


GRAHAM CLULEY. Hmm.


CAROLE THERIAULT. And if a host asks a guest to stay at a property that's different from the one rented, Airbnb advises the guest to request a cancellation if they're not okay with the switch. Right?

In both cases, the rules favor a would-be scammer and place the onus on the guests who have just parachuted into some place with their luggage and have nowhere to stay.


MARIA VARMAZIS. Oh, nightmare.


CAROLE THERIAULT. Right? And remember, this was back in 2019. And there's an update.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Because according to the Daily Beast's Josh Fiallo, he wrote that Shray— I don't know how you say this last name. It's G-O-E-L. Goel?


GRAHAM CLULEY. Shray Goel.


CAROLE THERIAULT. Shray Goel. He's the alleged Airbnb scammer. He was arrested just after Christmas this year.

Oh, and this was because Allie Conti published her very detailed piece in Vice way back in 2019. She got a call from the FBI wanting to hear more.

Here we are 4 years later, and Goel has been charged with wire fraud and aggravated identity theft. A 20-page indictment lays out how the self-proclaimed visionary real estate investor allegedly grifted millions by running a double booking bait-and-switch scheme.


MARIA VARMAZIS. Oh geez.


CAROLE THERIAULT. So he and his cohorts would contact the lower-paying renter at the last second. So he'd rent it to two people, one would be paying a little bit less.

They would contact them sometimes minutes before their scheduled arrival to tell them the property was unavailable for the entirety or a portion of their stay, right? And the indictment said that Goel would then offer to rebook those guests to an upgraded property free of charge.

And many would accept without properly reviewing the new lodging. And of course, the upgrade was usually inferior.


MARIA VARMAZIS. Yeah.


CAROLE THERIAULT. And this spanned over 100 properties throughout the US, including some California pads and rent-controlled buildings. And in total, they said he used fake profiles and deception to make more than 10,000 reservations on Airbnb that amounted to $7 million in payouts.


GRAHAM CLULEY. Wow.


CAROLE THERIAULT. It's a pretty lucrative scheme, huh?


GRAHAM CLULEY. Makes you a bit frightened of booking things via Airbnb, really, doesn't it? If this is possible.


CAROLE THERIAULT. You know, there's so many properties on there.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. The thing that I don't like is, remember at the beginning when Allie Conti was gathering evidence, Airbnb didn't want to know. And it's only when the FBI came knocking that they started playing ball.


MARIA VARMAZIS. Yeah.


CAROLE THERIAULT. And the worrying thing for me, what it suggests, is it's really hard to get your money back if you've been scammed on these platforms. The support isn't there, and that sucks.


MARIA VARMAZIS. Yeah, yeah.


CAROLE THERIAULT. But it does show that if you share your story of how you have been scammed or almost scammed, it can help other people, but it also can lead to arrests. So hat tip to Allie Conti.


GRAHAM CLULEY. Although it took 4 years. It's taken 4 years for this guy to be... It's a long time, isn't it? I mean, excellent work by the journalist for doing this and well done to the FBI for investigating this. Obviously it was complicated or whatever, but it's—


CAROLE THERIAULT. But, you know, if you're an Airbnb-er, maybe look at Google Maps, you know, use Google Maps to see the property beforehand. That's a way maybe of just checking that it actually exists because in some places, you know, they couldn't even find the property, and if they put you under pressure, try and ask you to switch up your reservation, just cancel it, and it puts you in a much stronger negotiation position. Because seriously, who wants to go away expecting a little chichi bijou something-something and end up in some crappy shithole shed flop house, whatever?

So you Airbnb-ers out there, take heed.

This episode of Smashing Security is sponsored by Kolide.

Wouldn't it be great if a device which lacked compliance or lacked security was denied access to your organization's SaaS apps and other resources? Because this would mean that the hackers who had nabbed the unlucky employee's credentials, for example, could not gain access to your assets.

It would effectively lock them out. Welcome to Kolide, a world where access is only given to approved secure devices.

As the administrator, you can manage every operating system, even Linux, from a single dashboard. Another bonus of Kolide: employees can often fix their own problems without involving IT support, meaning fewer resources are needed to effectively operate a more secure environment.

Kolide is the device trust solution for companies with Okta. Kolide ensures that if a device is not trusted or it's insecure, it is denied access to your cloud apps.

Learn more at kolide.com/smashing. That's k-o-l-i-d-e.com/smashing.

And huge thank you to Kolide Security for sponsoring the show.


GRAHAM CLULEY. Shortcut compliance without shortchanging security. That's what Vanta can bring your company. Expanding the scope of your security program with Vanta's market-leading compliance automation, saving your business time and money.

Vanta has over 5,000 customers around the globe who are saving over 300 hours in manual work and up to 85% of their costs for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more. And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on.

From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and prove security in real time. And as a special bonus, Smashing Security listeners can get a stonking 20% off Vanta.

Just go to vanta.com/smashing to claim your discount. That's vanta.com/smashing. And thanks to Vanta for supporting the show.

And welcome back and join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone can choose something they like. Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app, whatever they like. It doesn't have to be security-related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my Pick of the Week this week is not security-related. In fact, it's maybe not even a Pick of the Week. It might actually be a Nitpick of the Week.


