Hacking Humans 5.25.23
Ep 244 | 5.25.23

Bringing in the human side of scamming.

Transcript

Nick Percoco: And once they've maybe scammed enough people, you know, collected enough funds, they just basically pull the rip cord and, you know, the domain, the site, everything just disappears.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast where each week we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from Harbor Labs and the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, Nick Percoco who is CSO at Kraken joins us to talk about crypto scams. All right, Joe, before we jump into our stories this week, we have a good bit of follow up here. You want to kick things off for us?

Joe Carrigan: Sure. I want to give an update on my son. His bank refunded him the entire amount of money that was stolen from his account.

Dave Bittner: Oh. Excellent.

Joe Carrigan: So I asked if he got a picture, if they sent him a picture, of the person that took it from the ATM. He says, "I don't want to see that." I'm like, "I want to see it." But he did not get a picture.

Dave Bittner: Okay.

Joe Carrigan: So if the listeners were sitting out there going, "Whatever happened to Joe's son?" He's been made whole.

Dave Bittner: That's good.

Joe Carrigan: It is. It is. Sean writes in to say, "Thank you for putting together this great podcast. I listen to every episode, and have told all of my friends about it."

Dave Bittner: That's very nice.

Joe Carrigan: Everybody should do that. As you both often talk, many people do not like talking about falling for scams because they feel stupid and embarrassed. I am interested in seeing if the increased sophistication of AI scams will increase the number of people willing to talk about being scammed. If AI scams become so effective, people may not be embarrassed for falling for them. I can see a thought process along the lines of, "Computers can beat world chess masters, solve the greatest questions in the universe, and do all of it faster than ever. Of course they can make something that anyone would fall for." I think this is a good point.

Dave Bittner: Yeah. I think so. And one thing this reminded me of was how large organizations when they're faced with some kind of security breach, they'll usually say in the press release, "This was a sophisticated nation state actor. There's not much we could have done." You know, so you sort of call on this, I don't know, higher technical power that mere mortals could not possibly defend against.

Joe Carrigan: Right. And it might be the case that does increase the people reporting these incidences.

Dave Bittner: Yeah. I -- and I think it would -- something that people just need to really work on is removing the shame from it. And I think, as we talked about here --

Joe Carrigan: A bigger issue.

Dave Bittner: Yeah, but -- but, as we talked about here, I think you can kind of pre-load that with your friends and family by reminding them that there's no shame in this. You know, if I think about, you know, if -- we talk about my elderly father regularly, and I have said to him, "There is no shame if anything like this happens to you. Don't be embarrassed. I want to know. I need to know. That's the best way we can help you." So planting that seed, I think, is really important and will help spread the word.

Joe Carrigan: I would agree.

Dave Bittner: Yeah. We had a listener write in who asked to be anonymous. They said, "Hi, Dave and Joe. I thought our experience with corporate ID theft might be appropriate for your podcast. Someone or some group uses our company name and address to promote business lending. Prospective borrowers find our corporate number in Google searches to verify it's legitimate, and I've been receiving around one to two calls a week for months. They've created a fake account on LinkedIn. A few of the callers say they're using a Gmail account. Their loan was quickly approved. And they were asked to wire $2,200 to cover fees to an account in New York. Another person, a real estate broker, said the scammer is active on a Facebook forum for real estate agents, and promoting hard money loans. She'd seen the fake account on LinkedIn where he has a post for loans. Our company is involved in finance, but we're not a lender. I suppose the LinkedIn account enables the ability to message that guy. Our company is, in fact, being sued by one of the victims of this scam."

Joe Carrigan: Which is amazing to me.

Dave Bittner: Yeah. The listener writes and says, "I submitted a fake account report to LinkedIn a while ago, but nothing happened. Then a few weeks ago I learned about a potential better way to get LinkedIn's attention by emailing them at abuse@linkedin.com. I sent attachments including non-public information verifying that we're the owners, and received written responses from a senior consultant, LinkedIn member safety and recovery. At this time the fake account is still present." And then there's an update that says the account has been taken down now. "Our case seems straightforward and easy for LinkedIn staff to investigate and determine the merit of our report. Seems to show a lack of responsibility and concern for public safety among major platforms." Yeah. Yeah.

Joe Carrigan: That's right.

Dave Bittner: I -- I will say it. I've said it before, and I'll say it again that it's maddening how many times we've said here that if you can't do something at scale, then perhaps you shouldn't do that thing.

Joe Carrigan: Correct. I agree with that 100%.

Dave Bittner: Yeah. And I say perhaps more regulation is -- or is in order. And I'll use the analogy of someone saying, "I'm sorry, but in order to turn a profit there's simply no way we can operate at scale without dumping our toxic waste in that river."

Joe Carrigan: Right?

Dave Bittner: Right? I mean we wouldn't -- we would not stand for that. We do not stand for that. So why do we stand for that in the tech world? Why do we free them of the responsibility for oversight and, you know, keeping members safe when in other environments we wouldn't stand for that? It's somehow we give big tech companies a pass.

Joe Carrigan: Yeah. I don't get that. The -- there is -- this is something that LinkedIn is culpable for in some way. You know, the fact that this company is being sued by a person who was scammed presumably on LinkedIn, the very first thing I would do if I were the listener's business is talk to my insurance company, my liability insurance company, and say, "Hey, they found this on LinkedIn." And have them talk to LinkedIn about -- about suing them.

Dave Bittner: Right.

Joe Carrigan: Because they didn't take the appropriate action to do that. I mean I don't know. Insurance companies tend to scare. They have a lot of lawyers. Right?

Dave Bittner: Yeah. I mean this would be a good question for our friendly neighborhood lawyer Ben Yelin, my co-host on "Caveat" which is, you know, does a platform like LinkedIn -- are they hiding behind Section 230 of the Communications Decency Act? I suspect that's part of it. That's part of what gives them a pass on things like that. They can raise their hands and say -- or throw their hands up and say, "We're merely the platform."

Joe Carrigan: Right. Yeah.

Dave Bittner: Right? So perhaps there's some regulatory reform would be appropriate in that area as well. And the flip side of this, of course, is that these organizations would not be able to provide these things or may not be able to provide these things for free or for the low prices they do at scale if they had to hire the people that would be necessary to do proper oversight. And again I say, "Too bad."

Joe Carrigan: Right?

Dave Bittner: You know, like your -- that means your business model is flawed.

Joe Carrigan: It means that your users are your product, and you really don't care what happens to them.

Dave Bittner: Right.

Joe Carrigan: Is what it is.

