Hacking Humans 8.17.23
Ep 255 | 8.17.23

AI versus AI.


Blair Cohen: By using AI, we can put together enough signals to be able to know with certainty and with a high degree of confidence who really is at the end of a transaction.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where every week we look behind the social engineering scams, the phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from the Johns Hopkins University Information Secret Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, my conversation with Blair Cohen. He's founder, president, and Chief Evangelist at AuthenticID. We're talking about the notion of using AI to battle AI.

[ Music ]

Alright, Joe, we have some follow-up before we jump into our stories here this week.

Joe Carrigan: We do indeed.

Dave Bittner: What do we got?

Joe Carrigan: Robert writes in and says, "Regarding the episode from August 3rd," which was like two episodes ago.

Dave Bittner: Yep.

Joe Carrigan: With the interview with Raj from Trua. "Shortly after listening to the episode, I ran across this new product online. And the headline says 'World's first ChatGPT powered voice recorder snaps to your iPhone, records calls, summarizes meetings.'"

Dave Bittner: Huh.

Joe Carrigan: And I went to the website and it is, it claims to be exactly what it says in this headline, that you can slap it on the back of your phone, it'll listen to everything, transcribe everything, and record everything, does voice recordings, will record lectures. And summarize -- transcribe and summarize everything for you using ChatGPT. Bob's first response was, well, something we can't say on a family show. It starts with the word "holy."

Dave Bittner: Right.

Joe Carrigan: "Can you imagine this device recording every call or conversation you have and that content being out of your control for the rest of the time? Absolutely dystopian and terrifying. Your podcast should be mandatory listening. Keep up the great work." So, yeah, I mean, first off, my thinking on this is you really better be careful when you're doing this. Because if you don't notify people that you're recording their phone call and you're in a state like Maryland. We're a two-party consent state.

Dave Bittner: Yeah.

Joe Carrigan: Right? You're violating the law just recording somebody even if it's just to transcribe them.

Dave Bittner: Right.

Joe Carrigan: So, yeah. I don't -- I don't know how I like this thing.

Dave Bittner: It is an odd device. I mean, it looks like, you know those little sleeves you can put on the back of your phone to hold your credit cards?

Joe Carrigan: That's exactly what it looks like.

Dave Bittner: Yeah. It looks like one of those except inside the sleeve is a little -- and that may be part of it. Because it looks like there's a little device about the size of a credit card that slides in there that I guess is the recording device. What's interesting to me is that, I mean, this is sort of a brute force workaround to the fact that at least on IOS, like Apple is really deliberate about you not being able to directly record phone calls.

Joe Carrigan: Right.

Dave Bittner: There are no apps that can do that. That is just against Apple's rules.

Joe Carrigan: That's interesting.

Dave Bittner: Yeah, yeah. So, this is, you know, like I said, it's an end around to do that. So that's problem one. So as you point out. But also, as we said in that previous interview, you don't want to be just sending everything up to ChatGPT because it becomes part of their corpus of information and people chain ask about it.

Joe Carrigan: Yeah. I actually did a little research in this recently. The OpenAI terms of service says that they don't use your input to train the model.

Dave Bittner: Oh, okay.

Joe Carrigan: But that doesn't mean they don't get your input and they don't keep your input forever.

Dave Bittner: Right.

Joe Carrigan: Right?

Dave Bittner: Right.

Joe Carrigan: So, I mean, there's nothing about that sentence -- we don't use your input to train our model. We still have it. We train a different model.

Dave Bittner: You still basically uploaded it to a stranger.

Joe Carrigan: Right. Yeah, you've uploaded it to a stranger. Exactly.

Dave Bittner: Right, right. No, it's really interesting. So, thank you, Bob, for sending in your kind note. We do appreciate it. That's a heck of a product there. We'll have a link to that in the show notes. Alright, well let's move onto our stories here. I actually have two stories for us this week. And the first one is a personal one.

Joe Carrigan: Okay.

Dave Bittner: I got a call from my father.

Joe Carrigan: Okay. How's your dad doing?

Dave Bittner: He's doing great. Overall, he's doing great. But I got the call that we all get, those of us who are in tech. Dave, the computer's not working.

Joe Carrigan: Right.

Dave Bittner: Can you come fix the computer. Actually, can you help me fix the computer. And I'm like there's no way I can diagnose your computer from over the phone. I'll be over there this afternoon.

Joe Carrigan: Yes.

Dave Bittner: Well he says all these things popped up on the screen and it says that the computer's been locked and it shut down and I have to call Microsoft tech support. You know, right away. And Windows Defender. And now, there's all sorts of alarm bells going off in my head. Because first of all, my father has a Chromebook.

Joe Carrigan: Huh.

Dave Bittner: It doesn't have Windows Defender.

Joe Carrigan: He just went to a website that threw up all this stuff.

Dave Bittner: Exactly. Exactly. So, I drop by to visit with my dad and get it worked out. And sure enough, there's his computer and it has -- every visual alert that you can imagine is going on on this computer. So there's pop-ups that say this computer has been locked, in order to unlock it you must call Microsoft now. There's like a, what do they call it, a crawl at the bottom of the screen. Yeah, exactly, saying like 47 viruses detected. You know, danger, danger! Right. And it's just everything.

Joe Carrigan: Right.

Dave Bittner: So, okay, so obviously this is a scammer.

Joe Carrigan: Yep.

Dave Bittner: Whatever dad happened upon --

Joe Carrigan: A scamming website.

Dave Bittner: Some website, who knows what it was.

Joe Carrigan: It may be a legitimate website that's been hacked.

Dave Bittner: Absolutely.

Joe Carrigan: I'm pretty sure that happened to my mom once.

Dave Bittner: Could be. So now I go through the dance of trying to close all these windows. Which, they're not going down without a fight. Right? So, I'm trying to click on X's as fast as I can, you know. It's like playing a, I don't know, it's like an 80s arcade game. You know. And I'm having no luck with this at all.

