Hacking Humans 10.20.22
Ep 217 | 10.20.22

The difference between shallow fakes vs. deep fakes.
Martin Rehak: Be very careful to whom you entrust your data and what kind of information are you sharing and how because if someone asks you to email your confidential information or a picture of the ID, it can be misused very easily.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We got some good stories to share this week. And later in the show, Martin Rehak, CEO and founder at Resistant AI, is talking about both deep and shallow fakes. 

Dave Bittner: All right, Joe, before we jump into our stories this week, we have a bit of follow-up. I will read it here. It's from a listener named Joe who writes in and says Joe's statement about not using legacy OSes is unfortunately not an option for many of us. My former employer was a moderately large mechanical contractor, and our manufacturing facility had a number of older machines running legacy OSes - sheet metal laser cutters running XP, a few lathes running DOS still. Costs to upgrade these were in the 5- to 6-0 range... 

Joe Carrigan: Right. 

Dave Bittner: ...And the management felt that while it was still working, why pay to upgrade versus buying a newer machine? Secure network to us, therefore, meant no network, essentially... 

Joe Carrigan: Right. 

Dave Bittner: ...Air gapped, no network connections other than between the onboard systems for that specific machine - loaders versus cutters - and all files were sneakernetted via managed USB sticks or, in the case of the lathe, printouts that got entered via the keypad. 

Joe Carrigan: Right (laughter). 

Dave Bittner: Old school (laughter). 

Joe Carrigan: Have you ever seen a lathe keypad, Dave? 

Dave Bittner: I don't believe I have, no. 

Joe Carrigan: I - you know, in high school, I worked in a machine shop. And we had a Hitachi lathe. I don't know what the operating system on it was. But, I mean, watching the machinist enter the - he was trying to explain to me how it worked. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, you just have to select a tool. And then because it's a lathe, you're working pretty much linearly in two directions. It's not really a 3D kind of thing. 

Dave Bittner: Yeah. 

Joe Carrigan: But it was - or at least that's the way I remember it. I may be wrong. Somebody's probably going to write... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...In to say, Joe, you're not a machinist. I'm - yeah, I never was. But, I mean - but it was tedious watching this guy program this thing directly on the machine. 

Dave Bittner: Right, right. Joe continues and says, I left before the last CMMC audit, so I don't know if it was good enough, but my old team hasn't been complaining about that specifically lately, so I'm guessing it was good enough - that or the new management's other initiatives are just bigger pains in their sides (laughter). 

Joe Carrigan: Right. So this is kind of my point with this. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, you have these old legacy systems. And he's right - the cost to upgrade them is enormous. 

Dave Bittner: Right. 

Joe Carrigan: And, you know, we talk about if it - I think we were talking - the sentence we were using, if it ain't broke, don't fix it, right? 

Dave Bittner: Yeah, right. 

Joe Carrigan: Well, if I can operate this thing without having to connect it to a network, that's fine. I don't have a problem with having an XP machine sitting alone, running a lathe or a sheet metal cutter, as long as it's not networked to anything. 

Dave Bittner: Right, right. 

Joe Carrigan: But the moment you plug that thing into any other network, the moment somebody else finds it, they're going in. 

Dave Bittner: Yeah. 

Joe Carrigan: So keep it off the internet. Of course, you don't work there anymore, Joe. So that's not your problem, really. But... 

Dave Bittner: Right, right. 

Joe Carrigan: Which is good. But yeah, I mean, just make sure these things never get connected to the internet. And they were probably never engineered to connect to the internet. When was the last time a machine was running DOS? It's been decades, before people started envisioning these kind of things. So it's - this is what I would call operational technology, and it needs to be isolated. 

Dave Bittner: Yeah. 

Joe Carrigan: And it sounds like they're doing it fine. And he's right. The cost to upgrade it is prohibitive. 

Dave Bittner: Yeah. And I think he brings up a good point, too, which is that, you know, it's easy for folks from the security side to say, you know, patch your systems... 

Joe Carrigan: Right, right. 

Dave Bittner: ...And don't run outdated OSes. But, you know, meanwhile, here in the real world, it's... 

Joe Carrigan: Yeah. Exactly. 

Dave Bittner: ...Not always easy to do that. 

Joe Carrigan: And I think... 

Dave Bittner: And so... 

Joe Carrigan: That's what I was... 

Dave Bittner: ...You need to be empathetic about that. 

Joe Carrigan: That's what I was trying to say, actually, is... 

Dave Bittner: Yeah. 

Joe Carrigan: ...You know, the manufacturer goes, well, just put it on a secure network. And there is no such thing as a secure network. And the only option is just to air gap it... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And not put it on any network, which works because you can get the files off it. And we see this in hospitals, too, with, like, 20-year-old MRI machines. There is nothing wrong with the MRI machine except for the fact that it's running Windows XP. So just don't connect it to the internet. 