CAROLE THERIAULT. Oh. Oh, gotta find that sting.


GRAHAM CLULEY. Yeah, well, back—


MARIA VARMAZIS. Starting 2024 with a bang, Graham.


GRAHAM CLULEY. Back in the day, I used to work with Carole Theriault at a security firm. And this is just an example of something which niggles me because it has to do with percentages. Because Carole and I, we used to do a press release each month. This is many years ago. This is 20 years ago.


CAROLE THERIAULT. Oh my God.


GRAHAM CLULEY. It's not that I'm serving up an old grievance here or anything.


MARIA VARMAZIS. No, no, no. Airing of grievances was last month during Festivus, Graham. You're a little late.


GRAHAM CLULEY. We would do a press release maybe saying the dirty dozen spam-spewing countries. And there were a number of anecdotes regarding that. Let's not mention the Pitcairn Islands. But anyway, the trouble we got into with them. There would be something, for instance, oh, you know, India has risen from 28% to 37% of all, as a percentage of all the spam spewed in the last month.


CAROLE THERIAULT. Basically a bunch of stupid numbers.


GRAHAM CLULEY. A bunch of stupid numbers, as Carole would mention.


MARIA VARMAZIS. But it got so much attention every time. Yes.


GRAHAM CLULEY. It was an easy way of getting coverage for the company we were working for.


CAROLE THERIAULT. Yeah, 100%.


GRAHAM CLULEY. So we would mention that a number would rise from, I don't know, 5% to 20%. You'd want to explain that in some way. And Carole would come back and she'd say, 5% to 20%, it's risen 15%. And I knew you'd be on this, Maria, because Maria's a maths nerd.

And she knows 5% to 20% is not a rise of 15%. It's 15 percentage points.


MARIA VARMAZIS. Indeed.


GRAHAM CLULEY. You have to be careful to say 15 percentage points. It's actually a 300% rise if you go from 5% to 20%, because how many 5s have you got, right? Sorry for being boring about this. Anyway, I'm not sure what my nitpick really is. Is my nitpick people who get percentages wrong in that way, percentage rises and percentage falls in that—


CAROLE THERIAULT. Are you kidding me? Are you kidding me?


GRAHAM CLULEY. No, I don't know.


CAROLE THERIAULT. So you went back 15 years to talk about something we had to do every fucking month that we hated. And you're like, no reason I brought that up.


GRAHAM CLULEY. Oh, oh, oh, is my actual problem, is my actual nitpick of the week with mathematics itself? Because maybe maths should simply be different. Maybe Carole is right that a rise from 5% to 20% should be able, you should be able to say that's a 15% rise.

I wonder if I'm just being too pernickety. I wonder if I've got this wrong. I'm just questioning all of reality right now. Maybe maths itself is wrong and it should be reinvented. So my nitpick of the week is percentages, but more specifically, mathematics.


MARIA VARMAZIS. It's existence.


GRAHAM CLULEY. Which I think it just needs to be corrected. Maria, what's your pick of the week?


MARIA VARMAZIS. Okay, Graham, for your nitpick, there was an interview with an author I heard on the radio. Her name is Eugenia Cheng, and she wrote a book called Is Math Real?

And I think you gotta read that book. I'm gonna make that a sort of semi-pick, 'cause it's—


GRAHAM CLULEY. Is math real?


MARIA VARMAZIS. Yeah, is math real? Yeah, and she's a mathematician, so.


GRAHAM CLULEY. All right, we'll put a link in the show notes so people can read it and then tell me what it said.


MARIA VARMAZIS. She gave a really fascinating interview on Science Friday, which is a great show here in the US, highly recommend. My pick of the week is a television show that just completed its second season, and it is called Julia.

And some people might be able to guess that, yes, it is about Julia Child, the—


GRAHAM CLULEY. Ooh! Yes!


MARIA VARMAZIS. She was the pioneering television chef who was really, really popular in the '60s especially, but beyond, you know. And she broadcast on US public television from WGBH in Boston, which is my home station.

She is very beloved here in the Boston area where I live. And she's very famous in North America, I would say. I don't know if she's as well known outside.


CAROLE THERIAULT. Yeah, she basically went to France with her husband. He worked, she decided to become a cook.

She turned out she was amazing at it, came back home and did the show, and it was like a superstar.


GRAHAM CLULEY. So she's America's equivalent to Delia Smith or Fanny Craddock or something like that.


MARIA VARMAZIS. Basically like a biopic, TV series. So it's really taking its time with Julia Child's story, starting about how did she end up becoming a TV chef.

And the interesting thing is, she is being played by Sarah Lancashire, who is a British actress and absolutely nails Julia completely. So, I had no idea that she was not American, but she did a great job.

And aside from the fact that the story is fascinating and the series is extremely well done, one of the reasons I love it is they actually— this series has taken pains to get things accurate in terms of how it looks. They filmed a lot of the show right here in the Boston area.

So, there are many scenes at a diner that is in my city that I sit in with my daughter all the time, and I recognize it. And Julia Child is very much like a beloved Boston hero.