Joe Carrigan: It's like "Defender" but you don't have a smart bomb.

Dave Bittner: Exactly. Yes, that is a great way to describe it. So, what I end up force restarting the machine. And then as quickly, like as soon as, you know, Chrome comes up I'm just like close all windows. Close all windows.

Joe Carrigan: Right. Do you want to start where you left off? Oh God no.

Dave Bittner: No, no. No. So, so we got him up and running again. And you know, I installed Privacy Badger on his browser. Which is the EFF's -- basically the EFF's very sort of set it and forget it anti-scammer, anti-ads kind of thing. It's very lightweight.

Joe Carrigan: It's a Chrome plug-in?

Dave Bittner: Yeah. Very lightweight, easy to use, it comes from the EFF, who, you know --

Joe Carrigan: They're trustworthy.

Dave Bittner: They have a reputation I trust.

Joe Carrigan: Right.

Dave Bittner: And so, you know, we'll see. Hopefully that will help, you know, sort of shame on me for not having something like that already installed. But --

Joe Carrigan: I mean, you took the right step in getting him a Chromebook.

Dave Bittner: Yeah. Thank you. I agree.

Joe Carrigan: That's number one. But you know, what's going to happen here, if he calls any of these numbers is they're going to ask him for a credit card and they're just going to charge the credit card out the wazoo.

Dave Bittner: Right, right, exactly.

Joe Carrigan: And that's the scam.

Dave Bittner: Yep. Yep.

Joe Carrigan: And there's no amount of security product that you can put on a computer that will stop that from happening once he picks up the phone and dials the numbers.

Dave Bittner: True. True. Yeah. I'll just note as a side thing, you know, for the longest time I would always recommend, you know, Macintosh computers for folks who are not computer savvy.

Joe Carrigan: Right.

Dave Bittner: My parents. My friends, family, and loved ones. Basically people who I would be doing tech support for. And part of that was because I'm more familiar with Macs than Windows, so it was in my own self-interest. But also, you know, they just tend to not have as many issues. All that kind of stuff that, you know, we've covered many, many times. I don't do that anymore. Because Chromebooks are so bulletproof. They're so cheap.

Joe Carrigan: Yep.

Dave Bittner: You know, if worse came to worse with this, I would throw away the Chromebook and buy my dad a new one.

Joe Carrigan: Right. And then have him log back into his Google account and everything's there.

Dave Bittner: Exactly! They're practical disposable.

Joe Carrigan: I've been a lover of Chromebooks for a long time. I got my kids Chromebooks when my son started high school. And my daughter was like I am never using this.

Dave Bittner: Yeah.

Joe Carrigan: But my son was like well I'll use it. And he kept using it. And one day he said I can't do any of my homework because my Chromebook is broken. I said oh no. No, no, no. You go downstairs to your PC and log into your account in a Chrome browser window and all of your stuff will be right there.

Dave Bittner: Yeah.

Joe Carrigan: And he was like dang it. Now I have to go do my homework. He was actually relieved. He thought everything was gone.

Dave Bittner: Ah, yeah, yeah.

Joe Carrigan: But no, it wasn't gone. It was in the cloud. So, you know, he thought it was on the Chromebook and it isn't. It's not. It's stored in Google's cloud architecture, whatever that looks like.

Dave Bittner: Right. And obviously, you know, there are privacy concerns with that. You got to put -- you're putting your trust in Google.

Joe Carrigan: Right.

Dave Bittner: But you know, as companies go who are into surveillance capitalism, they're among the more trustworthy ones.

Joe Carrigan: Yeah, I mean, they're not -- I don't know. I mean, they're not out there actively saying we're opposing people. I mean, they're trustworthy only because we live in America. We didn't live in America, we might not feel the same way.

Dave Bittner: As opposed to people who are under the blanket of GDPR?

Joe Carrigan: No. Like people who are under the blanket or living under the protection of Dear Leader.

Dave Bittner: I see. Gotcha'.

Joe Carrigan: Where they say we need to have access to this person's account. And I don't know, I think that Apple would be more likely to say no. Google would be like well, we don't want our business to suffer.

Dave Bittner: Right.

Joe Carrigan: Yes.

Dave Bittner: Right. Yeah, that's a good point.

Joe Carrigan: And I don't have any knowledge of that. Other than the fact that when the Chinese government said you have to give us all of your source code in order to do business here in China, they said okay here you go.

Dave Bittner: Yeah.

Joe Carrigan: And --

Dave Bittner: Google, you mean.

Joe Carrigan: Google, yeah. I'm pretty sure that was Google.

Dave Bittner: Yeah. Well. Yeah. It's a big market.

Joe Carrigan: It is. It is. And it's one of the biggest!

Dave Bittner: Yeah. Alright, so all's well that ends well. We got dear old dad back up and running. And it seems to be so far so good. So, you know, I sounded, like a lot of us, when the phone rings and I see it's his name there's -- two sides of my brain fire off. I'm like oh, that's so nice, I get to talk to my dad! And the other half is like what has he done.

Joe Carrigan: Right.

Dave Bittner: Am I going to have to fix his computer? Or his TV? Or his washing machine. Or whatever.

Joe Carrigan: Well, I've been getting calls from my parents. My mom is looking to switch cell phone providers. And my dad is actually going and getting a smart phone again. He has been on the flip phone for a while. Loved it.

Dave Bittner: Yeah, well. There's something to be said for that.

Joe Carrigan: Yeah.

Dave Bittner: Alright, you know what? I'm going to skip over my second story here just in the interest of time. It was kind of thin anyway, it was just about the FBI warning people of scammers trying to cheat people after their NFTs. And my reaction to that story was people are still using NFTs?

