Afternoon Cyber Tea with Ann Johnson 6.14.22
Ep 54 | 6.14.22

Implementing Stronger Authentication
Dave Bittner: So today we're talking for our "Hacking Humans" podcast, which, of course - the focus there is social engineering and scams and those sorts of things that people fall victim to. I'm curious. You know, as someone who's been in the industry for a while, do you have recollections of when this first started to come on security professionals' radar as a real thing?

Ann Johnson: You know, it's an interesting question when you think about social engineering because I remember probably 2002 - it might have been 2003 - there was a Harvard Business Review article that talked about the September 11 attacks in the United States and talked about how they were largely social engineering attacks by the actors that actually ended up boarding the plane, that they had tested everything, that they socially engineered their way past airport security, past ticketing and really using human psychology to actually launch the attack. 

Ann Johnson: And they made the parallel to cyberattacks. And we had been discussing social engineering, and why the timing hits me is because we had only been discussing social engineering for probably a few years prior to that. And just to see how the actual concept of social engineering is this concept that, you know, folks can use both physical attacks as well as cyberattacks - it resonated with me at that point in time. So we're at least 20 years plus into talking about social engineering. 

Dave Bittner: Yeah, it's funny. I mean, I remember thinking back to my own early days, you know, back in the - I guess the '80s, the eight-bit computer era, you know, with phone phreaks. And so much of the things that they were up to was social engineering to make your way across what was the telephone - the global telephone network at the time but calling up and pretending to be someone you weren't. 

Ann Johnson: Yeah, exactly. So, I mean - and if you just think back to espionage, core espionage - right? - I mean, core espionage... 

Dave Bittner: Right. 

Ann Johnson: ...Is social engineering. So we just gave it this fancy new term. But at the end of the day, it's really the manipulation of human beings to do something they wouldn't normally do to further whatever nefarious cause you want to further. 

Dave Bittner: And as you look at things today, I mean, where we stand, what's your take on the state of things when it comes to social engineering and the scams we see? 

Ann Johnson: You know, it's interesting because I can tell you - and I'm going to give you a little bit of a personal anecdote. I think today alone - and it's not even quite noon on the West Coast, which is where I'm based - I have received six different phishing, smishing attacks. So texts to me trying to lure me to click on some type of link that are actually not simply generic - there's something that feels a little more targeted. And I'm talking to folks I know in the industry about the proliferation of smishing-type attacks as well as social engineering attacks related to account fraud, trying to get redirected money. You know, you get an email from a small company, supposedly your CFO, and they want you to send money to an account or CEO. So send money to this account. 

Ann Johnson: We - I will tell you that from a state-of-the-industry standpoint, I think we're doing a reasonable - and that's the word I'll use - job with core phishing attacks because phishing attacks have also become very sophisticated in that you can't count on typos and those type of things anymore. And the company logos look legitimate. But I think our technology and our machine learning engines have gotten pretty smart in detecting core phishing attacks. But, you know, much like anything else, once you stop the actors from using one vector, they're going to use another vector. And it's the same type of attacks - right? - and these, you know, account takeover attacks and money redirect attacks and, like I said, this proliferation. And it's been only in the past 60, 90 days that smishing attacks have really been on the increase. 

Dave Bittner: You know, you - as an executive at Microsoft, you know, Microsoft has the sort of dubious distinction of having a particular scam that uses Microsoft's name, the Microsoft Tech Support Scam, where people call up and pretend to be from Microsoft. And I suppose that's sort of the two sides of the coin of being such a large presence in the industry that, you know, folks are actually summoning your - using your good name against you. 

Ann Johnson: Well, it is. If you think of the IRS every year around this time, you know, the U.S. Internal Revenue Service, which, you know, is our tax service - right? - everyone files their taxes around this time of year. And the IRS also, you know, constantly is parading the public of, you know, the IRS will never call you. The IRS is never going to ask you over the phone for your Social Security number. You see it from police agencies. You see it from, you know, fire departments, we're never going to raise money doing this. Your banks will tell you, we're never going to call you. All of these things are relatively easy targets for an unsophisticated, you know, general population that doesn't - you know, really uses technology but just isn't super sophisticated with it. And the Microsoft, you know, attacks against - we're the support agent - you owe us money. I get emails probably daily. Some are blocked. Some aren't. But, you know, people want me to renew my subscription for something I never had a subscription for or trying... 

Dave Bittner: (Laughter). 

Ann Johnson: Yeah. Or trying to steal credentials. Your X - you know, your such-and-such account is locked. Well, I never had that account. So it's probably not locked. 

Dave Bittner: Right. 