Dave Bittner: Yeah. I had a friend who - this was years ago. But he was making a pretty penny finding and refurbing old Apple II Pluses because there was some legacy machine that the Postal Service used that was still (laughter)... 

Joe Carrigan: Still running on Apple II Plus? 

Dave Bittner: ...Running on Apple II Pluses. Right. And he was an old Apple guy from, you know, the old days. So he had the skills to be able to, you know, know whether one of these machines was running properly and was refurbed and to handle all of this stuff. But, you know, you never know how far back this stuff goes. Every now and then, you'll hear about some system, you know, in a barn somewhere that's... 

Joe Carrigan: Right. 

Dave Bittner: ...Still running on an old TRS-80 that is running the milking machines or something (laughter). 

Joe Carrigan: See, this is a great example of a - of kind of the same problem we're talking about. This is the postal service running a - an operational technology on a consumer-based machine... 

Dave Bittner: Right. 

Joe Carrigan: ...Consumer operating system, which is what all these things are doing, you know, with Windows XP boxes or DOS boxes. Those are consumer-level operating systems. 

Dave Bittner: Yeah. 

Joe Carrigan: But to go with something like a real-time operating system or with a - like IBM, it's going to be much more expensive to do that... 

Dave Bittner: Sure. 

Joe Carrigan: ...Even though you'll get the longer-term support from a company like IBM than you will from a company like Microsoft. 

Dave Bittner: Yeah. 

Joe Carrigan: It's just going to price you out of the market 'cause the other guy's going to go with Microsoft and put a hundred-dollar OS and a $500 machine on it. 

Dave Bittner: Right, right. Yeah. All right, well, a point well made, and we appreciate Joe writing in with his insights. Of course, we would love to hear from you. Our email address is hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, let's jump into our stories this week. I actually have two stories, both quicker ones. The first one is just a quick reminder. I actually got an email. This is from Brian Frosh, who is our attorney general here in Maryland. 

Joe Carrigan: Yes. 

Dave Bittner: And they sent out a consumer alert warning people to be aware that, after Hurricane Ian and, indeed, any time there's a natural disaster weather event like this, the market tends to get - and I'm - no pun intended - flooded with damaged cars, cars that were marinating in the water down there for who knows how long. 

Joe Carrigan: Right. 

Dave Bittner: Right? And those cars get bought at salvage auctions, and there are folks who rebuild them and refurb them. But the title on them should be marked as being a salvage or a total loss. But there - of course, there are dishonest people out there who kind of launder the title, hide the damage and then offer those vehicles for sale. So... 

Joe Carrigan: I imagine that if you move them from one state to another, it becomes much easier to do that. 

Dave Bittner: Probably. Yeah, probably. So, you know, this is just a warning to be on the alert of that - obvious things like musty odors and, you know, those sorts of things. But it's just a good reminder that if you - and also because the used car market is still pretty tight right now. 

Joe Carrigan: Right. 

Dave Bittner: And, you know, prices are high. And so to have a bunch of cars hit the market - just, you know, buyer beware. 

Joe Carrigan: Right. As an aside, I'll be doing a presentation with the CASH Campaign of Maryland and Attorney General Brian Frosh on Thursday, the day before this podcast comes out. But you'll still be able to see the recording of the meeting on the CASH Campaign of Maryland's website. 

Dave Bittner: Oh, OK, perfect. Check it out. My main story, though, comes from the folks over at Gizmodo. This is written by Passant Rabie. And I'll just read the title. It's "An Imposter Claiming to Be an Astronaut Wooed a Japanese Woman Into Paying for a Return Ticket to Earth." 

Joe Carrigan: We had this as a Catch of the Day when it first started being a scam. 

Dave Bittner: (Laughter). 

Joe Carrigan: And at the time, we said, we see - this seems ridiculous to us, but it doesn't to somebody else. 

Dave Bittner: Yeah, well, this is - a 65-year-old woman in Japan paid the equivalent of about $30,000 in this online scam. The scammer claimed to be a Russian astronaut, so I suppose that would be a cosmonaut... 

Joe Carrigan: Cosmonaut, right. 

Dave Bittner: ...Who was looking for a ticket back to Earth. And it's a standard - it's the classic story. This person reached out to this poor woman, started a conversation, which led to an online romance... 

Joe Carrigan: Right. Very quickly into lovey-dovey things. 

Dave Bittner: ...Right - and then started asking for money, but claimed that, in order to get home, where he promised a relationship, he needed money to pay for his trip home. 