Dave Bittner: Yeah. Yeah. That's a good way -- it's a good way to phrase it. Well, thanks to everybody for writing in your thoughts here. We do appreciate it, of course. And our email address is hackinghumans@thecyberwire.com. We'd love to hear from you. Let's jump into our stories here. Joe, you want to kick things off for us?

Joe Carrigan: I do. My story comes from Maru Data, and they have a posting on their website that I saw on LinkedIn and unfortunately I can't remember who put it on LinkedIn, but it's a pretty good post. And it's called "A Guide to Dark Patterns: Terms and Examples From the CCPA and the CPA." Now that's the California Consumer Protection Act and the Colorado Privacy Act.

Dave Bittner: Okay.

Joe Carrigan: So these are two laws that have gone -- that the California law has gone into effect. The Colorado law goes into effect this summer on July 1st, I believe.

Dave Bittner: Okay.

Joe Carrigan: And these guys are talking about how you're liable in dark patterns, for dark patterns. Now it's very interesting. We've talked about dark patterns on here before, but this article cites two FTC artifacts, the first one being a report titled "Bringing Dark Patterns to Light" where they actually define what dark patterns are.

Dave Bittner: Okay.

Joe Carrigan: And it's a really good explanation of dark patterns in a formalized manner. It says, "Dark patterns, coined in 2010 by user design specialist Harry Brignull, the term dark patterns has been used to describe design practices that trick or manipulate users into making choices they would not have otherwise made and may cause them harm." I'm going to read that last part again. I have it bolded here. "Trick or manipulate users into making choices they would not otherwise have made, and may cause them harm." Does that sound like anything to you? It's social engineering in a -- in software is what it is. So the report or this article goes on to quote Samuel Levine who's the director of the FTC's Bureau of Consumer Protection. And he says, "This report and our cases send a clear message that these traps will not be tolerated." And there are a number of cases cited in this article about fines that have been levied. For example, the half a billion dollar fine that was put on Epic Games for their Fortnite dark patterns, a 5 million euro and 60 million euro fine respectively imposed on TikTok and Facebook for their -- their dark patterns. And that was imposed by the French government. But this -- this article goes on to talk about the definitions within these two laws, and in the California law there's a number of things that they say. Number one. Easy to understand language should be used. It should be simple and easy to comprehend.

Dave Bittner: Okay. Sure.

Joe Carrigan: Number two. And this one's really big. Symmetry and choice. And if you look at the article, we'll put the link in the show notes to both the article and the FTC page, if you look at the article, it contains the law, the language in the law. I'm not going to go around reading it because I'm not -- I just don't think it's helpful. But you -- if you think it would be, take a look at it. It should be easy and quick to exercise more privacy and protection as it is to exercise less privacy protection.

Dave Bittner: Oh. Okay.

Joe Carrigan: Right? That's the symmetry of choice piece.

Dave Bittner: Yeah. I'm just thinking about how hard it is to find the little tiny X in a pop up menu, pop up ad.

Joe Carrigan: That's a great example.

Dave Bittner: Especially on a mobile device, you know, where you're --

Joe Carrigan: I have looked all over for those things.

Dave Bittner: Your big fat fingers trying to find the little tiny X. And invariably you end up clicking through to the ad that you were just trying to ignore.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: Yeah. You get the impression, and they get the money.

Dave Bittner: Yep. Yeah.

Joe Carrigan: Confusing language should be avoided. Customers' choices should be clearly provided, and double negatives should not be used.

Dave Bittner: Right [laughs] right. If you don't not want to consider -- continue getting this subscription --

Joe Carrigan: Right. And there's even -- by the way, I was mistaken. These comments are not from the law. These are just comments that are written down underneath. And the next one, number four here, is the design architecture should not impair a customer's ability to make choices. Consent should be given freely and specific. Freely given, specific, uninformed, and unambiguous, that's the way it should be. It should be easy to execute. This is the fifth point. And that refers to the process to submit a CCPA request that might be -- it should be straightforward. I think last week we were talking to -- or maybe it was two weeks ago. We were talking to our guest who was talking about the hoops somebody had to jump through --

Dave Bittner: Yeah.

Joe Carrigan: To remove their -- remove their data.

Dave Bittner: Right.

Joe Carrigan: And that company got slapped with a big fine.

Dave Bittner: Yeah.

Joe Carrigan: And I said, "Good."

Dave Bittner: Well, and remember that just reminds me of I want to say it was one of the big newspapers. It was either the "New York Times" or the "Washington Post" who were making it incredibly difficult to cancel your subscription to the paper. Like you could sign up for a subscription online, but in order to cancel your subscription you had to call.

Joe Carrigan: Yeah. I know the "Wall Street Journal" is like that.

Dave Bittner: And I'm pretty -- my -- it was a vague recollection, but I think the FTC called foul on that and said you can't have different mechanisms for joining something and leaving something. It can't be significantly more burdensome to try to cancel your subscription than it is to join.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: I think that's a good piece of regulation.

Dave Bittner: Yeah.

Joe Carrigan: The point of this article here that says, "Using dark patterns or practices, as stated above, to obtain consent is not considered as consent. Obtaining consent using dark patterns can be considered as having never obtained customer consent." Which is great. It also goes on to talk about the Colorado Protection Act which has a lot of the same provisions in the -- in the -- as the California law does. One of the things that they add to the Colorado law is to avoid pre-selected options. Right? So when you say, "I submit all my data," you can't agree and you can't have the pre-selected option of go ahead and take everything and --

Dave Bittner: Oh. Yeah. Yeah.

Joe Carrigan: I'm going to sell my first kid to you.

Dave Bittner: Right. Right. Yeah. I remember. I used to see this a lot with, you know, "Sign me up for your newsletter." That would be pre-clicked.

Joe Carrigan: Yeah. Yeah. And that shouldn't be the case.

Dave Bittner: Right.

Joe Carrigan: So it's a good article posted on Maru Data site. I like it. I like it a lot. We talk about dark patterns here. These things are social engineering in software form. That's all it is. And users need to be aware of it or listeners need to be aware of it. And I'm glad that there's some regulation coming out about these.

Dave Bittner: Yeah. I agree. I can't help wondering if somehow or some time we're going to get to the point where the actual EULA, you know the end user license agreement, somehow gets --

Joe Carrigan: In English?

Dave Bittner: Well, yeah. Right. I mean can anybody argue that we don't need -- now I'm using double negatives. I think we need EULA reform.

Joe Carrigan: Right [laughs].

Dave Bittner: So because they just hide so much in all the legalese, and nobody -- everyone -- it's -- it's a standard trope now that nobody can read, and of course nobody can read it. And no one --

Joe Carrigan: Well, that's the purpose of it, Dave.