Joe Carrigan: Right. Didn't that all just collapse and fail?

Dave Bittner: Evidently there are some, what does -- Ben Yelin calls them dead-enders. Right? They are riding this into the ground. Right? They are holding onto hope that it's all going to turn around. There's going to be a renaissance of NFTs and they will have the last laugh, so.

Joe Carrigan: Yes.

Dave Bittner: I wish them well, but I don't hold out hope for them.

Joe Carrigan: Yeah. So I was in the process of trying to figure out whether or not I could make a bunch of NFTs and had a great plan for it. But as I was starting to investigate it, that's when the whole market sort of falling apart and I was like nah, I'm not going to do this.

Dave Bittner: Yeah.

Joe Carrigan: This is no longer a waste of my time. I can no longer make money selling people with too much money things they don't really need.

Dave Bittner: There you go.

Joe Carrigan: So. Anyway.

Dave Bittner: Alright. Well, no links to my story today unless you want to stop by and say hello to my dad.

Joe Carrigan: Check out his Chromebook.

Dave Bittner: Check out his Chromebook. Joe, what do you have for us this week?

Joe Carrigan: Dave, actually this comes to us from The Washington Post by way of my boss, Dr. Tony Dahbura. Who sent this link to me and one of our students who we're working on a project with.

Dave Bittner: Yeah.

Joe Carrigan: And this is the quiz "Are You Smarter Than a Scammer?"

Dave Bittner: Oh boy.

Joe Carrigan: Let's play this game, Dave.

Dave Bittner: Okay.

Joe Carrigan: You've got the link there.

Dave Bittner: Oh, okay. Let me open it up here.

Joe Carrigan: I've already taken the quiz.

Dave Bittner: Of course you have.

Joe Carrigan: I'll tell you how I did after you take your quiz. There are eight questions on this quiz.

Dave Bittner: Okay.

Joe Carrigan: And you see a question one. Do you see what it says?

Dave Bittner: "Are You Smarter Than a Scammer? Play this game." Okay. "Question one." Here we go. Should I just read the question?

Joe Carrigan: Well, I'll do a bit of -- I'll give it a little bit of background. It looks like it is a cell phone. This is a picture of a cell phone on the webpage.

Dave Bittner: Right.

Joe Carrigan: But yes, it has a -- it has a text message someone has received. And it says "USPS The package arrived at the warehouse and cannot be delivered due to incomplete address information. Please confirm your address in the link." And then it has a link and some more things down there. Now Dave. Is this a scam or not a scam?

Dave Bittner: This is a scam.

Joe Carrigan: Okay.

Dave Bittner: Yes.

Joe Carrigan: Scam. And you'll find out you are correct.

Dave Bittner: Oh, okay. I hit the scam button. Yes, correct, this is a scam. Yep. Alright. Does it get harder as we go along?

Joe Carrigan: They do get a little tricky.

Dave Bittner: Okay. Alright, good. I'm up for it.

Joe Carrigan: Okay, question two of eight.

Dave Bittner: Yes.

Joe Carrigan: Is a Facebook profile. Agent Trich Morgan.

Dave Bittner: Okay.

Joe Carrigan: And apparently this is somebody reaching out to you and you look at their Facebook profile and it says Agent Trich Morgan on Facebook.

Dave Bittner: Right.

Joe Carrigan: Scam or not a scam?

Dave Bittner: I'm going to go with scam.

Joe Carrigan: Scam.

Dave Bittner: Part of which because I'm looking at the description here and it says Agent Trich Morgan updated his profile picture. So that's a little bit of a red flag to me.

Joe Carrigan: Yes. And it is a woman.

Dave Bittner: It is a woman, yes. Agent Trich is a woman.

Joe Carrigan: Right.

Dave Bittner: A lovely woman standing in front of what looks like some government department flag. American flag.

Joe Carrigan: Yes. Not really any department that you could identify, just department.

Dave Bittner: It just says department and you see an American flag. Yeah. And she's a, you know, fine looking, well dressed lady here. So nothing unusual or outstanding about her photo. Alright. I'm going to click scam. Correct! This is a scam. Alright.

Joe Carrigan: Question eight of three.

Dave Bittner: Yeah.

Joe Carrigan: It's a text message from a number that's not in your contacts.

Dave Bittner: Yes.

Joe Carrigan: And it says "Anna, let's have a barbeque tomorrow." Now you have three choices here. Is it scam, not a scam, or maybe a scam.

Dave Bittner: Well. See, this is where -- okay. I'm going to say -- I think it's a scam. Because first of all, my name is not Anna. And --

Joe Carrigan: Right.

Dave Bittner: But what I'm wondering -- see, I'm trying to reverse engineer the quiz now.

Joe Carrigan: Right.

Dave Bittner: Because it's either going to be scam or maybe a scam. So I'm going to hedge my bets and consider the audience of who this is for. And I'm going to say maybe a scam.

Joe Carrigan: Maybe a scam is correct! Yes.

Dave Bittner: Unless your name's Anna.

Joe Carrigan: Unless your name is Anna, there isn't enough information to decide either way.

Dave Bittner: Right. Right. And we've talked about this scam before. They basically try to get you -- in other words, they use this phony message to try to start a conversation with you.

Joe Carrigan: Right.

Dave Bittner: And then they'll try to sell you like cryptocurrency or NFTs or something like that.

Joe Carrigan: Yes.

Dave Bittner: Yeah.

Joe Carrigan: And you too can be a dead-ender in the NFT world.

Dave Bittner: Yeah, that's right. Okay, next.

Joe Carrigan: Next one is an email that comes from Chase Fraud Alert. And it says "Action needed. Please confirm activity. Chase debit or ATM card. Card ending in," and the number's greyed out. It says someone's name. And then "Did you or someone you authorized use your Chase debit card or ATM card for this declined transaction?"

