Hacking Humans 9.14.23
Ep 259 | 9.14.23

The online dating world is a jungle.

Transcript

Andrew Hendel: The dating apps all have a very big problem in that they don't do very much to identify users, and that's, in large part, why I created Marshmallo. Marshmallo is another dating app. There's lots out there. But what's different about it is that everybody has their government-issued ID checked. They have their selfie checked and their profile pictures checked. You literally can't post a picture of somebody that isn't yourself.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast where, each week, we look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hey, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We got some good stories to share this week and, later in the show, my conversation with Andrew Hendel. He's founder and CEO of a company called Marshmallo. We're talking about online dating. [ Music ] All right, Joe, before we jump into our stories here, we've got some follow-up from someone named Gareth who wrote in with a question. I'll read it here. It says, "Hi, Joe and Dave. I've been getting emails like this for a few weeks from several different email addresses, usually a text string with no special characters in the subject. The capitalization makes me suspect it's supposed to look like a password. The body usually has a number string like the one I've forwarded here. It'd be interesting to get your thoughts on this. I think they're probably trying to get a reply email from a concerned citizen who accidentally got your email with a password and then follow on a conversation from there." And Gareth did send this along. And yeah, it's just sort of a random string of characters in the subject line.

Joe Carrigan: Right.

Dave Bittner: What do you make of it?

Joe Carrigan: The body -- the body is just a six-digit number.

Dave Bittner: Yeah.

Joe Carrigan: Looks random. My initial thinking on this is that this is somebody validating a list, a mailing list, that they've got a list of email addresses, and they've gotten an automated process that sends these out and then looks for the bounce backs --

Dave Bittner: Oh.

Joe Carrigan: -- and removes those addresses that bounce back from the list.

Dave Bittner: Right.

Joe Carrigan: So it's just a way of refining it. But the thing that points to that not being the case is Gareth says he's gotten a few of these. You only need to do that once to validate an email.

Dave Bittner: Yeah.

Joe Carrigan: And you know it's good. I don't know, Gareth might be right, that it's a -- it's an attempt to elicit a response. Don't respond, of course. That's the best thing.

Dave Bittner: Yeah.

Joe Carrigan: But yeah, my -- I still think this might be a -- somebody churning through email addresses just to verify them.

Dave Bittner: Yeah, that makes a lot of sense to me. It's a way to make their -- if it's someone who's selling a list of email addresses, it's a way to make that list more valuable --

Joe Carrigan: Right.

Dave Bittner: -- by saying this is a validated list.

Joe Carrigan: You know what? That's a good point. If they're selling that list, and they -- maybe one of their selling points on the black market, or maybe it's a real market, right? You know, could be a legitimate business practice, legitimate in quotes.

Dave Bittner: Right, right.

Joe Carrigan: They go through the process of validating the emails on a regular basis, you know, so, yeah, oh, we validate this every week by sending out an email that, you know, if we hear -- if we don't hear back from them, we know that the email is good. It's a good address.

Dave Bittner: Right. Yeah. Okay. Well, that makes sense, and I'll go with that. Yeah. But I think your advice is good. Don't reply.

Joe Carrigan: Right.

Dave Bittner: All right. Well, of course, we would love to hear from you. If there's something you'd like us to discuss on the show, you can email us. It's hackinghumans@n2k.com. All right, Joe, I'm going to kick things off for us with our stories here this week. I've got a story. This came through Yahoo, Yahoo News, rather, and it's actually from the Australian Associated Press, article by Rex Martinich, and it's about a woman who was manipulated by hackers into money laundering. So it's kind of a sad story of a woman named Rossmani Eckl. She's 68 years old, and she was found guilty by a Brisbane Supreme Court, a jury, of five counts of knowingly dealing with proceeds of crime, basically, money laundering.

Joe Carrigan: Right.

Dave Bittner: Now, the way that this played out is that she had been previously victimized by a hacking group for $600,000.

Joe Carrigan: They got $600,000 out of her?

Dave Bittner: They got $600,000 out of her back in 2010.

Joe Carrigan: Wow.

Dave Bittner: So 13 years ago, and this was someone -- wait for it -- claiming to be a Nigerian political leader.

Joe Carrigan: Okay.

Dave Bittner: So in 2010, she fell for a Nigerian prince scam for $600,000.

Joe Carrigan: That's a lot of money.

Dave Bittner: That's a lot of money.

Joe Carrigan: Yeah.

Dave Bittner: It could -- who knows, you know -- her retirement account or family.