Joe Carrigan: Right. 

Dave Bittner: And, of course, that's not how any of this works (laughter). 

Joe Carrigan: No. 

Dave Bittner: If you're up on the ISS... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Return service is guaranteed. 

Joe Carrigan: Yes, one way or another. 

Dave Bittner: Yeah. That's right. This article points out that space agencies like NASA pay about $50 to $55 million to get its astronauts up to the ISS, and that price does include a return trip back to Earth. 

Joe Carrigan: Yes. 

Dave Bittner: So it's funny to talk about. It's - it sounds funny. It is kind of funny in its absurdity, but it's not funny to the poor woman who is out $30,000 and... 

Joe Carrigan: Yeah, that's the tragedy here. 

Dave Bittner: ...Yeah, and also has, I suspect, a broken heart about this, too. 

Joe Carrigan: Sure. 

Dave Bittner: She really thought that - you know, I suspect, this was the man of her dreams. Who wouldn't want to have a relationship with an astronaut, right? It doesn't get much better than that, I would think (laughter). 

Joe Carrigan: Yeah, yeah. That's pretty glamorous, I would say. 

Dave Bittner: Yeah. That's right. That's right. So we'll have a link to the story in the show notes. Sad story - but, again, you know, worth spreading the word about that - as ridiculous as some of these things sound, people are out there falling for them. 

Joe Carrigan: They're going to work, right? 

Dave Bittner: Yeah. They're going to work. And this - in this case, this one did. All right, Joe, that's what I have for us this week. What do you have for us? 

Joe Carrigan: Dave, I also have two stories. My first story comes from Lauren Schwentker at KY3, which is - let me get the call letters up here. It's KYTV. Guess which state. 

Dave Bittner: Well, it's a K, so it has to be west of the Mississippi, but I don't know (laughter). 

Joe Carrigan: Ah, that's good. KYTV - KY3 - I would have guessed Kentucky, but that's not west of the Mississippi. But... 

Dave Bittner: OK. 

Joe Carrigan: You're right. It is from Missouri - Springfield, Mo. 

Dave Bittner: OK. 

Joe Carrigan: But I picked this one because I'm pretty sure I saw something like this recently right here in Baltimore. 

Dave Bittner: Oh. 

Joe Carrigan: Yep. It is - Springfield police warn drivers of "potential" funeral scam. And potential is in quotes on this. But there is a person standing - and they have pictures of it. A person standing in the street wearing a Day-Glo green vest with the reflective strips on it. And they are walking with a sign that says funeral for this person, and it has a picture. You can't really see on the picture here. But they also have a little bucket that they're using to collect coins or change. 

Dave Bittner: Oh. 

Joe Carrigan: So they're essentially panhandling, allegedly, for a funeral for someone who has passed away. It's kind of like the in-person version of the GoFundMe scam where somebody dies and immediately, scammers go out and they set up fake GoFundMe pages, just take the money and run, and the family never benefits from it. 

Dave Bittner: Right. 

Joe Carrigan: I doubt the family of this person also benefits from it. So, you know, my advice, don't give money to people at stoplights with - collecting for a funeral. The one thing that I do give money to is the fire department locally may do something called Fill the Boot where... 

Dave Bittner: Oh, yeah. Yeah. 

Joe Carrigan: ...It's a campaign to collect for some charity, particularly if it's paid fire - you know, a taxpayer-funded fire department like we have around here. 

Dave Bittner: Yeah. 

Joe Carrigan: Oftentimes, it's just for the fire department themselves to fund themselves. 

Dave Bittner: Right. 

Joe Carrigan: But it's really easy to tell that those are authentic because they have large, modern pieces of fire equipment... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Parked right there with their lights on. 

Dave Bittner: It's hard - yeah, it's hard to borrow a fire truck, right (laughter)? 

Joe Carrigan: Right. Yeah. The fire department is not really giving those out. So... 

Dave Bittner: No, no. 

Joe Carrigan: ...When you see that, OK, that's probably legit, right? 

Dave Bittner: Yeah. 

Joe Carrigan: It's probably actually firefighters doing this. This is probably not. 

Dave Bittner: Yeah. 

Joe Carrigan: So be aware. 

Dave Bittner: It's hard. You know, when you see folks at the - on the - at the street corner, your heart goes out to them very often, and... 

Joe Carrigan: Right. 

Dave Bittner: ...So it's hard. I understand the impulse to give them some money. But I suppose - I mean, would you agree that it's better to just give directly to an organization that helps folks? 

Joe Carrigan: Yeah. I would do that. Or... 

Dave Bittner: Yeah. 

Joe Carrigan: ...You know, my rule is if someone looks like they're hungry, I will buy them a meal. You know, but I generally don't give money to people. 