Dave Bittner: Okay.

Joe Carrigan: And it has yes, I recognize it. No, something's wrong. Is this a scam or not a scam?

Dave Bittner: I'm going to say not a scam.

Joe Carrigan: Not a scam.

Dave Bittner: Correct. Ha-ha. And here's why I thought it was not a scam.

Joe Carrigan: Okay.

Dave Bittner: Because it has the email, the return email address, is chase@fraudalert.chase.com.

Joe Carrigan: Right.

Dave Bittner: So it's the .chase.com that makes me think it's authentic.

Joe Carrigan: Yes.

Dave Bittner: However, we know email return addresses can be spoofed.

Joe Carrigan: Yes, we do. I would say that even if you said scam on this one, I would still say right enough for me.

Dave Bittner: Right. Better safe than sorry.

Joe Carrigan: You'd make the phone call or you would, you know, you'd call Chase at a number that you know is good.

Dave Bittner: Okay. Next up. Question five.

Joe Carrigan: Question five is Geek Squad Academy. "Dear customer, thank you for choosing Geek Squad for your computer anti-virus plan. As today is the auto-renew date, you'll be charged the amount of $419 for the Geek Squad anti-virus plan." And it goes onto say here's all your personal information. However, if you want to call off the subscription, you can reach us at the helpline number 1-866 and some number.

Dave Bittner: Yeah.

Joe Carrigan: Scam or not a scam?

Dave Bittner: Scam.

Joe Carrigan: Scam, right.

Dave Bittner: Absolutely.

Joe Carrigan: We talk about these all the time.

Dave Bittner: Yeah. In fact, it's funny. My dad got one of these right before things went bad for him -- hmm. And he sent it onto me. Is this something I need to reply to? I'm like no, dad, no, no.

Joe Carrigan: Delete it.

Dave Bittner: Just get rid of it, yeah.

Joe Carrigan: Yes.

Dave Bittner: Yeah. And the scam is that they're going to try to get you to call.

Joe Carrigan: Right.

Dave Bittner: They're eliciting a response from you because odds are nearly 100% that you never engaged with the Geek Squad or any anti-virus plan or anything.

Joe Carrigan: Right.

Dave Bittner: So when you see this, you think to yourself, what? I never did that! This is going to auto-renew? Well I better call them and give them a piece of my mind!

Joe Carrigan: Right. And then they go okay, fine. We're going to install this software on your machine and we're going to log into your bank account to make sure that everything's right and then they're just going to steal all your money.

Dave Bittner: That's right.

Joe Carrigan: Terrible.

Dave Bittner: That's right. Okay.

Joe Carrigan: The next one is a voicemail. I don't know if we can put it in there.

Dave Bittner: Why not. Let me listen to it here.

Robotic Voice: Hi there. This call is to remind you that 50% discount offer on your Comcast Xfinity account expires today. In order to avail the discount, please call back at 866-310-0608 from 8 am to 5 pm Pacific Standard Time. Thank you and have a great day.

Dave Bittner: Alright, yeah. I'm going with scam.

Joe Carrigan: Scam, right. That is obviously a scam.

Dave Bittner: We are so cynical, Joe.

Joe Carrigan: Yes.

Dave Bittner: Yeah. So, why do we -- how do we know this is a scam?

Joe Carrigan: Comcast doesn't call you to give you 50% off. They just don't do it, it's not in their interest. Also, you know --

Dave Bittner: That's true. If anything they're going to raise your prices and try to hide it from you.

Joe Carrigan: Right, yeah. That's what they all do.

Dave Bittner: Yeah.

Joe Carrigan: I'm not just picking on Comcast. Verizon does it too.

Dave Bittner: All the cable providers.

Joe Carrigan: Alright. Question seven of eight.

Dave Bittner: Okay. Question seven of eight.

Joe Carrigan: It is a Facebook Messenger chat on the marketplace listing that you just made and somebody says "Still available for sale?" and you have said "Yes." "Alright, we'll pay you up front now and my girl will come pick it up once the payment is cleared. I only got Zelle for payment." And you respond "Okay." "You got Zelle?" "Yes, but I need to check to make sure there's no way I can be scammed. No offense but it's just too rampant for me to not investigate a bit." And the person responds "Alright, Zelle is a fast, safe, and easy way to send money and you receive money from people you know and trust who have a bank account in the US." Is this a scam or not a scam?

Dave Bittner: You know I don't, off the top of my head, I don't know enough about the protections that Zelle has in place. I know Zelle is run by a bank.

Joe Carrigan: Yes.

Dave Bittner: So I would hope that there'd be some consumer protections. But on the other hand, with so many of these online payment systems, there is no way to claw it back.

Joe Carrigan: Right. Scam or not scam?

Dave Bittner: You know what? I'm going to go with scam because of the person's insistence on using this and only this.

Joe Carrigan: Okay.

Dave Bittner: Because if they only have Zelle for payment and there's actually a face-to-face exchange that's going to happen, well bring me some cash. Or you know, something like that.

Joe Carrigan: Right.

Dave Bittner: So I'm not 100% sure on this one but I'm going with scam.

Joe Carrigan: Scam is correct.

Dave Bittner: Alright.

Joe Carrigan: This is a scam. If you're selling a bike or anything on Facebook Marketplace and immediately have an interested buyer who wants to pay up front and have a third party pick it up, they aren't interested in going in a ride or test driving or whatever it is. But they want -- what they want to do is break into your Zelle account. That's what they're trying to do.

Dave Bittner: Okay.

Joe Carrigan: So one of the things they point out is that the Zelle has the registered trademark circle after it. And it looks like they just copied this text from the Zelle website to paste it into the Facebook Messenger. So that's what they're going for here. But yes, you said scam. And it is in fact a scam.

Dave Bittner: What's the scam here?