Dave Bittner: Exactly. Exactly. And so what I think is interesting in these laws is that they're saying that your communications have to be reasonable and clearly understandable. And I would argue that modern EULAs are the opposite of that.

Joe Carrigan: I would agree with you 100%.

Dave Bittner: Right. So how does that play out as the states are making these regulations? Could someone make an argument that agreeing to the EULA doesn't mean anything because a EULA is basically one big giant dark pattern?

Joe Carrigan: Yeah. That's a good point. There was a -- I think it was in "Make" magazine a long time ago, an article about getting a print -- t-shirt printed up that said, "By selling me this product, you agree, and the manufacturer agrees, that all EULAs are null and void."

[ Laughter ]

And you walk into -- you walk into Best Buy with this t-shirt on and you buy some products, and then you walk out with products and you have nullified their -- you know, you could make the case that you've nullified their EULA.

Dave Bittner: Right. Your honor.

Joe Carrigan: Right. Your honor, right. I'd nullify their EULA by saying, "All you -- null and void. Right?"

Dave Bittner: It's the novelty t-shirt defense.

Joe Carrigan: There's a good question for Ben.

Dave Bittner: I'll bet you -- you know what? It's either -- well, it's probably simultaneously one of the most fun and frustrating parts of his job as a professor of law. You know, that his students come up with these wacky scenarios. What ifs. Right? Probably always that one student who just can't help themselves and --

Joe Carrigan: Yeah. If I was ever to go to his law school, that -- that's -- that would be me. That's right.

Dave Bittner: Right. Just good old edge case Joe. He's got another --

Joe Carrigan: That's what my kids call me.

Dave Bittner: Yeah. Got to -- got another edge case. Yeah. Yeah. Have you a t-shirt printed up for you that says, "Well, actually."

Joe Carrigan: Right.

Dave Bittner: All right. Well, interesting stuff. So, as always, we'll have a link to that in the show notes. My story this week comes from "Wired." This is an article written by Laura Cole and it's called "This is Catfishing on an Industrial Scale." And it really pulls back the curtain and looks behind the scenes at some of these online dating sites that are running scams. Let me describe what's going on here. So this article talks to some of the people who are working behind the scenes for these online dating sites, and these people are hired to be the person that you chat with if you sign up for one of these online dating sites. So some of these sites not only do they try to -- they give you the opportunity to connect with other people, but you can chat with other people. And evidently some of these sites charge per message for the chatting.

Joe Carrigan: I'm not clear on this. Why are people getting paid to chat with the users of a dating site?

Dave Bittner: So let's say, Joe, you want to log in and you want to -- you want to chat with somebody.

Joe Carrigan: Right.

Dave Bittner: You're lonely. You're feeling isolated. Whatever it may be. You're in a bad mood. You just want to talk to somebody. So you sign up for one of these apps and browse through a bunch of profiles, and you can find a person and say, "Oh. This looks like someone who has common interests with me. I believe I will chat with them."

Joe Carrigan: And this is a dating app?

Dave Bittner: A dating app. Yes. And so you proceed to chat with this person who you think is a real person, and you're paying per message to do so. So you sign up ahead of time. And let's just say for argument's sake you give them 100 bucks. And every message exchanged costs you 25 cents.

Joe Carrigan: Right.

Dave Bittner: Okay. And so the company makes money. The longer the conversation goes on, the more money they make. So they're highly incentivized to extend the conversations. So what this article points out is that behind the scenes --

Joe Carrigan: They're hiring people to do this.

Dave Bittner: Exactly.

Joe Carrigan: I see.

Dave Bittner: They're hiring people to role play, to pretend to be the person that you're chatting with.

Joe Carrigan: I get it now.

Dave Bittner: Yeah.

Joe Carrigan: What a great scam.

Dave Bittner: So --

Joe Carrigan: I'd like to announce the opening of Joe's dating site.

Dave Bittner: Yeah. There you go. Where you can talk to Joe or Joanne or Josephine or [laughs]. So they spoke with several of the folks who responded to ads for freelance customer support representatives. That was the job they thought they were applying for.

Joe Carrigan: Right.

Dave Bittner: And it turns out they would be on the other side of these kind of chat apps. And what the company provides them with are full made up profiles of these people. So who they are, how old they are, where they live, who their family is, where they work. Right? And these are completely fabricated.

Joe Carrigan: Synthetic personas.

Dave Bittner: Right. And so these people's job is to rotate through two minutes at a time evidently multiple people that they're chatting with. So these -- these folks who they call moderators, they are expected to send 30 messages an hour. So do the math there. Right?

Joe Carrigan: 30 messages an hour, that's -- that's like $7 an hour for the company.

Dave Bittner: Yeah. And not all of them -- you know, they pay -- this article points out that there's one of these sites the user pays 2 euros per message.

Joe Carrigan: Whoa.

Dave Bittner: Yeah.

Joe Carrigan: Okay. So that's a lot more. Now you're talking at 70 -- 70 messages an hour? Or 30 messages.

Dave Bittner: Well -- well, so the people behind the scenes are expected to send 30 messages an hour.

Joe Carrigan: They're trying to elicit the people to send much more than that.

Dave Bittner: But they're dealing with multiple people simultaneously. Right? They have multiple chat windows open that they're monitoring.

Joe Carrigan: This sounds an awful lot like a scam call center.

Dave Bittner: That's a ding, ding, ding [laughs]. That's exactly what it seems as though this is. Now the companies who are doing this, getting back to the EULA, say in their EULAs they say things like, "We may use system profiles at our discretion to communicate with users to enhance our user's entertainment experience." Right? So it's like to them they're framing it -- it's like calling a psychic, Joe. It's just entertainment.

Joe Carrigan: Yeah. It's Miss Cleo.

Dave Bittner: Right. Please don't plan your life around any of the things that we're telling you to do here. This is for entertainment purposes only.

Joe Carrigan: Now I'm more angry that you made that analogy.

Dave Bittner: I'm sorry [laughs].

Joe Carrigan: Because, I don't know, those psychic hot lines really bug me.

Dave Bittner: Sure.

Joe Carrigan: You know, because people -- you know, it -- I don't -- I don't know. Penn and Teller had a great episode on psychics, and one of the things that sent Penn Jillette into a rage was when a woman -- everything was fine and dandy up until the woman said, "I need to know if my daughter's going to be okay. She's been diagnosed with something, some sickness."

Dave Bittner: Right.

Joe Carrigan: The psychic said, "Oh, the spirits are telling me that she's going to be fine."

Dave Bittner: Yeah.