Joe Carrigan: Sure.

Dave Bittner: It could just be the money she had squirreled away over the course of her life.

Joe Carrigan: Right. That is a large sum of money, and she had lost it. A hacking group came along, and I'm going to put odds out here that it was probably the same group. Probably.

Dave Bittner: They knew that they had someone here who'd fallen victim to something, and they convinced her that they could help her get that $600,000 back if they just played along. And so what happened was over the course of about a year, according to this was between May of 2019 and July of 2020, she was basically serving as a money mule. She was using her bank account to be the go-between for funds that were transferred between folks who were cheating people out of money.

Joe Carrigan: Right.

Dave Bittner: And then sending it on to, you know, the ultimate -- who knows? -- could be another money mule or directly to the crooks here. Some of the attempts to pass money through her account got flagged and failed. There was one they call out here in this article that was $850,000.

Joe Carrigan: Huh.

Dave Bittner: And that got tagged and didn't go through.

Joe Carrigan: Right.

Dave Bittner: What's interesting is that this woman, basically, the judge went easy on her. The judge said that she has no criminal history. She lived in Australia since 1975 after migrating from Malaysia, and the judge said that imposing a full-time sentence would cause exceptional hardship to her because she -- not the least of which she'd be automatically deported, and her family members rely on her for support. She has a degree in accounting. She works as a paralegal. So other than this, she's had no run-ins with the law and is, by all accounts, a good contributing member to Australian society. So the judge -- she was sentenced to three years imprisonment, but he ordered her to be released on $1,000 and a five-year good behavior bond and that she attend counseling for the next two years. So, you know, $1,000 is a bit of a slap on the wrist.

Joe Carrigan: Yeah.

Dave Bittner: And not to mention, I mean, of course, there's the $600,000 that she's out from the original scammers.

Joe Carrigan: Right, right.

Dave Bittner: You know what? I guess I think it's good that she got the light sentence that she got. But on the other hand, the judge points out that she knew what she was doing. She's an accountant.

Joe Carrigan: She's an accountant.

Dave Bittner: Right.

Joe Carrigan: She's very familiar with the practice of money laundering.

Dave Bittner: Right.

Joe Carrigan: Yeah.

Dave Bittner: Right, and -- but they went easy on her because of the circumstances that they felt like she was under tremendous emotional stress --

Joe Carrigan: Right.

Dave Bittner: -- from these hackers who were --

Joe Carrigan: Did she cooperate with the investigation to help them bust more hackers or anything?

Dave Bittner: You know, it's a good question. I don't know the answer to that. I know, you know, the police -- it was the large sums of money that were flowing through her bank account that made the bank take notice.

Joe Carrigan: Right.

Dave Bittner: And the bank reached out to law enforcement, and the law enforcement came and knocked on her door and said --

Joe Carrigan: What's going on here?

Dave Bittner: Yeah, we'd have to have a nice little friendly conversation with you. So I don't know. This article doesn't specifically say whether she cooperated. I would imagine that she did.

Joe Carrigan: Otherwise it wouldn't have had the outcome that it had. But it -- I think it's just an interesting sort of tale that's woven here. On the one hand, certainly, she was a victim. Right.

Dave Bittner: On the other hand, she did something that she certainly knew was wrong.

Joe Carrigan: Yeah. Agreed.

Dave Bittner: But the justice system here in Australia thought that there was extenuating circumstances and decided to go easy on her.

Joe Carrigan: I wonder how much she made while laundering money.

Dave Bittner: Actually, that was part of the story here. I'm glad you brought that up. They said that there was no evidence that she had directly benefited from this except, evidently, she spent $1,300 on a dental treatment.

Joe Carrigan: Huh.

Dave Bittner: So she wasn't taking anything off the top. It seems as though she -- the thing that was stringing her along was the hope that she would get her original sum of $600,000 back.

Joe Carrigan: I see. Okay.

Dave Bittner: You know? Which of course, you know, that money is long gone.

Joe Carrigan: Yes, yeah.

Dave Bittner: Any thoughts here, Joe?

Joe Carrigan: Yeah, it's interesting that she wasn't taking any money from this process. That's what makes me more okay with the light sentence, as if she wasn't profiting. If she had profited and made, you know, $600,000 or even more, then I'd be like, well, there's something else going on here.

Dave Bittner: Yeah.

Joe Carrigan: Right? But generally, when you're laundering money for somebody, you take a cut of that.

Dave Bittner: Right, right.