Dave Bittner: OK. 

Joe Carrigan: Just because I don't - I have that - always that fear of the scam in the back. And also I don't know - and I've talked to people about this and I've heard people say, you know, you don't - if you're going to give somebody money, you don't get to tell them what to do with the money... 

Dave Bittner: Right. 

Joe Carrigan: ...Which is legit. That's fair. 

Dave Bittner: That's my philosophy, yeah. 

Joe Carrigan: You know, go - I, you know, there's always the theory, oh, they're just going to spend it on drugs. Well, OK. But if I want to - you know, so I don't know. I do give to organizations that help people. 

Dave Bittner: Right. 

Joe Carrigan: But if I see someone who's in immediate need of food, I have, in the past, purchased food for people. 

Dave Bittner: OK. Yeah, cool. What else do you have for us this week? 

Joe Carrigan: My other one is not as nice. We haven't talked... 

Dave Bittner: (Laughter) Oh, no. 

Joe Carrigan: ...About one of these recently, but this is coming from Nick Bohr at WISN in Milwaukee. And it's a story about a kidnapping scam. 

Dave Bittner: Oh. 

Joe Carrigan: This is a woman - she's only being identified by a pseudonym in here, but she was called on the phone, and it was the same story we've heard before where there is someone screaming in the background and this woman is yelling - you know, this person yelling in the background is going, Mom, they're hurting me. Help me. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? And she goes immediately into panic mode. Now, fortunately, she has enough wherewithal to contact her husband and to start the process of finding out if her daughter is OK because the way these scams work is they just dial a random number and it's these people putting on this drama play that's really convincing. 

Dave Bittner: Right. 

Joe Carrigan: And they're telling you that they have your kid and that they're going to kill your kid if you don't pay up. So she was actually in the process of going to the bank and had gotten the money out of the bank and was getting ready to do something that they were telling her to just in case they had actually had her daughter. 

Dave Bittner: Wow. 

Joe Carrigan: But that's when her husband contacted her and said the child is safe. And once she had that verification from her husband, she knew the jig was up and she told them to go pound sand. And so the thing about this and the thing I wanted to bring up about this is this can happen to anybody at any point in time. 

Dave Bittner: Right. 

Joe Carrigan: So - and if this happens and you haven't ever thought to yourself, what would I do if this happened to me? - you're not going to have a plan immediately. Your emotions are going to take over, and your rational mind is going to shut down. 

Dave Bittner: Right. 

Joe Carrigan: There is nothing in the world more terrifying to any parent than the loss or harm coming to a child. 

Dave Bittner: Right. We talked about that's why when the school nurse calls, the first thing they say is everything's OK, but... 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: Exactly. 

Dave Bittner: Right, right. 

Joe Carrigan: That is exactly right. And I'm sure that the first call from the new school nurse - you know, the nurse that just graduated from nursing school goes in there and she calls and says, this is so-and-so from your child's school... 

Dave Bittner: Right. 

Joe Carrigan: ...What happened? 

Dave Bittner: (Laughter) Right, right. 

Joe Carrigan: You know... 

Dave Bittner: They learn it quickly. 

Joe Carrigan: ...That's a lesson that nurses learn very quickly. Exactly. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: Everything's OK, but - so I don't know how to tell people how to prepare for this other than the fact that they should know that it's a scam. But what do you do when somebody calls and says... 

Dave Bittner: Well, the thing I can think of is to have - to preestablish a buddy system. 

Joe Carrigan: Right. 

Dave Bittner: And that buddy could be your spouse, that buddy could be one of your kids, could be a friend. Doesn't matter, just someone you trust. And the two of you agree that if something like this happens, they're going to be your first call. 

Joe Carrigan: Right. 

Dave Bittner: And they're going to be the one who is of sound mind to be able to try to figure out if there's anything to this. 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: Yeah. 

Dave Bittner: To me, that's probably one of the best things you could do here, someone who's not in that heightened emotional state who can think rationally and help you figure out what - exactly what's going on here. 

Joe Carrigan: One of the big problems with this kind of attack is that it immediately occupies a device you need to reach out to somebody with, right? So you've got the scammer on the phone. They're telling you that they have your kid... 

Dave Bittner: Right. 

Joe Carrigan: ...Right? You can't just put them on hold and call the - call your wife or your buddy in this buddy system. You have to have that number committed to memory. I made a point about two years ago of memorizing my wife's phone number. This is a phone number she's had for 10 years? 

Dave Bittner: Yeah. 

Joe Carrigan: I didn't know it. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: And that's a problem. Because what happens if I lose my cellphone and need to contact my wife? 

Dave Bittner: Right. 