Ann Johnson: But I'm a more sophisticated user, right? And I supposedly can look for these things and not be caught by them. But I - sometimes it doesn't matter because the attacks are so targeted, so sophisticated. 

Dave Bittner: Have you found yourself, you know, going down that path or, you know, caught yourself at the last moment saying, oh, I almost fell for that one? 

Ann Johnson: You know, it's funny. I - recently, I was looking at something, and I - to answer your question, almost. But I realized my bank would have never - it looked legit. I got an email that looked, like, legitimately came from my bank. It legitimate - and I said, you know what? My bank just wouldn't do that, right? But it took me a minute. I wasn't going to click the link. I was just - I paused. And the one thing people have to realize is that urgency. The bad actors use urgency. You must click this link now. I'll tell you a quick little story about my husband. He - and this was - this is probably 10 years ago. He called me in a panic, and he said - and I always handle our taxes. And he said, we've been audited, and if I don't send $500, you know, right away via credit card - I got a phone call, and if I don't send the $500 to pay off this audit, you know, they're going to, you know, take further action. And I'm like, OK, slow down. You know, this is a known scam. 

Dave Bittner: (Laughter). 

Ann Johnson: But he was - 'cause he didn't handle our taxes, and he thought that I hadn't paid something. And he just - he was like - literally almost fell for it, no fault of his own. The person on the phone sounded so legitimate to him, that they were going to raise the fines or take further action or confiscate properties. Like, yeah, we need to give him the credit card. But, you know, he paused long enough to call me and ask, right? And that's what they don't count on. You know, they got him live on the phone, and they launched this whole - and he's like, look; we're going to have to call you back, and the other person's trying to deter him from calling back, right? If someone is behaving like that, even if you're not technologically sophisticated, if someone's trying to pressure you in the moment to do something, trust your gut. Trust your instincts and pause. What I tell my family is, if you ever get a call from someone claiming to be the bank or the credit card company, say, oh, you know - be very polite and respectful, say, OK, I'll call you back, and then call them back on the number that's either on the - you know, your known - a known number on the back of your credit card or the bank's legitimate number from their website and call back. I said, but don't ever take the inbound call and take action from an inbound call or an inbound email. 

Dave Bittner: You know, I think the point you bring up about pausing is so critical. And also, having someone to bounce these things off of, to have a - you know, have a buddy who you can say, so this thing is happening, and I'm not sure what to make of this. So many scams, I think, could be slowed down or stopped if we just took the time to do that. 

Ann Johnson: It's true. And we're getting to the point where, you know, we're having digital natives - right? - coming into the workforce. You know, the younger millennials, the older Gen Z, they're digital natives. So they're going to be less susceptible to these things. But then a generation like, you know, the boomers or this - even the silent generation - right? - that, you know, have exited the workforce. You know, I'm a solid member of Gen X. We started with technology, you know, in high school, right? You know, first computers... 

Dave Bittner: (Laughter) I'm with you. I'm with you. 

Ann Johnson: Yeah. Yeah. 

Dave Bittner: Yeah. 

Ann Johnson: We started with computers in high school, so we're not digital natives, but we are a little more aware. But all that means is the actors are going to have to be more sophisticated, right? They're going to find different ways. They're not going away. They're not going out of business. They're going to find different ways to steal money from people. And they will continue to persist. And one of the things - and we probably don't have time to do in depth here. But, you know, crypto is a big enabler of fraud because once a transaction is done, it's theoretically untraceable, and it's gone. And that's - as you know, we've seen a huge increase in ransomware that's almost directly tied to crypto. We're going to - as more and more people start, you know, developing crypto accounts and starting to put their funds in those types of things, we're going to see more and more attacks launched with NFTs and crypto and just the theft of things that could be converted to money - right? - or converted to digital currency at least. 

Dave Bittner: What do you suppose is on the horizon here? I mean, we have these efforts to go passwordless, you know, things like that. Do you suppose they're going to gain traction? 

Ann Johnson: Yeah, absolutely. So we launched, as you know, our passwordless initiatives for our consumer accounts last fall. And we have - know that there is a need, but there's a tremendous amount of education that's still required. Getting people - it was funny because - I'll tell you this. There's this industry impetus around FIDO2 that's wonderful and around authenticators. The challenge now is - I was working with an account outside of Microsoft today, and I realized that I have three different authenticators on my phone now. I don't think your... 

Dave Bittner: (Laughter) Yes. 

Ann Johnson: Yeah. I don't think your average user is going to want to manage three different authenticators, right? 

Dave Bittner: No. 