Joe Carrigan: And that enraged Penn, and it enrages me. Right? Because now you've gone beyond the entertainment value. Now you're giving somebody false hope about -- or hope about something you know nothing about.

Dave Bittner: And something very specific.

Joe Carrigan: And something very specific. Exactly.

Dave Bittner: It's one thing I think to entertain someone by saying, "Oh, it looks like you're going to be lucky in love." Something broad and general and, you know -- although I still have a problem with it, but that -- yes. That doesn't raise my hackles as much as, "Will my loved one live or die?"

Joe Carrigan: Right. Yeah. Or psychic surgery. Those kind of things.

Dave Bittner: So getting back to this, one of the agents they interviewed said that when they came to their chat interface they received a new message one morning and it said, "Please stop talking to my husband. He is spending money we do not have to talk to you." And of course they had to pay for that chat.

Joe Carrigan: Yeah. 2 euros.

Dave Bittner: Right. And so these, air quotes, "relationships" can go on for years. They talk about people who claim that they've fallen in love. Not surprising, people who have proposed marriage. So the question is, is this just for entertainment purposes? Are these companies off the hook for -- if they say in their EULA --

Joe Carrigan: Right.

Dave Bittner: Right? We're not -- we're not responsible for the pain and suffering our service may cause you. All pain and suffering is purely the responsibility of the person who's paying for the pain and suffering.

Joe Carrigan: Yeah. I don't -- this is -- first off, this is -- I think the -- when I see a lot of headlines I get, you know, they're often written by editors. This is an accurate headline. This says "Catfishing at an Industrial Scale." That's what's going on.

Dave Bittner: Right.

Joe Carrigan: And they're making tons of money doing this. Definitely unethical. And you hide the little statement in the EULA that nobody reads we've said 100 times on this show today and 1,000 times before. It's infuriating, Dave. What do people do to protect themselves against this? I mean is -- are companies like -- companies like Match.com are not doing this, and eHarmony, all the big ones. Right?

Dave Bittner: Yeah.

Joe Carrigan: They're not doing this.

Dave Bittner: Let me throw -- let me throw a little bit of a kicker at you here. So the final paragraph in this article says -- this is one of the chat people who work for the company talks about how someone they were talking to was sharing their heaviest emotional concerns and says one was talking about suicide and how the fake woman had saved him from it now that he had found love.

Joe Carrigan: Oh, my God.

Dave Bittner: So love. So but -- so let's unpack this. So the love is not real.

Joe Carrigan: Right.

Dave Bittner: But this person is claiming or expressing that were it not for this conversation, they may have ended their life.

Joe Carrigan: Yeah.

Dave Bittner: So is this a good thing?

Joe Carrigan: I don't know. I mean yes. It's a good thing the person did not kill themselves.

Dave Bittner: Yeah.

Joe Carrigan: That's good.

Dave Bittner: Right.

Joe Carrigan: That's a good outcome.

Dave Bittner: Right.

Joe Carrigan: But what happens when this guy finds out he's been played?

Dave Bittner: Right.

Joe Carrigan: Right?

Dave Bittner: Yeah. Exactly. What's the rebound from that?

Joe Carrigan: Yeah. I mean the first thing I'd do if I'm that -- if I'm that caller and I had -- well, first off, I would hope that I would never do this. But if I'm the catfisher on the other end, the first thing I'd do is go, "Look, man. We need to get you some help here. That needs to happen."

Dave Bittner: That's delightfully ethical of you, Joe.

Joe Carrigan: Right. Delightfully ethical of me. I don't know that I'd tell him it's all a scam at that point in time because now I have -- now I'm in a conundrum. Now I'm in a dilemma. Right?

Dave Bittner: Sure.

Joe Carrigan: I've scammed this guy into thinking that we have a relationship, but I've also saved him from ending his own life. But now I have to do something to make that okay.

Dave Bittner: Yeah.

Joe Carrigan: Right? Because I can't just go, "Joke's on you." Right? Because there's a good chance that will end up with the outcome that I think I may have prevented.

Dave Bittner: Right.

Joe Carrigan: You know?

Dave Bittner: Yeah. And so is there an ethical responsibility to pull back the curtain at some point?

Joe Carrigan: The ethical responsibility to pull back the curtain is at the beginning of the conversation, but they're not doing that.

Dave Bittner: Yeah. So if -- let's say there was a company that did this completely on the up and up and just said, "Hey, this is all fantasy. These people are not real, but this is what you're going to get. You're going to pay for talking to people who pretend to be exactly the person that you're looking for, and that's what we're doing here." Like that I wouldn't have a problem with.

Joe Carrigan: That's coming, though, Dave. And that's going to be powered by these generative chat programs.

Dave Bittner: I agree. I agree.

Joe Carrigan: In fact, I've already seen years ago -- a couple years ago my wife and I were watching I think -- I don't know if it was a Netflix documentary or some other show, but they were talking about people who had their best friends were AI language models.

Dave Bittner: Yes.

Joe Carrigan: And --

Dave Bittner: Yes.

Joe Carrigan: They were saying their best friends were AI language models.

Dave Bittner: Well, remember this is years ago. We talked about there was a mother who was describing how her child who had some --

Joe Carrigan: He was autistic.

Dave Bittner: Yeah. He had -- and he had some pretty, you know, severe learning disabilities or abilities to interact with other people.

Joe Carrigan: And this was the Siri story. Right?

Dave Bittner: Correct. And so Siri had become a great resource for this young person because Siri had endless patience and was willing to interact and answer all of their questions.

Joe Carrigan: There are definite use cases for that that are beneficial like that Siri case. And I would imagine that generative models will be great for kids and adults like this, like this kid in the story.

Dave Bittner: Yeah.

Joe Carrigan: And there are a lot of them out there. You know, I haven't involved myself with any of these generative chat bots yet. I don't know why I haven't, but I just haven't.

Dave Bittner: Okay.

Joe Carrigan: I haven't taken the time to sit down and talk to one of them.

Dave Bittner: Yeah.

Joe Carrigan: But I could absolutely see if there was a speech interface to one of these things that that would be a real beneficial use case for maybe not just people with social disorders or autism or something like that. Maybe just general use. But the point is that has to be done up front. It has to be -- it has to be ethical. It has to -- the ethics require that that has to be. You have to know that. You have to know that going in. What these companies are doing is I would say goes beyond unethical and goes into immoral. This is wrong. They shouldn't be doing this.

Dave Bittner: Yeah.

Joe Carrigan: And now they're finding themselves into -- into situations like the one we talked about with the guy who is -- who has been talked out of killing himself by somebody. And now they've created a dilemma because of their -- their failings on this scale.