Joe Carrigan: They're just trying to get access to your Zelle account. They're going to trying to flim-flam you, fast talk you.

Dave Bittner: Okay. I see. So once you establish this transactional history, then they've got a hook in you and they're going to try to --

Joe Carrigan: Right. They probably have your email address.

Dave Bittner: Yeah.

Joe Carrigan: Immediately. And they're probably going to send you an email impersonating Zelle. Right?

Dave Bittner: Okay.

Joe Carrigan: So that's what's next.

Dave Bittner: Okay.

Joe Carrigan: Alright. And finally we have a webpage that says "In regards to Facebook Incorporated consumer privacy user profile litigation, United States District Court for the District of California -- Northern District of California."

Dave Bittner: Yeah.

Joe Carrigan: "File a claim. Click here to edit your claim. The deadline for submitting a claim form is August 25th, 2023 at 11.59 pm." So is this a scam or not a scam?

Dave Bittner: Oh, goodness. I can't tell. Again, if I don't know I'm going to error on the side of scam. I would say the URL that the domain name is facebookuser privacysettlement.com, which seems awfully long to me.

Joe Carrigan: It does.

Dave Bittner: But. That also seems like the kind of domain that some law firm would set up on behalf of Facebook. So it's possible it could be legit. But I would say if I got this, seeing here what I'm seeing, I would not click through on this. I would -- if I think I'm entitled to something, I would try to get at the information for this by other means rather than clicking through. And also, part of this, this quiz has no information about how I came to be on this webpage to begin with.

Joe Carrigan: Correct. That is one of the shortfalls of this quiz.

Dave Bittner: Yeah. So I'm going to go with scam.

Joe Carrigan: Scam.

Dave Bittner: Yeah. Not quite.

Joe Carrigan: Not quite. This is not a scam.

Dave Bittner: Okay.

Joe Carrigan: Now here's the thing, Dave. Don't feel bad. Because you are in good company.

Dave Bittner: Okay.

Joe Carrigan: None other than Dr. Tony Dahbura scored exactly the same way you did.

Dave Bittner: Oh.

Joe Carrigan: Missing only the last question. And said that the input was iffy.

Dave Bittner: And he's got a PhD.

Joe Carrigan: He does. I also scored seven out of eight. But I did not miss this one.

Dave Bittner: Oh.

Joe Carrigan: Probably because I heard from Tony that the last one was iffy. So I said okay. Not a scam. I did this. But I missed the one about Zelle.

Dave Bittner: Okay.

Joe Carrigan: I didn't think that was a scam. So I would have been alright, I have Zelle, here's my number. Or send me the Zelle money.

Dave Bittner: Yeah.

Joe Carrigan: But I don't have Zelle. So I'd be like no. I don't have Zelle. And I don't know how that would have worked out for me.

Dave Bittner: Yeah. Yeah. Well. I mean, I would -- I don't feel bad about how I did. I guess I would have liked to have gotten them all.

Joe Carrigan: It feels good when you get them all.

Dave Bittner: Well it does. And I feel like as deep as you and I are into all of this, I feel like we should have gotten them all.

Joe Carrigan: I'll tell you that our student did in fact get them all.

Dave Bittner: Oh, okay. Good for them. Yeah. Yeah, I guess. Maybe I'm just making excuses for us. But I think it also illustrates how tricky this can be. And as we always say here, anybody can fall for these things.

Joe Carrigan: They sure can.

Dave Bittner: And they're built in such a way to be tricky. So. Yeah. Alright. Wow, that was an interesting quiz. That was fun. You know, this would be a good one to share with your friends and family.

Joe Carrigan: Yes.

Dave Bittner: A very good one to share with your friends and family.

Joe Carrigan: And there's a link in the show notes. So you can send it all out and tell them you scored eight out of eight because you heard it on the show first.

Dave Bittner: That's right. We gave away all the -- because it's not like they're rotating through random questions.

Joe Carrigan: No, these are the exact same questions that I took yesterday.

Dave Bittner: Okay, alright. Well no fair cheating, dear listeners. Alright. Well as you say, we will have a link to that in the show notes. Joe, it is time to move onto our "Catch of the Day."

[ Soundbite of Reeling in Fishing Line ]

Joe Carrigan: Dave, our "Catch of the Day" comes from Steve. And it's an email that is just fantastic. The subject is "Pay," pound sign, "581." "Pay #581". You want to muddle your way through this?

Dave Bittner: Sure. It says, "Payment details. Receipt 2x. Order number one. 1x order number two. Account number 96167. Your account summary. Amount paid $355.93. Pervious unpaid balance $893.87. Confirmation number. Payment method, credit card. Download invoice. Kindly download your invoice. Note, your order has been confirmation. Regards. We set all details attached with this email. Thank you for your choose us. Support Giovanni Clayson."

Joe Carrigan: So there's a link here for download your invoice, and Steve actually has deobfuscated it. It goes to a tinyurl link.

Dave Bittner: Right, a link shortener.

Joe Carrigan: Which is a link shortener.

Dave Bittner: Yep.

Joe Carrigan: And then that wound up going to some other site that was called getscreen.me, which installs a -- which is a link to a RAT, or a remote administration tool. Or if it's more malicious, remote access trojan.

Dave Bittner: Right.

Joe Carrigan: So it's just somebody trying to install something you do not want on your machine.

Dave Bittner: Yeah. Do you remember off the top of your head what the magic incantation is to reveal a tinyurl? To expand it without going to it? There is something like that.

Joe Carrigan: There was an exclamation point you put after the -- but that was for bitly.

Dave Bittner: Is that right?

Joe Carrigan: Yeah.

Dave Bittner: Okay, okay.

Joe Carrigan: I think it's for bitly.

Dave Bittner: Maybe that's what I'm thinking of. Alright. Well I think on -- my, again, I'm talking off the top of my head here. But -- or the other end of my body. And I believe if you -- you can go to tinyurl or any of these link shorteners.