Joe Carrigan: You know, what happens - and here's what actually caused it to happen to me was somebody said - I was watching a video on YouTube and somebody said, what if you get arrested and you're being processed? They take all of your possessions, including your cellphone. How are you going to call your wife? I don't know. I don't... 

Dave Bittner: Right. 

Joe Carrigan: ...Know the number. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Now I know the number. Now, the number is in my head. 

Dave Bittner: Right. Yeah. I mean, I guess part of this, too, is that it'd be good to have a cover story for the scammers... 

Joe Carrigan: Right. 

Dave Bittner: ...To say, I'm going to put you on hold because I need to call my bank to make... 

Joe Carrigan: Right. 

Dave Bittner: ...Sure that the money is there... 

Joe Carrigan: Right. 

Dave Bittner: ...Or to see what I need to do to get the money out of the bank, right? 

Joe Carrigan: Yeah. Yeah. 

Dave Bittner: Because that will likely satisfy them that you're still going by their plan, not your plan. 

Joe Carrigan: Right. 

Dave Bittner: Right? 

Joe Carrigan: Right. 

Dave Bittner: So, you know, if you have something like that ready to go, maybe that would work. But you're right. It's a tough one. That's a tough one. 

Joe Carrigan: It is a tough one. And I hope it never happens to anybody. And I hope that if they - that law enforcement finds the people that do this. 

Dave Bittner: Yeah. 

Joe Carrigan: I really do. 

Dave Bittner: You know, one time I was visiting my parents, and I went to - my folks, you know, have a condo nearby. And I went and my mom was in the middle of a phone call with someone when I walked in. And I could tell she was agitated. 

Joe Carrigan: Yeah. 

Dave Bittner: And I said, Mom, what's going on? And she said, they're saying this and they - I owe them money and it's so-and-so. I said, hang up the phone, Mom. But they're saying this. Hang up the phone, Mom. 

Joe Carrigan: Right. 

Dave Bittner: But they're saying - hang up the phone, Mom. 

Joe Carrigan: Hang up the phone. 

Dave Bittner: She just - OK. And she hung up the phone. And I said, they're scammers. 

Joe Carrigan: Yeah. 

Dave Bittner: And they didn't - of course, they didn't call back. 

Joe Carrigan: Right. 

Dave Bittner: You know? But had I not been there... 

Joe Carrigan: Yeah. 

Dave Bittner: ...She could have gone down the path. 

Joe Carrigan: Sure. Sure. 

Dave Bittner: So sometimes you've just got to be lucky. 

Joe Carrigan: Yes... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Exactly. 

Dave Bittner: All right. Well, those are our stories this week. We will have links to all of those in the show notes, of course. Joe, it is time to move on to our Catch of the Day. 
Joe Carrigan: Dave, our Catch of the Day comes from Richard from Liverpool. You know, Dave, Liverpool needs to be rebranded with something nicer, I think. The name Liverpool - never really a fan. Kind of like, you know, they did with Scaggsville and... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Changing the name to Maple Lawn. 

Dave Bittner: Right. 

Joe Carrigan: (Laughter). 

Dave Bittner: Right. Yeah. OK. 

Joe Carrigan: Anyway, Richard writes, this is like some weird double bluff. Say it's genuine. It looks like a phish, though. Has spelling mistakes but keeps reiterating that it's genuine. I think it's genuine. Well, one doth protest too much. Dave, go ahead and take it away. 

Dave Bittner: Well, in honor of Richard from being from Liverpool, I'll say this. (Impersonating Liverpool accent) Security update. Please reset your password. Hello. We've been updating our website security system. So please reset your password to complete the security update for your account. You only need to do this once. We previously sent a security update from a different email address which raised some concerns. At Darts Corner we take the security of your data very seriously. So we are re-sending this email from this address so you know it's legitimate. We've added a banner to the homepage of our website so you know this is a genuine request. Once you've reset your password, you can take advantage of all the new website features, including faster loading, improved search and increased security. Reset my password or visit dartscorner.co.uk. If you have any questions or problems, please contact us using live chat on our website, reply to this email or contact us. 

Joe Carrigan: So that's the end of it... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Right? 

Dave Bittner: Yeah. 

Joe Carrigan: But here's the thing. Darts Corner is a site that sells dart supplies. 

Dave Bittner: Oh, like dart - like playing darts in a pub? 

Joe Carrigan: Yes. 

Dave Bittner: OK. 

Joe Carrigan: Every time I walk by a dartboard, there's some part of me that's - that gets childishly giddy about it. 

Dave Bittner: Really? 

Joe Carrigan: I love the idea of playing darts. 

Dave Bittner: OK. 

Joe Carrigan: Although every time I do it, I hurt my elbow. I think I'm doing it improperly. 