Dave Bittner: Yeah. And I wonder too like, you know, from your story, could this sort of thing run afoul of regulations in California, regulations in Colorado? It may.

Joe Carrigan: That's an excellent question. That is -- that is an excellent question. That would be a good question to ask a lawyer in California or Colorado because I think your statement earlier about EULAs essentially just being nothing more than a huge linguistic dark pattern, right, I think that's valid. I've seen a couple of companies who have had -- who have straightforward plain English EULAs. Like they had the legalese and above it in bold they say, "Here's what it says." I've only seen like one or two of those. Not a lot of people are doing that.

Dave Bittner: So yeah. You're a home owner.

Joe Carrigan: I am.

Dave Bittner: As am I.

Joe Carrigan: Yep.

Dave Bittner: Remember settlement day?

Joe Carrigan: Oh God. I've refinanced twice, Dave.

Dave Bittner: Right. So how does this extend to that? Right? I mean you -- there are situations in our lives, I'd say buying a car is another one, where you -- placed in front of you are pages and pages and pages of legalese that mere mortals cannot be expected to understand.

Joe Carrigan: Do you remember who you talked to when you were signing these documents at the purchase of your home?

Dave Bittner: Right. Well, yeah.

Joe Carrigan: It was a title company with an attorney.

Dave Bittner: Right.

Joe Carrigan: And they were explaining to you what you're doing.

Dave Bittner: Yes.

Joe Carrigan: And hopefully you have another representative in a Realtor that is a buyer's agent representing your interests and not the seller's interest.

Dave Bittner: Yeah. I was fortunate enough because my father before he retired was in fact a Realtor.

Joe Carrigan: I spent time as a Realtor as well.

Dave Bittner: And so when we -- I specifically remember on the first home my wife and I settled on we're sitting at the settlement table and the settlement officer would explain, "This is what you're signing. This is what this means. This is what this is for." I would look over at my father and my father would nod and then I'd sign.

[ Laughter ]

But you're right. You got to have people in their corner. And, you know, as Ben and other lawyers joke, you know, everybody hates lawyers until they need one.

Joe Carrigan: Right. Yeah.

Dave Bittner: So.

Joe Carrigan: We've recently had to engage the services of a lawyer in our house, and even still I don't like them.

Dave Bittner: Fair enough.

Joe Carrigan: I like Ben, though. Ben's great.

Dave Bittner: Right. Okay. Ben's the exception.

Joe Carrigan: No. Actually I have -- I have friends that are lawyers, and I like them. I try not to talk legal questions, but I have. I have pestered Ben on the weekends in the past.

Dave Bittner: Nice. Nice. All right. Well, again this article is from "Wired" written by Laura Cole. It's titled "This is Catfishing on an Industrial Scale." Interesting read. Worth your time. We'll have a link to that in the show notes. Joe, it's time to move on to our catch of the day.

[ Soundbite of reeling in fishing line ]

Joe Carrigan: Dave, our catch of the day comes from Gareth who writes, "Hi, Dave and Joe. Long time listener. Never miss an episode." That's great, Gareth. "An interesting fish arrived in my junk. At least it didn't land in my actual inbox." Dave, this one's pretty good.

Dave Bittner: All right. It says [laughs] the subject is "Hello. Your kind attention." And then it starts off and it says, "Hello. Your kind attention. My name is Morgan Adamski from Internet Fraud Intelligence National Security Agency. We are commissioned to eradicate all incidents of criminal activities that is associated with internet cyber fraud against their victims. We partner with other crime control security agencies, international law enforcement agencies such as the International Monetary Agency, Central Intelligence Agency, the FBI, and the U.S secret service to share intelligence and coordinate action. An ongoing investigation led to the reason you are being contacted, and we do appreciate your time going through this important notification and information. Some imposters are currently under investigation and interrogation in our custody for internet fraud related charges, especially cases of demand of fees repeatedly from their prey. However your email happened to be on their list as a target. To enable us gather more evidence before swinging into action," like Spider Man, "I need to ask you some couple of questions, if you don't mind. One. Have you at any point in time been scammed? Option A. Yes. B. No answer. Two. Did you ever file complaint to any authority? Option A. Yes. B. No answer." Joe, this feels like a note you would pass in middle school class. Like do you love me, A yes, B no.

Joe Carrigan: Check yes or no.

Dave Bittner: Will you be my friend? "Three. What is the average amount you were scammed? Option A, 5 to $10,000, B, 10 to $50,000, C, 50 to $150,000, D, 150,000 and above, E, none answer. Four. How were you scammed? Option A. Romance scam. B. Business email compromise. C. Business proposal, inheritance, beneficiary, lottery. D. None answer. If you are asked or you're presently asked to send fees continuously --" It says fest. They misspelled fees. "If you were asked or you're presently asked to send fest continuously, kindly forward to us the email correspondence and documents for which those demands for fees was stated. We are here to dismiss any form of unofficial administrative fees imposed on beneficiary to deny them of civil right of possession. Thank you for your cooperation as we await your earliest response. Morgan Adamski assistant director of internet fraud intelligence, National Security Agency."

Joe Carrigan: So Gareth notes that this looks like it might be looking for people who were previously scammed to do some follow on scams.

Dave Bittner: Right. Exactly.

Joe Carrigan: That's exactly what this is.

Dave Bittner: So you were scammed for 150 grand? Oh. We're going to follow up with you.

Joe Carrigan: Right. Oh. It's payday.

Dave Bittner: Right. It's like pre-qualifying the folks that you're going to scam.

Joe Carrigan: That is exactly what they're doing here.

Dave Bittner: Yeah.

Joe Carrigan: It's laughable to us because, Dave, we live very close to the National Security Agency headquarters.

Dave Bittner: Yes. I would say in the shadow of the National Security .

Joe Carrigan: Well, the whole -- I'm not going to say it [laughs]. The Internet Fraud Intelligence National Security Agency, I don't know that that exists.

Dave Bittner: I don't think it does.

Joe Carrigan: My favorite thing is they say the IMF which is the International Monetary Agency.

Dave Bittner: Right.

Joe Carrigan: Not -- the IMF is International Monetary Fund. They are a lending organization. They do not do law enforcement.

Dave Bittner: Correct.

Joe Carrigan: They talk about international law enforcement agencies of which the Central Intelligence and the FBI are -- I guess they do say and the U.S, but those are not internet -- so many things in here that just stick out as red flags. The unfortunate part is somebody does fall for this. Somebody does go, "Hey, these guys are here to help me." And what's going to happen is they're going to get scammed out of more.

Dave Bittner: Yeah. No. It's sad.

Joe Carrigan: It is.