Joe Carrigan: You don't do that service for free.

Dave Bittner: Sure. It's something that has to happen this way. Maybe these guys were really coercive. Yeah.

Joe Carrigan: Or maybe they were just stringing her along, like you suggest and say, you know, when this is all over, you can have your $600,000 back.

Dave Bittner: Right, exactly.

Joe Carrigan: Yeah. If I'm, well, first off, I'm not going to do this, I hope. God, I hope I don't fall for this. But I'm going to want to see something up front, you know? I'm going to see -- want to see something from each transaction.

Dave Bittner: Yeah, it's interesting. It's a bit of a conundrum there too because, you know, she's -- if she were to demand money up front, then that changes the equation a bit.

Joe Carrigan: Right, of the sentencing, sure does.

Dave Bittner: Right, right.

Joe Carrigan: Right.

Dave Bittner: Right. So I don't know. I mean, maybe what she really should have done was gone to law enforcement right off the bat when this first came to pass.

Joe Carrigan: Yeah.

Dave Bittner: But, you know, she thought maybe there was a chance that she'd get that money back.

Joe Carrigan: Yeah, I'm smart. I can get this back.

Dave Bittner: Yeah, exactly, exactly. All right, that is my story this week. What do you have for us, Joe?

Joe Carrigan: Dave, my story comes from a listener named Doug, who is a host of a web page online, and that page gets around 15,000 page views a week.

Dave Bittner: Okay.

Joe Carrigan: So of course, hosting this blog cost Doug money. So he started an account with a company called Buy Me a Coffee. You ever heard of Buy Me a Coffee?

Dave Bittner: Yes, it does sound familiar.

Joe Carrigan: Micro-funding site, if you will.

Dave Bittner: Okay.

Joe Carrigan: They partner with a company called Stripe, which is a payment-processing company.

Dave Bittner: Sure.

Joe Carrigan: And when you have a Buy Me a Coffee account, they can either put money directly into your Stripe account, or they can put it in your bank account. Doug uses Stripe, which provides him with some interesting insights. And he got a few low-dollar transactions that failed on his Stripe account, and he sends five of them along in this email. Oddly, every single one of them was for $5, right? And Stripe provides a lot of information about these -- about these different decline transactions. Here's one where the status was not declined or failed, but actually called blocked. And it said you previously attempted to charge this card. When the customer's bank declined that payment, it directed Stripe to block future attempts. So Stripe doesn't even try that one anymore.

Dave Bittner: Oh okay.

Joe Carrigan: So apparently there's a way for these -- for these credit card processing companies to receive information from the issuing institution that says don't process this anymore.

Dave Bittner: Right.

Joe Carrigan: Which is good.

Dave Bittner: Yeah.

Joe Carrigan: I think.

Dave Bittner: Yeah.

Joe Carrigan: The next one that he sent along is one that came from a MasterCard credit card, and that one was just declined. This was from an address in Ecuador. And then finally, he sent one along from a MasterCard prepaid card from Kenya.

Dave Bittner: Huh.

Joe Carrigan: So these are coming from all over the world, which is really interesting. Doug notes some interesting points here, and one of the first points is that the email address of all of these people on this list were for women. They were -- they were feminine names.

Dave Bittner: Okay.

Joe Carrigan: And his site caters largely to a male audience. Now, 5% of his audience may be women.

Dave Bittner: Okay.

Joe Carrigan: But the majority of them are men.

Dave Bittner: Okay.

Joe Carrigan: So that's weird that women would want to support this, or at least 100% of women with the failed transactions would want to support this.

Dave Bittner: Right.

Joe Carrigan: It's kind of strange.

Dave Bittner: Yeah.

Joe Carrigan: All the emails are from Hotmail, Google, or Gmail -- or Yahoo or Gmail.

Dave Bittner: Right, okay.

Joe Carrigan: Right. So they're all disposable email addresses.

Dave Bittner: Right.

Joe Carrigan: And he notes that the countries of origin for these are Ecuador, Kenya, Israel, Bolivia, and the UAE, and that these countries don't typically have an audience that would be interested in his site.

Dave Bittner: Okay.

Joe Carrigan: So what Doug thinks is happening here is that someone is using his site and his Buy Me a Coffee account to test stolen credit card numbers. And once they have that test comes back positive, then, if they can -- if they can charge the -- or donate the money to Doug, then they can go out and sell this as a good credit card or, you know, they can use it themselves.

Dave Bittner: Right, right.