Dave Bittner: OK. 

Joe Carrigan: Perhaps I need to take dart lessons. Anyway. 

Dave Bittner: Yeah, they're not that heavy. 

Joe Carrigan: Right. This... 

Dave Bittner: (Laughter). 

Joe Carrigan: This is a legit email, I think. Because if you go to the - if you look up Darts Corner online, it gives you the same URL. And if you go to that URL, it does, in fact, say reset your password here. They've put a banner up on their front page. But this is - what I think this is, is an example of how to not notify your customers that they need to reset their password for security reasons. Because Richard is exactly right. This does look like a phishing email. Previously is misspelled in this email. And it reiterates over and over again - trying to - as Richard puts it, protesting too much. This is a poorly worded corporate communication. There's no shortage of those in the world, though. So I don't mean to rain on Darts Corner. But, you know, this is just an - one example of probably hundreds of thousands that come out every year. 

Dave Bittner: Yeah. 

Joe Carrigan: But this can be done better - No. 1, saying go directly to our website and click on the change my password link. 

Dave Bittner: Yeah. 

Joe Carrigan: But don't send an email with a link to change your password. That reeks of phishing. 

Dave Bittner: Don't you think it's remarkable that in this day of free spellcheck and grammar check in so many online tools that this stuff still happens? 

Joe Carrigan: Yeah. 

Dave Bittner: Right. 

Joe Carrigan: Yeah, it's - I do find it remarkable. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. I was typing something in Gmail recently, and it was making grammar recommendations to me. 

Dave Bittner: Yeah. 

Joe Carrigan: And Outlook does the same thing. 

Dave Bittner: Yeah. They all do. 

Joe Carrigan: Yeah. 

Dave Bittner: I mean, you know, what... 
Dave Bittner: All right. Well, our thanks to Richard for sending this in. We do appreciate it. And, of course, we would love to hear from you. If you have something you'd like us to consider for the show, our email is hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Martin Rehak. He is the CEO and founder at a company called Resistant AI, and we're talking about both deep and shallow fakes. Here's my conversation with Martin Rehak. 

Martin Rehak: So deepfakes are the hard and nonscalable way how to commit fraud. And I'm pretty certain their time will come in the future. But if you look at current fraud and if you looked at current financial crime, deepfakes are a very small minority. We talk about them a lot because they're interesting. They are technically exciting or something new. But hiding behind that attention is the - is a much more important way of shallowfakes. Shallowfakes are automatically produced fakes using traditional means. So this could be thousands of documents produced at scale, impersonating different people. You can buy a database of leaked Social Security numbers and addresses and other information, and you can produce documents using that information. And then you can put pictures of people you actually have working for you on those documents and then proceed with identity theft at scale, which is something that's quite lucrative. And these are the documents we keep encountering on a daily basis. 

Dave Bittner: And can you give us some examples of how folks are trying to implement this sort of thing - the types of scams they're trying to pull off? 

Martin Rehak: We see this mostly in the onboarding process of neobanks and other fintechs, but increasingly with traditional banks because digital onboarding is today's standard. So what we see is people opening accounts, or robots opening accounts pretending to be people. And these so-called robotic identities are something that's inherently scalable. 'Cause what people haven't realized, by turning finance, as a human-driven service, into something that's purely technological, is that by turning a process into code, you're opening yourself to a whole new category of attacks that go after the weaknesses in the code. But these weaknesses are not network security or system security issues that our cybersecurity colleagues deal with. But these are weaknesses in the process. 

Martin Rehak: And sometimes they are amusing. You have people identifying with inflatable dolls. So - because if you don't think about all of the possible options in the algorithm, you say, I want to have a look at the ID card. I want to have the look at the person. I want to match the face. But what if the face is an inflatable object? Because what you talked about was what it means to be a 3D face. OK, it's a 3D face, but actually, it's a doll. And then you think, OK, it needs to be alive, but then someone fakes an ID of a cat. We have seen this. We have seen an ID card with a picture of a cat on it, which, if you are a regulated financial institution, doesn't look very good in your data when someone comes to inspect. 

Dave Bittner: Not a good day for the audit, right? 

Martin Rehak: Well, at least you remember that day for the rest of your life. So... 

Dave Bittner: That's right. 

Martin Rehak: And so does the auditor. 

Dave Bittner: So that's fascinating. I mean, and so what is to be done to protect people against this? How are you detecting these sorts of things and putting mitigations in place? 

Martin Rehak: So it's a daily escalation battle because what we see is that the fakes are getting better and better on a daily basis. They used to be quite amusing initially because when you had the first generation of OCR working on ID cards, the software was so fragile that it was very happy to read any kind of number. So people just took a Post-it note, put it on a stolen ID card with a different name. They changed a bunch of numbers with Post-its, and it was accepted. These are the old days. It doesn't - it shouldn't work anymore. It does occasionally. 