Joe Carrigan: Right.

Dave Bittner: And you can put in the shortened link and it will show you what it's going to go to before you go there.

Joe Carrigan: Right.

Dave Bittner: And so you can see what you're in for. Ahead of time. Which is, you know, a good idea of you don't know -- if you don't trust it. And these days, you shouldn't trust it. Alright, well our thanks to Steve for sending that in. And of course, we would love to hear from you. If there's something you'd like us to consider for our "Catch of the Day," you can email us. It's hackinghumans@n2k.com.

Joe Carrigan: Yes. And send in those catches of the days. We're running low on them. So send them in.

Dave Bittner: Alright.

Joe Carrigan: Now we'll get a bunch of them, Dave.

Dave Bittner: Yes, we will.

Joe, I recently had the pleasure of speaking with Blair Cohen. He is the founder, president, and Chief Evangelist at an organization called AuthenticID. And we're talking about this notion of using AI against AI. Here's my conversation with Blair Cohen.

Blair Cohen: The state of things is super frightening today, Dave. ChatGPT I think, what it's done, and what all the other large language models have done, has been to just bring the power of AI to normal people. You know, this capability to replicate your face, replicate your voice, replicate any biometric modality. That's kind of been around for a while. But it took a lot of skill. And now with the large language models and some decent understanding of scripting languages, you can just talk to the computer now and have it create all kinds of synthetic stuff. In a lot of cases, it has never actually existed in the real world. So synthetic faces, synthetic voices. I'm scared.

Dave Bittner: And so where does this lead us when it comes to things like online authentication?

Blair Cohen: It leads us to a place where there becomes a lot less trust. In any remote transaction, any remote marketplace, any social network. Unless something is really done from an underwriting standpoint, we're starting to see that happen. Where we're now getting verified accounts on places like Instagram and Twitter that have never existed in the past. So in the past, you've had bots that have opened up just a gazillion fake, bogus accounts that they've been seeding and using for nefarious purposes, in a lot of cases. In a lot of cases, they're just seeding those and waiting to bust out and use them for nefarious purposes. But that's where we are. If people start doing a better job underwriting and making sure that a real human is behind this aviator, a real human is behind this identity, then we can begin to trust these marketplaces again. But today, I think there's a lot of lack of trust, if you would.

Dave Bittner: I think one of the challenges that we always talk about with this sort of thing is how can organizations do this at scale? And I know one of the things that you and your colleagues are advocating here is using some of these AI tools to assist the good guys in trying to authenticate people. Can you describe what you're up to?

Blair Cohen: So that's precisely what we're doing. You know, companies like AuthenticID have been trying to instill trust in these marketplaces in these social networks and these ecosystems. If you think about something like an Airbnb, that's pretty personal. You're allowing people into your home. So there really needs to be a lot of trust in those ecosystems. And that's what we're doing is by using AI, and giving people the convenience of being able to do this from their sofa, on a Sunday morning, we can put together enough signals to be able to know with certainty and with a high degree of confidence who really is at the end of a transaction. And primarily that's being accomplished today using biometrics. But that's where AI comes to play and the bad actors also have access to biometric technologies. And have been reverse engineering it. So, there's the rub. It can be used for good, but it can also be used for bad. So it's in this constant game of whack-a-mole. So that's, we're constantly whacking down the mole and killing those guys. But every day a new one arises. And unfortunately, you know, our arms are bound. It's like playing table tennis with one hand tied behind your back. Or both hands tied behind your back.

Dave Bittner: Can you give us some insights of the types of things that you all are doing? I mean, what does AI bring to the table that helps you with this task?

Blair Cohen: So what AI allows us to do is to see things that humans can't see. It allows us to build DNNs, which are dynamic neural networks, and large neural networks that make convolutions of images. And that's a lot of fancy words to say that I could take one image of your face, make 50 different iterations of your face using AI, and train a model on that. So that the next time it sees your face it can know for sure that it's really Dave and not somebody else. So AI allows us to see artifacts in images today. And in voice prints today. That humans wouldn't be able to see. So it prevents, we deal with organized criminals, organized fraudsters who are trying to scam some of the largest banks and telecos in the world, which are whom we protect. So, they get quite creative. And AI allows us to see these artifacts. There's no way for somebody to take over your face because it has to be replayed somehow. It has to be replayed via some sort of camera sensor. Or uneducated into the ecosystem in some way, shape, or form. And when that happens, our AI's able to distinguish those artifacts and know that that's really some sort of a replay. And not a real person that's at the end of that camera.

Dave Bittner: How do you deal with things like either false positives or false negatives? You know, we hear news stories about facial recognition systems, you know, getting things wrong. People being falsely accused of things in that case. How do you address that sort of concern?

Blair Cohen: You know, today there are probably 2,000 different vendors that hawk some sort of facial recognition algorithm with varying degrees of success. But if you look at the top 20 algorithms that exist in the world, these are all evaluated by a quasi-governmental entity called the National Institute of Standards in Technology, NIST is the acronym for that. And NIST very painstakingly goes through and it evaluates every single algorithm that is submitted on a monthly basis. And if you look at performance, the variants across genders, male/female, across skin colors, whether really, you know, we've got six different variations of skin colors, across ages, the variance is indistinguishable. They've even gone further into evaluating an algorithm's performance based on where a person was born. So they're looking at, you know, the different characteristics of 20 different countries that exist around the globe and evaluating the algorithm's performance based on those characteristics. And you'll find that today's top performing algorithms have trained on that type of data. Therefore, perform really well. I think there's just been a lot of really poor journalism out there that conflated and didn't really accurately report how the algorithms performed in a lot of cases. They weren't properly utilized. So today's algorithms, I don't think it's much of a concern.