Joe Carrigan: I picked this story because it's an actual inside look from a kind of an adjacent victim.

Dave Bittner: Yeah.

Joe Carrigan: I mean, Doug's not really losing money here, but he is being used to test these kind of -- he's being used in this criminal enterprise. I'm sure he's not happy about that.

Dave Bittner: Right.

Joe Carrigan: And Buy Me a Coffee and Stripe are also involved in this. And they're also probably not happy with it. Kind of provides a glimpse into the underworld of how this works.

Dave Bittner: Yeah. Yeah, and it's not surprising. I mean, I think we've covered these sorts of stories before where these folks are out there testing out the credit cards, as you say.

Joe Carrigan: Right.

Dave Bittner: And they'll use -- I guess that's one of the things with having things be online. It's not like you have to walk into a store and swipe a card. How hard is it to find an online commerce site?

Joe Carrigan: Right, it's not hard at all.

Dave Bittner: No, and I guess what they're presuming here is that someone like Doug, who has a small business, literally a small business.

Joe Carrigan: Right.

Dave Bittner: Is using a small service provider that typically handles small payments. So a small payment isn't going to cause a red flag.

Joe Carrigan: Right. You might have $1 value set.

Dave Bittner: Right.

Joe Carrigan: So notify me anytime something above $10 happens.

Dave Bittner: Right.

Joe Carrigan: Right?

Dave Bittner: But even like --

Joe Carrigan: All my dollar values are set at 1.

Dave Bittner: Yeah, but like even the Buy Me a Coffee people.

Joe Carrigan: Let me know when there's any transaction.

Dave Bittner: You know, they're --

Joe Carrigan: Right.

Dave Bittner: -- $5 is probably a pretty common transaction value.

Joe Carrigan: Oh, absolutely.

Dave Bittner: Yeah.

Joe Carrigan: I would imagine that that gets lost in the shuffle. Another interesting thing is that there's no -- this is not something that requires you to wait around for a product, right? You're not buying something online. You're just giving somebody five bucks.

Dave Bittner: Yeah.

Joe Carrigan: Or maybe two bucks, whatever. You know, these micro-donation sites are a great way -- a great way to test these cards out.

Dave Bittner: Yeah.

Joe Carrigan: They're a tool that -- like I say all the time -- a tool can be used for good, or it can be used for evil. So here we are seeing it being used for evil.

Dave Bittner: Do you suppose this is something where they could just script it so that they're just spewing credit card numbers at sites like Doug's in an automated kind of way?

Joe Carrigan: I'll bet absolutely that it's scripted.

Dave Bittner: Yeah?

Joe Carrigan: Sure. Yeah, in fact, I'm almost certain that it is. If it wasn't scripted, that would be a huge waste of manual effort, you know, copying and pasting credit card numbers.

Dave Bittner: Yeah. Although there's certainly plenty of places where labor is cheap.

Joe Carrigan: Yes, indeed. That's the case.

Dave Bittner: Yeah.

Joe Carrigan: But usually those places are also populated with people who can program.

Dave Bittner: That's true.

Joe Carrigan: And they can write a Python script that will do this all day long.

Dave Bittner: Yeah. All right. Well, very interesting. And thank you, Doug, for sending that in. We do appreciate it. Joe, it is time for us to move on to our Catch of the Day. [ Music ]

Joe Carrigan: Dave, our Catch of the Day comes from Brandyon who writes, "Hi, Dave and Joe. I got this one yesterday. To put an ad on my car seemed sus, and you would have to pay me more than $600 to turn my car into an advertisement for you. Thank you for the great podcast." It was a text message, Dave.

Dave Bittner: Oh, okay.

Joe Carrigan: Yeah.

Dave Bittner: It says, "Hello, would you kindly permit Venom Energy Drink 10-inch logo or sticker on your bike, car, or truck and make $600 every week? Click the link to get started."

Joe Carrigan: And then there's a link to an office.com forms page. Dave, I would hereby like to offer my services to anybody that wants to pay me $600 a week to put a bumper sticker on my car about 10 inches long.

Dave Bittner: Sure. Who wouldn't?

Joe Carrigan: Who wouldn't, right?

Dave Bittner: Who wouldn't?

Joe Carrigan: This is almost certainly a scam.

Dave Bittner: Yeah.

Joe Carrigan: Because there are companies that will do this for you, but you will, first off, you'll never make $600 a week.

Dave Bittner: No.

Joe Carrigan: I looked around. You're going to make at most like $500 a month.

Dave Bittner: Oh, okay.