Dave Bittner: All right. Well, thanks to Gareth for sending that in. Again we would love to hear from you. Our email address is hackinghumans@thecyberwire.com. Joe, I recently had the pleasure of chatting with Nick Percoco. He is the CEO at Kraken. And we're talking about crypto scams. Here's our conversation.

Nick Percoco: So I think when I'm here and I think about crypto scams I don't think of them as very much different than your traditional scams, but they happen to just use cryptocurrency rather than other things of value. But in general what typically happens is that you have a victim or a, you know, regular person who has some interest in either increasing their net worth, right -- they have -- they want to increase the amount of money that they have in their pocket. And they're very eager to. And they somehow get introduced via dozens and dozens of different ways to someone out there that's willing to try to help them do that, but in a way that will eventually steal all of their money or all of the money that they've put into this, into this situation. So -- so that's like the basic premise around it. Like a real world example would be an investment website that looks very well designed, very well put together. It doesn't look like it's got some issues. There's no typos everywhere. It looks completely legit and it might be called, you know, Next Century Crypto Capital dot com or something. Just making up some name. Right? It might be called -- and it looks legit. It has a legit executive team that, you know, at least to the victim looks very legit. You know, photos, maybe even LinkedIn profiles. And -- and it asks the victim to create an account with them. And when they create an account with them, it then asks them to create accounts with other places, like other financial institutions like a cryptocurrency exchange. Like Kraken. And the victim goes and legitimately creates an account with us. You know, verifies their account, connects their account to their bank account, and funds it with, you know, 5,000, 10,000, $50,000. And then is convinced by this investment company to either buy some cryptocurrency -- so purchase some Bitcoin or Ethereum or Monero or something.
And go and then send it to this investment company because they are now going to further invest it for them. They are going to manage it for them just like you would with any other traditional investment company. Like you go to a wealth management company and they say, "Okay. We're going to create an account for you. You now need to wire some funds from your bank account to us." And then they're going to, quote, "manage it" for you. Very, very similar. And so the victim has really no idea that this -- at this point that this is a scam. They then go and they send those funds to that investment firm. And -- and that's typically they might play them along for a little bit, but eventually maybe that investment firm just disappears off the face of the Earth. Like the website just disappears. And once they've maybe scammed enough people and, you know, collected enough funds, they just basically pull the rip cord and, you know, the domain, the site, everything just disappears. And now you have -- you have people who have invested in this company using cryptocurrency, but they could have, you know, wired these funds to them or they could have, you know, PayPaled the funds to them. You know, traditional funds to them. But it happens these, they use cryptocurrency because they're promising those victims a very large return. Like something that maybe would seem unbelievable when you're dealing with, you know, U.S dollars, they're telling them that they're going to 200X or 300X their money. But in crypto people have seen that. Right? People have seen that they've -- some people have bought -- or bought multiple $5,000 worth of a crypto asset, and it has gone up 5 times, 10 times, 100 times over the course of time. And so -- so the victims play along with that. You know, they think they're going to get this massive return and instead they get -- they lose their investment.

Dave Bittner: I hesitate to use the term because I don't want it to sound disparaging, but are they taking advantage of unsophisticated or inexperienced investors?

Nick Percoco: All the time. Yeah. I mean that's -- that's who they prey on. I would say these are not experienced investors. These are not people who have maybe, you know, a very large portfolio of assets that they manage and they do a lot of research before they invest into. It's not that population. From what we see in our world, it's -- it's in general people who are, you know, like over 55 years old who fall victim to this. In general. I would say there's a whole spectrum of victims. Right? From probably very young to very old. But I would say, you know, if you were to throw a heat map up there, the heat map would probably be in the 55 and older category. And so potentially those individuals have a small nest egg. Right? That they've saved for a very long time. And now they see a promise of, you know, 20Xing their money through this investment company that they just found via a Google search or a friend who's also a victim of the same investment company said -- you know, told them, "Hey, you should send your money to this person because they're going to 20X my money." Right? It's one of those things.

Dave Bittner: Now from your point of view, you and your colleagues there at Kraken, what sort of visibility do you have into this sort of thing?

Nick Percoco: In many cases we hear about these scams in many cases after the fact because from our point of view, if you think of -- you're going to any traditional financial firm. Right? Like or even a cryptocurrency exchange like us. You know, you're going through a process of opening an account. Pick a username. You have a password. You fill in your identifiable information, your KYC. You provide your identity documentation. You know you KYC your account. It goes through an approval process. And then now you have an activated account. And then you legitimately go and you connect it to your bank account and you start, you know, buying cryptocurrency. That type of activity looks exactly the same thousands of times a day within our client base. And it's typically not until after the fact that we hear, "Hey, you know, I sent my -- I bought some Bitcoin and then I sent all of that Bitcoin to this other person out there." And then they disappear. And so we will hear about that. We do track when those types of things happen, and we also, you know, communicate with other -- other people in the industry to identify other things that are out there before we learn about them on our platform so we can proactively do things like, you know, flag scammer, you know, cryptocurrency addresses so that we can intercept when those funds are going to that scammer and put a hold on them. And so that we can do an investigation, reach out to that person. Why are you sending, you know -- why did you create an account, you know, last week, fund it with $50,000, buy $50,000 worth of Bitcoin, and now we're immediately sending it to an address that we've heard through, you know, our intelligence and have seen is linked to scammers? Do you know the people you're sending this to? Do you know the -- do you know the organization? How much research did you do on this organization? And oftentimes we're able to intercept that and stop a victim from being scammed.

Dave Bittner: That's great to hear. I did not know that there was that sort of, you know, oversight to help assist your customers. You know, you hear about things, you know, like we hear about gift card scams and it seems as though, you know, the drugstores, the grocery stores, you know they've done things even as simple as putting up signage and things at the checkouts and educating their cashiers to try to get in the middle of these sorts of things. So it's heartening to hear that in the exchange world that you all are coming at this as well.

Nick Percoco: Yeah. We do a great deal of education. We have a lot of information about these things on our support center. We also do videos for our clients about, you know, how to look out for scams. And then we have, you know -- we have a whole team internally, you know, looks for things like fraud, account takeovers, and scams on our exchange. And intercepts that.

Dave Bittner: Once the cryptocurrency is gone, is it gone? Is there any ability to claw it back?