Martin Rehak: But people are getting better. So now they are producing fakes that are, for humans, completely distinguishable. And we actually need to use AI and machine learning to catch those elements. And we need to use smarter and smarter algorithms by day because the opponents against us are improving on a daily basis. 

Dave Bittner: So what kinds of things do the artificial intelligence look for? I mean, are there specific tells here that the humans miss? 

Martin Rehak: What I'm wondering whether you want to commit some fraud today... 

Dave Bittner: (Laughter). 

Martin Rehak: ...Or whether you are just asking. 

Dave Bittner: It's a fair question. It's a fair question (laughter). 

Martin Rehak: It's a very fair question. So the way how we operate is that we don't look for any specific thing because then if I misspoke in this interview, you would know what to do. And we don't definitely want you to become a criminal. You are too smart for that. 

Martin Rehak: So what we do is that we look at conjunction of hundreds of parameters. So in the ideal case, we look at everything from what is the ID card, how is it positioned on the table, what are the different angles, what is the table behind it, how is it photographed to doing analysis of what is actually written on the card through basically understanding the data, understanding the state, the issuing organization and all those things. And then we build a holistic view. But we also look at the behavior of people or onboarded identities throughout the process. So we see how they interact with the IT environment. We see how they transact after having been converted. We know what they do. And by looking at all this range of data, we can make the best decision available. 

Dave Bittner: What is your advice for people who think this might be something that they should be concerned about? 

Martin Rehak: Well, depends whether you are a fintech or onboarding manager in a bank or whether you are an individual who's concerned about their own security and privacy. So for an individual, I would say, don't let your personal data be stolen, which is a very easy thing to say. But it means, be very careful to whom you entrust your data and what kind of information are you sharing and how - because if someone asks you to email your confidential information or a picture of the ID, it can be misused very easily. Some check-in processes in different locations are basically indistinguishable from onboarding in a bank. 

Martin Rehak: So what we have seen happening is that people enter the building. The receptionist asks them, oh, can you show me your ID? But the receptionist actually has already opened the application for account opening, takes a picture of the person, takes a picture of the ID, passes the identity verification step and then opens an account in that person's name. That's very simple. We have seen this same operation in a homeless shelter, where you essentially provide all of the nice services. You give new clothes to homeless people, but then you also steal all of their identity and all the money they might have had. That's not how you should behave. And you should be very careful when someone asks you to prove your identity. 

Martin Rehak: For a bank, you need to be thinking two or three steps ahead. If you are a fintech or if you are a bank or lending money - and these companies are specifically being targeted, obviously - you need to think two or three steps ahead of the attackers. It's not only, how did I stop the guy yesterday, and I'm not losing too much money last week, but it's how come - how do I make sure that I'm not losing money next month? How do I make sure that in two months I'm not going to go bankrupt because of the fraud that happens over the weekend? 

Martin Rehak: The danger of shallow fakes is they can be produced at scale, and this can happen very quickly. If you have a completely automated process, you can actually issue 1,000 clones per hour without knowing that. And if you walk into the bank on Monday morning and you learn that you issued 1,000 mortgages or 1 million each with no houses that actually exist - might be a small trouble for the bank. 

Dave Bittner: Joe, what do you think? 

Joe Carrigan: Dave, can you imagine the absolute nightmare situation of going through something with an auditor and finding that one of the verification documents for a know-your-customer requirement is a driver's license that has a picture of a cat on it? 

Dave Bittner: Yeah. That it would probably not be a good day (laughter). 

Joe Carrigan: Right. I cannot imagine being the employee that had to go through that and just going, oh, well, this is not right... 

Dave Bittner: Right. 

Joe Carrigan: ...'Cause I'm pretty sure Mittens here doesn't actually have a driver's license. 

Dave Bittner: No. Seems we've made a little mistake here... 

Joe Carrigan: Right. 

Dave Bittner: ...Small error. Yeah. 

Joe Carrigan: Shallow fakes - another term. It's probably a good name, though. We have cheap fakes, which are based on the idea that we just take a video and do things to it to make people look like they're drunk. We saw that with Pelosi and Trump during the Trump presidency. 

Dave Bittner: Right. 

Joe Carrigan: It was... 

Dave Bittner: They'll slow things down... 

Joe Carrigan: They'll slow things down. 

Dave Bittner: ...To make it look like they're slurring their words or - yeah. 

Joe Carrigan: Yeah. So the term deepfake comes from the fact that they are created with deep learning, which is an AI technique. 