Dave Bittner: Where do you suppose we're headed with this? When you look towards the horizon, you know, what does the future hold for authenticating people online?

Blair Cohen: I think that biometrics are, despite the fact that regulatory pressure and new guidance continue to come out on nearly a daily basis these days, I still biometrics winning. It's the only way to know for sure who completed a transaction. Who performed a transaction. Today you have different types of fraud. You have third party fraud where somebody knows enough about me where they've taken over my account. That's third party fraud. But you know a lot of fraud today is real people that call up Neiman Marcus at the end of the month and say wait a minute, I didn't do that. And Neiman's doesn't really have any way to prove that it wasn't Blair. So they end up writing off a lot of bad debt that gets written off as bad debt, but it's really fraud. And it's first-party fraud. Whereas with biometrics, that can't really happen, either. Right? I'm going to be able to know for sure that that really was Blair that bought all that stuff in Neiman Marcus. Not that I can afford to shop there, but. But that's where it's going to go. But I think that as AI continues to advance, biometrics are going to involve a little bit more friction. Today, it's pretty much frictionless. I'm able to just show my face and instantly we can apply all the loudness algorithms and all the mapping algorithms and make sure that it's really me and I'm really alive and present in that moment. Today, that's good enough. But is it going to be good enough tomorrow? Maybe not. I think that we may see that turn to multimodal. So it's going to require me to show my face and a fingerprint. Or my face and a voice print. or my face and a voice print that makes me see a dynamic phrase that's being shown on the screen in front of me. But at the end of the day, biometrics will win out.

Dave Bittner: Joe, what do you think?

Joe Carrigan: So, do LLMs really bring the power of AI to the masses like Blair says? Do you think? I mean, I guess they do, right?

Dave Bittner: I think they do.

Joe Carrigan: Give people the tool -- or like, if you run the ChatGPT and start entering text in, it'll start responding to you.

Dave Bittner: Yeah.

Joe Carrigan: And you'll be able to use that to generate stuff that might be useful to you.

Dave Bittner: That's true.

Joe Carrigan: But --

Dave Bittner: I think it's a bit of a magic trick, though.

Joe Carrigan: Yeah.

Dave Bittner: You know? Like it's -- there undoubtedly good, legit uses for it. But I guess there are also too few guardrails in my estimation.

Joe Carrigan: Right. Actually, my next question was, is that good? Right? And you know, I don't know. I like to think that it is because I'm the kind of guy that says yeah hammer is a tool.

Dave Bittner: Yeah.

Joe Carrigan: It can be used to build a house or tear one down, right?

Dave Bittner: Right.

Joe Carrigan: But I tend to think that yeah, we're better off with it than without it, I guess. But yeah, be mindful that it's out there. And that these people, these tools can be used to generate very effective deceptive text.

Dave Bittner: That's right.

Joe Carrigan: There needs to be a lot less trust in general from people to people now more than ever with these things out there that help people be deceptive.

Dave Bittner: Yeah.

Joe Carrigan: I would say that there's no way that you can trust anything is a real person on any social media account. I just don't -- unless you know that person personally, right? Like on Facebook, everyone I'm connected with I've met personally.

Dave Bittner: Right.

Joe Carrigan: I know who they are. And I talk to them about okay, yeah, remember when I posted that on Facebook? That was years ago. And they go yeah. And then I'll send them messages. It's really the only reason I still have a Facebook account is because I've said this before, I use the Messenger to communicate with people.

Dave Bittner: Right.

Joe Carrigan: There is an attempt to build the trust in social media. And I think that even if everyone on a platform is verified, I think it would still suck.

Dave Bittner: Okay.

Joe Carrigan: You know? It would still be the same group of people saying the same things. You know, you know why you left Facebook, right?

Dave Bittner: Right.

Joe Carrigan: It's because you had people on there spouting all kinds of stuff. And it's why I kind of walked away from all social media.

Dave Bittner: Yeah.

Joe Carrigan: You know? There was just -- I don't want to hear your political opinions. Period. I really don't. And if you want to talk politics, we're not going to talk politics on Facebook and have a productive conversation where one of us changes our mind. That is not going to happen.

Dave Bittner: Yeah.

Joe Carrigan: And I just don't think that it's really a productive place to have those things. And there's that perverse incentive from every social media company to keep you engaged, to show you things you either want to see because you like them, or you want to see because they make you angry.

Dave Bittner: Yeah. Let me "yes, and" you.

Joe Carrigan: Yes, and.

Dave Bittner: In that when I dropped off -- so yes, I dropped off of Facebook years ago.

Joe Carrigan: Yes.

Dave Bittner: That was pre-pandemic. And then more recently, I dropped off Twitter.

Joe Carrigan: Right.

Dave Bittner: For all the reasons people are dropping off Twitter these days.

Joe Carrigan: You mean "X," Dave.

Dave Bittner: I stand corrected. And but I switched to Mastadon. And I have to say, I'm really liking Mastadon. And I think one of the reasons I like it so much is that there is no algorithm. There's nothing on my timeline that's algorithmically generated. It's people you follow, people who follow you. So, anything I see is either something that I specifically said I'm interested in. Or someone I'm already interested in is sharing that I can see.

Joe Carrigan: Right.

Dave Bittner: And it makes all the difference in the world. Is Mastadon perfect? No. I mean, there's still, you know, there are dark corners of Mastodon just like everywhere else.

Joe Carrigan: Right.

Dave Bittner: And they deal with content moderation and all of those kind of things. But I will say that just in terms of the pleasure, the quality of discourse and not rationing up my level of anxiety, I've been quite pleased with what I've built on Mastodon. And I think that's another thing to be mindful of is that it takes a little more work to build a Mastodon instance. Because you have to go -- the feed's not just going to start putting stuff in front of you.

Joe Carrigan: Right. You have to go out and get it.