Nick Percoco: Depending on where it goes. Now I would say majority of the time it's gone. Right? Like that's the nature of crypto. Right? That's the nature of -- think of the ease of use and sort of the whole premise around Bitcoin is that it's permissionless. You don't have to go through a third party to be able to send it between two parties. And you can't claw it back. So I couldn't send you a Bitcoin, get a product from you, and then decide, you know, I'm going to do a charge back on the Bitcoin I sent you. I can't do that to you as an exchange, you know, of value there. But, that being said, some scammers -- you know, there's different levels of sophistication. If a scammer is giving the victim an address that is -- it is tied to like a hardware wallet or a software wallet that is not part of any sort of centralized exchange, then it's probably gone. But that address if it's a significant amount of funds, you know -- that address will get it flagged by us, potentially by other exchanges that -- so that if funds ever come in to the exchange from that address, from that wallet, that those funds will get flagged and held. And so -- so this does happen from time to time where a victim will have their funds. You know the funds will get sent to some, you know, attacker's wallet. The attacker, you know, will record that wallet address in our systems. That same attacker will maybe have a Kraken account. And they'll send the funds to Kraken again. You know, at that point it's not a good thing from an attacker's perspective, and it's a good day for the victim. Now it also could be that the funds, you know, go directly to another exchange. In that case, we will reach out to the other exchange and say, "Hey, we have a victim here that sent by Bitcoin to your exchange to this wallet address." And it doesn't happen all the time. Right? Like sometimes it's the world of crypto moves much faster than humans can in many cases. 
So but it has happened where the other exchange has said, "Hey, we see them. We're holding the funds." And then we can -- then the victim -- they don't just send the funds back immediately. Right? That's not really what happens. But then the victim can open up a law enforcement case and, you know, eventually get their funds back. Right?

Dave Bittner: Yeah. In terms of education, you know, the message to spread for our audience just in terms of awareness, the red flags that are out there, any words of wisdom there?

Nick Percoco: Yeah. I mean in general if the -- if the opportunity seems too good to be true, it usually is I think in every situation. Right? In any sort of scam. The other piece is if the scammer is asking you to -- or not scammer. If the company you're dealing with or the people you're dealing with are asking you for things like, "Create an account on this exchange and then give us the username and password. We're going to manage it for you." That's definitely a red flag. So it's if they're providing you with any sort of sense of urgency, like you need to do it by Friday, you're going to lose out on this deal, right, you know, this fund's going to close if you don't get it in by -- if they're giving you that type of message as well, it's usually some red flags that they can trigger. So it's a lot of -- and the other piece is you just need to be very careful because these investment sites are, you know -- they pop up, you know. There could be a dozen a month that pop up or more. And they -- they may be by the same groups. Right? They have -- they have like a tool kit that says, "We need a new site." They type in the name of a site, and a new site gets spun up. Right? Automatically. It's not as if they spend, you know, weeks and months establishing this really great robust site. They most likely have these things automated. We've seen trends where these, you know -- one site gets taken down, and then a very similar site comes back up. New domain name, but similar look and feel.

[ Music ]

Joe, what do you think?

Joe Carrigan: You and I were talking about Kraken I think last week. Maybe it was a CyberWire segment.

Dave Bittner: Yeah. It was.

Joe Carrigan: We were talking about Kitboga, the scam baiter on YouTube.

Dave Bittner: Right.

Joe Carrigan: Which, by the way, you should check him out. He's really good. Very funny. But Kraken actually went through the process of setting him up an entirely fake interface that he used to waste scammers' time.

Dave Bittner: Right.

Joe Carrigan: It was great. Crypto scams are the same as regular scams. That's one of the -- one of the points that Nick makes here. And they're just using cryptocurrency which is kind of one of the things that we say. In fact, Dr Tim Leshke who is our forensic instructor at Hopkins, he -- he makes a great point when he's talking very early on in his forensic class. He says that the internet doesn't create new crimes. It just provides a new way to commit old crimes. And that's what's going on here. There's not -- there's not a lot that's new under the sun really. The internet is new, but the scams are not. They're the same old scams. We even had a couple years ago I went back and did a bunch of scams that were just old. You know, the old timey scams, you know.

Dave Bittner: Right.

Joe Carrigan: And we, you know -- and you can see the similarities between those scams and the current scams that are going on now. They're the same thing.

Dave Bittner: Yeah. They work.

Joe Carrigan: The workflow that Nick describes is pretty interesting for how these scammers work. First off, they create -- they create a fake website for some kind of crypto exchange or something. And then once they hook a victim, they -- the victim creates an account on the fake site. Then they go create a legitimate account with a legit exchange like Kraken. Kraken's a real crypto exchange.

Dave Bittner: Right.

Joe Carrigan: They could also use like Coinbase or some other real cryptocurrency exchange out there.

Dave Bittner: Yeah.

Joe Carrigan: Then they link some bank account to that legit account because when you open an account with Kraken or with Coinbase or anybody you have to fund that account somehow. Now you can fund it with cryptocurrency that you already have, but if you don't have any cryptocurrency you can do a bank transfer.

Dave Bittner: Right.

Joe Carrigan: And that bank transfer then can be used to buy cryptocurrency on this legitimate exchange. So you fund the -- they have you fund the legitimate account. Oh, and the other point I wanted to make is you can't -- you probably can't do that. It's probably necessary to use these legitimate exchanges because the illegitimate company is not going to go through the necessary regulatory and -- whatever the legal process is for having banks able to wire them money.

Dave Bittner: Right.

Joe Carrigan: Because then they have to disclose all their information like who they are, where they are, what their names are, probably go in and meet with somebody.

Dave Bittner: Yeah.

Joe Carrigan: Don't want to do that.

Dave Bittner: Right.

Joe Carrigan: So we -- we exploit companies like Kraken to get people to send us money. And they get them to fund the legit account, put money -- put that money into the cryptocurrency, and then send that money to the fake company. That's like a six step process to walk somebody through.

Dave Bittner: [Laughs] right. Right.

Joe Carrigan: That's a long process.

Dave Bittner: Yeah.

Joe Carrigan: And frankly I'm kind of -- I don't want to say I'm amazed it works, but it's -- it's a -- I'm observing that it's a long process.

Dave Bittner: Yeah.

Joe Carrigan: I don't know what I want to say about that beyond that.

Dave Bittner: It must be worth it or they wouldn't do it.

Joe Carrigan: Right. I'm -- oh yeah.

Dave Bittner: The return on the investment.

Joe Carrigan: I guarantee it's worth it.

Dave Bittner: Is worth it. But you're right. It's a lot of steps.

Joe Carrigan: Right. This relies on the belief that some of these scammers are going to make you rich. And I was really interested to hear. I liked what Nick said about the way they exit. You know, sometimes they start showing you, "Oh, look how much money you're making." And we've had stories on pig butchering scams where they actually send you money back. So maybe these guys are doing some of that. I don't know if they are, but eventually they just exit. They're gone.