Ann Johnson: Yeah. So I think that we still have a need for - to drive simplification and standards in the industry and some type of methodology that people are comfortable and able. It's ease of use, right? Passwordless adoption is going to significantly increase when we have more ease of use for end users because you know, those of us who are - and you know this. I was at RSA for 14 years, so I can appreciate... 

Dave Bittner: Yeah. 

Ann Johnson: ...All kinds of 2FA, multifactor auth. But I understand it super well. Even your average cybersecurity user isn't exactly an expert in, you know, authentication methodology, and that's leading us to this place where we need to continue to be on a mission to be passwordless. But the adoption rates have to be driven by ease of use. And having three authenticators is a suboptimal experience. 

Dave Bittner: Yeah. I believe - I have been in that boat where I've said to myself, which authenticator did I use for this account? And I - you know, I'd find myself banging my head against the desk sometimes. I think even, like - you know, like yourself, I consider myself on the sophisticated side of the user spectrum. I would put you above me, certainly (laughter). But I think what's interesting is that even at that level, when the stuff doesn't work, it is so frustrating when it is a roadblock getting in your way of just wanting to do the things you want to do on your devices. And, you know, the trust is so easily given up when you run into one of those frustrating situations. 

Ann Johnson: Yeah. So I'll tell you something funny. My husband knows I pick on him every once in a while about security. He's a tech - he was a tech - he's retired now. But he was a tech guy but not a security person. He was really super frustrated with a particular app - and I'm not going to name the vendor - that he had on his phone, where he had to... 

Dave Bittner: (Laughter). 

Ann Johnson: ...Where he - I had insisted he enable strong authentication to the app, so, you know, he enabled strong authentication to the app. But then he also had to reauthenticate at the time of transaction. And that friction for him - I said yes, but all you have to do - and this was a time when we were still using our thumbs on our phone more than our faces. I said, yeah, all you have to do is put your thumb on the (laughter) - you know, thumb on the home button one more time. This is like... 

Dave Bittner: (Laughter) Right, right. 

Ann Johnson: But even for him, this - you know, somebody who had been in tech his whole career - that was too much friction. He was really angry that I had made him set it up like that. And he's like, I just can't believe you did this. And I said, well, you know, you want to authenticate again at the time of transaction for something this app - that could be a larger transaction, you know? Again, we as an industry have a ways to go to remove as much friction as we can from the user experience. And then users will be using stronger authentication much more freely. 

Dave Bittner: What role do you suppose, you know, the leading organizations, the Microsofts of the world have to play in this? Is this a situation where Microsoft can say, hey, we're doing away with passwords, so, you know, you kind of get on the boat here? 

Ann Johnson: So we've done so much. So our first - you know, our first approach is obviously to work with all third parties that support FIDO2. We have the Microsoft, you know, Authenticator that we have put out. We have Windows Hello for Business that you can use, you know, facial recognition as an example. And we're working with all of the different FIDO2 vendors like YubiKeys if someone wants to carry a key, right? We want to make - we - and we've built technology into our Azure Active Directory to support passwordless configuration. So you can choose what type of passwordless methodology or what type of passwordless authenticator you want to use. That's the first step - right? - is making it really pervasive and adopting as many industry standards as we can so that the people who are building applications can build to it. The second step is doing things like enabling it in our consumer accounts. Now you can choose to be passwordless on your consumer account and just use your authenticator or use whatever experiences that you choose to use because again, we've built those integrations in Azure Active Directory. The third step, Dave, is what you said, saying now we're only passwordless. We're not there yet because we still need to remove some friction from the industry. But step one is making the experience better by having a lot of alternatives and adopting user standards. Step two is then adopting it ourselves within both our work and our consumer accounts. Step three will come to the point where we say, OK, your only option is passwordless. We're not quite there yet. 

Dave Bittner: Are you optimistic that we can get there, that this is going to be something in the future we'll look back on and, you know, look at those days and say how - you know, how did we ever stand for that? 

Ann Johnson: You know, it's - I want to be optimistic. Let me tell you, as someone who's started her career in strong authentication - and we only saw a significant improvement in even enterprise users using it during COVID because they were required to because they were working from home so much. But we still haven't - you know, we still, all these years later, haven't really come to the place where there's this massive acceleration. I believe that we will get there because it will be easier, especially from a consumer experience. You use strong authentication every day on your consumer device. You don't even know it if you have a smartphone, right? If we can just talk about it in those terms and make it consumable and make it accessible for people, then we will get there. But it's been a slow ramp so far, so I'm just remaining optimistic that at some point in time, we will finally cross the chasm and be there and have much, you know, greater than 67% adoption.