Dave Bittner: Yeah. 

Joe Carrigan: And fake photos can be made with what are called GANs, which are something adversarial networks - generally - general adversarial networks? 

Dave Bittner: Yeah. I think that's right. Yeah. 

Joe Carrigan: ...Which is another AI technique. But if you apply GANs to something - other - or to make videos, I think we can still call them deepfakes. I think it's - everybody understands what they are. So I like the term shallow fake, even though it may not use deep learning. I mean, they might be using AI to generate fake documents for - pictures for fake documents, right? 

Dave Bittner: Right. Right. 

Joe Carrigan: But what they're doing is they're attacking the AI that's in place already. They're using AI to attack - or processes - to attack the AI. And they're trying to find weaknesses and vulnerabilities in these existing systems. 

Dave Bittner: Which AI? What do you mean? 

Joe Carrigan: The AI on the systems - on the verification systems, right? 

Dave Bittner: Oh, I see. 

Joe Carrigan: So - and when I say they, I mean the bad guys. 

Dave Bittner: Right. 

Joe Carrigan: What the bad guys were doing is trying to defeat these AI systems, the systems that look at it - it's a classifier. Is this a real driver's license? 

Dave Bittner: Yeah. 

Joe Carrigan: You know, that - nope, that's - has a picture of a cat. That's not a real driver's license. 

Dave Bittner: (Laughter) Right. Right. It's a very handsome cat, but a cat nonetheless. 

Joe Carrigan: Right. That's right. 

Dave Bittner: (Laughter). 

Joe Carrigan: And as we know, cats are notoriously bad drivers. 

Dave Bittner: Right. Yes, that is true. 

Joe Carrigan: They always swerve for the dog. 

Dave Bittner: It's been proven. 

Joe Carrigan: Yep. So now that bad guys are generating these fraudulent documents, and they're mostly using automation and maybe a little bit of AI for these cards. And now they're doing this at scale. So, I mean, when you think about making the process of opening an account more difficult, as a bad guy, you sit there and go, OK, well, this is how they've done it. So I'm going to automate this. And I'm also going to have a bunch of scripts that just generate some synthetic identities, and I'm going to try to overwhelm this system. And one of them will work, and one of them will stick. 

Dave Bittner: Right. 

Joe Carrigan: Or maybe they're not synthetic identities. Maybe I have a database of actual stolen information from people so that the information is more - or the attempts are more likely to stick to work. And then I'll have some accounts through which I can launder some money. 

Dave Bittner: You know it - every time I go to some place and I would say, mostly - what I'm thinking of are medical establishments... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Where they say, can I have your driver's license and your insurance card? And I hand them over. And what's the first thing they do? 

Joe Carrigan: Scan them. 

Dave Bittner: They put them in a scanner. 

Joe Carrigan: Right. 

Dave Bittner: And it just - it makes me go, ugh, a little bit. 

Joe Carrigan: Right. 

Dave Bittner: But, you know, I... 

Joe Carrigan: That happened to me very recently. 

Dave Bittner: Yeah. 

Joe Carrigan: I can't remember where it was. 

Dave Bittner: Yeah. Yeah. 

Joe Carrigan: You know, for the individual, think about who you give your identity to, just like you were just talking about. 

Dave Bittner: Right. 

Joe Carrigan: Do I - yeah. I have not given my Social Security number to a medical provider in probably 20 years. 

Dave Bittner: OK. 

Joe Carrigan: They've asked for it, and I've refused. And I said, you know, if that's a deal-breaker, we can not do business, and I can make a phone call... 

Dave Bittner: Right. 

Joe Carrigan: ...Because you're not supposed to ask me for that if I refuse to give it to you. And the reason I've never given it away is because I've always been afraid that they're going to get targeted in some data breach. 

Dave Bittner: Yeah. 

Joe Carrigan: And then somebody's going to have all the information they need to do whatever they want with you, you know, from an identity theft standpoint. 

Dave Bittner: Yeah. 

Joe Carrigan: Fintech needs to think - financial institutions need to think three moves ahead. I think that's a very good suggestion here from Martin, that you really need to be doing your threat modeling and understanding - thinking like a bad guy. You know, you're not a bad guy because you think about how to exploit a system. You're a bad guy when you start exploiting the system and committing fraud. 

Dave Bittner: Yeah. 

Joe Carrigan: So just thinking about how the system could be exploited doesn't make you bad. 

Dave Bittner: Sure. 

Joe Carrigan: Threat model. 

Dave Bittner: Yeah. All right. Well, interesting stuff for sure. And again, our thanks to Martin Rehak for joining us. He is the CEO and founder at Resistant AI. We do appreciate him taking the time for us. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.