Dave Bittner: Yeah.

Joe Carrigan: And it's interesting to see that soon after they're gone, sometimes they're back. Right? And that's -- I'm going to get into more of that in a minute. One of the things that works with crypto, cryptocurrency, rather, is that people have seen people make tons of money in cryptocurrency.

Dave Bittner: Right.

Joe Carrigan: I mean do you remember when Bitcoin was 25 cents a Bitcoin?

Dave Bittner: I mean I remember the early days of it. I can't say that I paid a whole lot of attention to it in the early days, but I certainly heard the stories.

Joe Carrigan: I said, "I can buy a Bitcoin for 25 cents." And I think, "Oh, I'd just be throwing away a quarter."

Dave Bittner: Right. Right.

Joe Carrigan: Stupid. But it turned out, that's stupid, but, you know, who knew back then? It was four bucks and like I should have bought something when it was a quarter. And now I'm really wishing I'd bought some when it was $600, but so people have seen this happen and they're kind of inexperienced with, A, investing, and B, cryptocurrencies. They don't understand how cryptocurrencies work which is something you should absolutely understand about every single investment you make. You should understand how it works. It doesn't matter if you're buying cryptocurrency, if you're buying, exchange for a fund, a stock, a mutual fund, a CD. Know how that works.

Dave Bittner: Yes. And I will push back a little bit on that and say that I think part of what a lot of people rely on is having a financial advisor.

Joe Carrigan: Right.

Dave Bittner: Who you pay to understand this stuff for you. And to explain it and that sort of thing. So what -- but what that relies on is that your financial advisor is a legit person who has the proper licenses and all that stuff.

Joe Carrigan: If you're going to go with a financial advisor, one of the questions you should always ask them is are they a fiduciary.

Dave Bittner: Yeah. So in this case the people think that they're dealing with someone they trust, someone who's like a financial advisor, but they're a scammer.

Joe Carrigan: That's right.

Dave Bittner: Yeah.

Joe Carrigan: And they could even -- that scammer will tell you, "Yeah. I'm a fiduciary. I can look out for your best interests." They don't care. They'll tell you whatever they need to tell you.

Dave Bittner: Right.

Joe Carrigan: I like -- one of the things that Nick touches on is this can spread like a virus between people. You know, somebody can say, "Hey, man. I'm making all this money on this cryptocurrency deal. Why don't you get involved?" Next person's in. There's a -- there's not a lot that companies like Kraken can do once that cryptocurrency has been sent into a wallet that they don't control. Basically once it's gone, it's gone. Now they can ID a scammer address. And if the scammer tries to reuse that address, they can say, "No. No. We know that's a scammer address. You're not sending your cryptocurrency there." Because Kraken does have an obligation to its customers to protect them to the best of their ability. Now if you get a new wallet address that's a scammer address, there's really not much they can do about that. They don't know it's a scammer address. They can put it into the database of scammer addresses, but all the scammer has to do is create a new address.

Dave Bittner: Yeah.

Joe Carrigan: And those are free on the Bitcoin network. You can do that on every cryptocurrency network. I find it interesting that some of these scammers are using crypto exchanges, legit crypto exchanges like sending the money back to Kraken. I mean if you tell somebody to open a Kraken account and then you scam that person out of some Bitcoin and you just have them send it to your Kraken account --

Dave Bittner: I'm imagining somebody walking into a bank and sticking up the bank and robbing the teller, and then immediately walking to the teller right next to that teller and saying, "Hi. I'd like to open a new account."

Joe Carrigan: "I'd like to make a deposit to my account please."

Dave Bittner: Right.

Joe Carrigan: Exactly. That's exactly the same thing that's going on here. I will say this. These guys are -- are going to stay in this game because this game is profitable.

Dave Bittner: Yeah.

Joe Carrigan: They're scamming people out of money. They're finding a way to move that money around. It's there are companies out there that make a lot of money or that do tracking of these cryptocurrencies, the block chains, but if you get that -- if you put that cryptocurrency into a privacy preserving cryptocurrency like Monero Gcash or BitcoinZ, then it's going to be very difficult to track it.

Dave Bittner: Yeah, although I will say that, you know, law enforcement has certainly claimed that their ability to track is greater than what most people think it is.

Joe Carrigan: I would like to know more about that.

Dave Bittner: Yeah.

Joe Carrigan: And that's good. Probably good, you know, because people getting scammed out of cryptocurrency is not that good. But -- and it's also, I don't know -- that gives me privacy concerns as well.

Dave Bittner: Yeah. I mean I think there's -- there's -- I think we're on a pathway of more regulation when it comes to cryptocurrency exchanges. We just -- I just -- in fact, just this morning I was reading that the EU is going to be cracking down and saying that the exchanges are responsible to their users for the losses that happen on the exchanges. And there's been a lot of noise about, you know, what do we consider exchanges to be? Are they -- are they financial institutions or are they more like a sports betting organization? Is it gambling? Is it --

Joe Carrigan: Yeah. That's a good question.

Dave Bittner: Is it a bank or is it a casino?

Joe Carrigan: I don't think it's a casino, but I also don't think it's a bank.

Dave Bittner: Yeah.

Joe Carrigan: And it's going to be interesting to see how that plays out. If somebody sends their cryptocurrency from an exchange to a scammer, and it's the first time that's happened, I don't know how you make the -- how you make the exchange liable for it aside from just saying, "Well, you're liable for it." And --

Dave Bittner: It's like credit cards. Right? I mean you're limited on your liability. And I think it's -- that's -- they're saying it's going to be a similar kind of thing.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: But that means that now every single one of those exchanges, every single one of those transfers, is going to have to be monitored. And then to get around that all the scammers have to do is say, "Now you need to set up a wallet on your home computer and send your cryptocurrency to your home wallet. And when you're transferring your money out of the exchange, just say you're transferring it to your home wallet." Which is true. And then from your home wallet you transfer it to the scammers.

Dave Bittner: Okay.

Joe Carrigan: So that's how they're going to get around that. I don't know that it's going to be helpful is what I'm saying.

Dave Bittner: Right. All right. Well, again our thanks to Nick Percoco from Kraken for joining us.

Joe Carrigan: That's a good interview. Thank you, Nick.

Dave Bittner: Yeah. We do appreciate him taking the time. Really interesting insights there.

That is our show. We want to thank all of you for listening. Our thanks to Harbor Labs and the Johns Hopkins University Information Security Institute for their participation. You can learn more at harborlabs.com and ISI.JHU.EDU. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like "Hacking Humans" are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at N2K.com. Our senior producer is Jennifer Eiben. The show is edited by Elliott Peltzman. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.