Dave Bittner: Yeah. But once you put in the work, it's quite pleasant.

Joe Carrigan: Alright. Maybe I'll start Mastodon.

Dave Bittner: That's my pitch for Mastodon.

Joe Carrigan: I have one Mastodon account out there on one of the servers somewhere.

Dave Bittner: Yeah.

Joe Carrigan: I think it's the one that Maria Varmazis recommend at one point in time.

Dave Bittner: Okay.

Joe Carrigan: It's like a cybersecurity Mastodon server.

Dave Bittner: Yes. Yeah, yeah. Absolutely.

Joe Carrigan: But if I'm going to do a personal Mastodon server I'm just going to look for something that interests me and maybe go out there. I don't know what I would even find. Is there a grumpy old man Mastodon?

Dave Bittner: I'll bet you there is.

Joe Carrigan: 'Cause that's where I would be.

Dave Bittner: I'm on one call "Hackyderm," which partially I just like the pun.

Joe Carrigan: Right.

Dave Bittner: But I did some digging in. And you know, the people that run that instance, their sensibilities align with my own overall. So, you know, I figure alright. This I'll hitch my wagon to. And so far, I haven't regretted it. But.

Joe Carrigan: Okay.

Dave Bittner: Do shop around. There are lots of them out there. And all -- it's a spectrum of quality but.

Joe Carrigan: Right.

Dave Bittner: But again, my experience has been it's been worth it.

Joe Carrigan: Good.

Dave Bittner: So, what else about our interview with Blair here?

Joe Carrigan: Right, yeah. I went off on a social media tirade there.

Dave Bittner: That's alright.

Joe Carrigan: And you know what, Dave? You've convinced me, I'm going to try Mastodon. I'm going to start looking for it. I'll let you -- I'll give you a report next week.

Dave Bittner: Yeah. I'll know. Because you're going to look me up.

Joe Carrigan: I guess I will.

Dave Bittner: Yes, yes. Alright.

Joe Carrigan: So, AI allows the construction of models that permit the verification of people. And I have been asked multiple times if I want to save my voiec print with a company. And I say no.

Dave Bittner: Okay.

Joe Carrigan: There's a company I do business with where they go hey, your voice can be your password. I'm like I don't know that I trust you with that yet. Maybe I shouldn't feel that way. I don't know how I should feel about this. Because we keep talking about these biometrics. And I admit that I have lost the battle on this. That we're going to have to go with biometrics. And I like Blair's example here of going with -- he talks about going to Neiman Marcus and somebody you know, fraudulently says that those were fraudulently charged to my account.

Dave Bittner: Right.

Joe Carrigan: Right? I fraudulently -- is hard to say over and over again. But it makes perfect sense. I mean because that is a loss to that business and increased cost to everybody else.

Dave Bittner: Yeah.

Joe Carrigan: Even if, essentially it's just shoplifting using your credit card.

Dave Bittner: Right.

Joe Carrigan: But if you have biometrics there and they have a face scan of you while you're standing there. And it's not all that obtrusive, they would be able to say no, this was you standing there, we have your biometric data. I don't know if there'd be any ramifications for that, though, because now you've just attempted to commit fraud. Maybe it's just your word against theirs or I don't know, I don't know where that goes down the road. I like to think, whenever I hear an example like this, I start going down the road with what does that mean? You know? How does that wind up. Do people now have to face criminal charges because they tried to essentially shoplift using their credit card?

Dave Bittner: Yeah.

Joe Carrigan: I don't know.

Dave Bittner: Well, and you think about the two sides of, like in a retail situation, where if someone tried to do a scam like this and they sent them a note that said hey, is this you standing in front of our register? It sure looks like you. On the one hand there's that, but on the other hand, what sort of pushback -- like how would you react if you went to your local Macy's and they said okay, before we ring you up, I need you to look into this camera.

Joe Carrigan: Yeah.

Dave Bittner: Like. Somehow I don't think you'd be okay with that.

Joe Carrigan: Lasers come out and scans your face and a little red line --

Dave Bittner: Exactly. On your way up the escalator, we weighed you and -- you know. Like. Right.

Joe Carrigan: You need to eat more vegetables, Joe. I know. You sound like my doctor.

Dave Bittner: Yeah. So. It's tough.

Joe Carrigan: Yeah.

Dave Bittner: It's tough.

Joe Carrigan: One final point I want to talk about is what Blair said about NIST looking at the algorithms. That is good, these AI algorithms. Because in the past, there were algorithms that did have a hard time differentiating different groups of color -- based on your skin pigmentation.

Dave Bittner: Right.

Joe Carrigan: People with darker pigmentation had more false positives and more false negatives than people with lighter pigmentation. And now, NIST looks at things like skin color, place of birth, which is a different metric, age, which is very important to you and me, right? And these algorithms have gotten a lot better. So I'm happy to hear that.

Dave Bittner: Yeah.

Joe Carrigan: That this is less of a problem than it used to be. That doesn't mean the problem has gone away completely.

Dave Bittner: Yeah.

Joe Carrigan: But, you know, again, we're talking about -- my feeling on these things is I don't want these things being used for law enforcement or being a, you know, held up in a court of law.

Dave Bittner: Right.

Joe Carrigan: I think, I don't think there is as pseudoscience-y as some of the things out there that also don't stand up in a court of law, there definitely is a real science behind it. But I just don't think they're ready yet.

Dave Bittner: Yeah.

Joe Carrigan: For this kind of trust.

Dave Bittner: Yeah, I think the broaden of proof is on them.

Joe Carrigan: Yes.

Dave Bittner: Yeah. Alright. Well again, our thanks to Blair Cohen for joining us. Again, he is the president and Chief Evangelist at AuthenticID. And we do appreciate him taking the time for us.

That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This show is edited by Elliot Peltzman. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.