And so the fact that they actually didn't say, we're just going to put it all on the soundstage in LA, and they filmed it out here, to me adds a lot to the color and the flavor of the story. So, I've really enjoyed it so far.

It's honestly been one of my favorite TV shows I've watched in a while. It's available in the US through HBO, and I believe in the UK you can watch it through Apple TV.

I have no idea outside of those two, I'm sorry, but it's widely available, so I recommend it highly. It's just called Julia.


CAROLE THERIAULT. I have not seen it, but I'll keep my eyes open.


MARIA VARMAZIS. I think you might really like it, Carole. I really do.


GRAHAM CLULEY. It sounds up your street, Carole, because you're a big chef, aren't you?


CAROLE THERIAULT. Thanks, Maria.


MARIA VARMAZIS. You got it, Carole.


GRAHAM CLULEY. Carole, what's your pick of the week?


CAROLE THERIAULT. Well, mine is a detective series. So for some reason, when my cousin was over during the holidays, we started talking about that show Naked Attraction. Do you remember that, Graham?


GRAHAM CLULEY. Graham Cluley.


CAROLE THERIAULT. Yeah, right. I think we've talked about it in the show, people, old-timers out there, you'll remember we've talked about this, but basically I assumed it had been canceled right after the first season because who would? But no, it's still going. There's 7 series.


GRAHAM CLULEY. I'm surprised the whole channel hasn't been canceled. It was basically for exhibitionists, wasn't it? That's the point of the show was they would pull up a little drawbridge to reveal your— So it was a dating show, but based initially upon whether you fancied someone's genitals or not.


CAROLE THERIAULT. Well, it's a dating show where you have 3 potential dates, and you get to gauge which one you choose based on their nude bodies. Completely nude. Junk and stuff nude. Basically, if you want to check out naked bodies, you want to see people in the nude, this show is for you.


GRAHAM CLULEY. No!


CAROLE THERIAULT. But that's not my pick of the week, okay?


MARIA VARMAZIS. Oh, okay, all right.


CAROLE THERIAULT. Because we watched one show, and we're, oh my God, look! He's so— look at his penis. And then we got bored.


MARIA VARMAZIS. How many penises can you look at? That's true, right?


GRAHAM CLULEY. Graham, don't answer that.


CAROLE THERIAULT. We were scouting around Channel 4 and I found this show called Before We Die.


MARIA VARMAZIS. Oh my God.


CAROLE THERIAULT. Now don't let the name put you off. Before We Die is a British crime drama series based on a Swedish series of the same name by Niklas Rockström.


GRAHAM CLULEY. Sounds cheery already. Yes.


CAROLE THERIAULT. I know, I know. Okay. Series 1 opens with DI Hannah Laing, that's played by Lesley Sharp, and she launches a manhunt when her secret lover, also a cop, goes missing. And then, soon, it seems that a Croatian mafia-esque family known as the Mimica are involved. And maybe there's also a leak inside the cop house, maybe. And I can't tell you anything about series 2 'cause it continues the same storyline. But I love the Croatian angle, right? 'Cause I love the sound that accent makes, and the actors are Croatian. And I love Mama Mimica. She's the head honcho of the family. Just great playing the mom queen. And you're both very quiet. You've fallen asleep.


MARIA VARMAZIS. I'm just listening.


GRAHAM CLULEY. Normally I'd be on the phone to someone else chatting while you're talking, but no, on this occasion I'm just listening to you. Sorry about that.


MARIA VARMAZIS. I'm just wrapped. I'm listening. Okay, okay.


CAROLE THERIAULT. I found it quite fun, and I hated the title, Before We Die, but we got it from Channel 4 streaming service. Or failing that, if this sounds really boring, you can also find Naked Attraction there, and you can look at boobies and dongs. I'm just giving, you know, no judgment, just whatever your thing is. Yeah, Rule 34.


MARIA VARMAZIS. Mega pass.


GRAHAM CLULEY. Well, one of those suggestions was a great Pick of the Week, and the other one could have been a Pickle of the Week. Who knows?


MARIA VARMAZIS. But not a sticky pickle though.


CAROLE THERIAULT. Boom!


GRAHAM CLULEY. That just about wraps up the show for this week. Maria, I'm sure lots of listeners would love to follow you online or find out what you're up to. What's the best way for folks to do that?


MARIA VARMAZIS. Well, I host a daily show for space professionals called T-Minus Space Daily, which you can find at space.n2k.com. And I also am on Sticky Pickles with Carole, so you can look up either T-Minus Space Daily or Sticky Pickles, either one, you'll hear my damn voice.


CAROLE THERIAULT. So, beautiful voice.


GRAHAM CLULEY. Tremendous. And you can follow us on Twitter at Smashing Security, no G, Twitter allows us to have a G, and you can also look up the Smashing Security subreddit. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.


CAROLE THERIAULT. And massive shout out to our episode sponsors, Vanta and Kolide, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 353 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye, au revoir.


MARIA VARMAZIS. Maria, super! Oh, thank you for having me on. Always a delight.

-- TRANSCRIPT ENDS --