Joe Carrigan: Which is not chump change.

Dave Bittner: No.

Joe Carrigan: But your ad, the ad on your car, your car is going to be an advertisement.

Dave Bittner: Right, right.

Joe Carrigan: It's going to be huge. It's not going to be a 10-inch bumper sticker on your car.

Dave Bittner: No, I also -- I imagine those -- what are they called? The triangular ones you see on top of taxi cabs.

Joe Carrigan: Yes.

Dave Bittner: You know, that sort of thing.

Joe Carrigan: Yeah, it's going to be kind of like that.

Dave Bittner: That would make sense.

Joe Carrigan: That's actually going to be like all over your door, maybe even your window.

Dave Bittner: Right.

Joe Carrigan: You know, it's -- these things are huge. I see them frequently in Baltimore.

Dave Bittner: Oh, okay.

Joe Carrigan: And, you know, people are -- people have a -- have a side hustle.

Dave Bittner: Yeah.

Joe Carrigan: You know, they're doing this.

Dave Bittner: Yeah. Sure, if you're out there. I don't know. Let's say you were --

Joe Carrigan: An Uber driver.

Dave Bittner: -- an Uber driver. That's a great example, an Uber driver.

Joe Carrigan: Right.

Dave Bittner: Or I was going to say like a courier.

Joe Carrigan: Right.

Dave Bittner: You know, you're out -- you're out on the roads all day anyway. Why not make a little extra money?

Joe Carrigan: Yep.

Dave Bittner: With that?

Joe Carrigan: You make more money the more miles you drive.

Dave Bittner: Right, right.

Joe Carrigan: Would be best if you were a courier or an Uber driver.

Dave Bittner: Yeah. What do you suppose happens here if you try to follow through on that?

Joe Carrigan: That is a good question.

Dave Bittner: I have an idea.

Joe Carrigan: What's your idea?

Dave Bittner: Well, I'm going to guess that this is some kind of advanced fee scam, where they call and they say, listen, you're going to make $600 a week. All you need to do is pay $50 or $100 or whatever it's going to be --

Joe Carrigan: Right.

Dave Bittner: -- for the hardware that you're going to need to put on your car.

Joe Carrigan: Right.

Dave Bittner: Because we don't want to damage your car, Joe, so we're going to send you this special magnetic sign for $50, and then you'll be able to make $600 a week.

Joe Carrigan: Right. And then you send them the 50 bucks. You never hear from them again. Right, that's it. That could be it. I think that the information you enter in the form is probably also good. I didn't click on the link to the form. I didn't want, you know, in the event that this was some unique link, I didn't want them -- want to let the people know that Brandyon sent this to us or responded to the -- to the right link at all.

Dave Bittner: Right, right.

Joe Carrigan: So I didn't do that.

Dave Bittner: Yeah, we got a hot one, folks.

Joe Carrigan: Right.

Dave Bittner: Thanks to Joe. And that's when Brandyon stopped listening to "Hacking Humans."

Joe Carrigan: Right.

Dave Bittner: Because he spent all of his time deleting spam text messages. All right, very interesting. And thank you, Brandyon for sending that in. We do appreciate it. Again, you can email us. It's hackinghumans@n2k.com. [ Music ] Joe, I recently had the pleasure of speaking with Andrew Hendel. He is founder and CEO of an online dating site called Marshmallo. And they're taking a kind of interesting approach to online dating. I'd go so far as to say it's a niche approach.

Joe Carrigan: Yep.

Dave Bittner: And I think it's a really interesting run they're making at this. So here's my conversation with Andrew Hendel.

Andrew Hendel: There's a number of different online dating apps. I believe there's over 1,000, in fact. Some of the main ones that people may have heard of are Tinder or Bumble or Hinge. The dating apps all have a very big problem in that they don't do very much to identify users, and that's, in large part, why I created Marshmallo. Marshmallo is another dating app. There's lots out there. But what's different about it is that everybody has their government-issued ID checked. They have their selfie checked and their profile pictures checked. You literally can't post a picture of somebody that isn't yourself. In addition, we check over 300 government databases. There's 1 in all 50 US states, and we exclude over 700,000 registered sex offenders. According to FBI, over 1 in 10 registered sex offenders has an online -- a dating profile. They're not on Marshmallo.

Dave Bittner: Well, help me understand here for the other dating apps that are out there. It seems to me like by not being so particular about folks' identities, that decreases friction, and does that increase the number of users on their platform? Is that the rationale typically?

Andrew Hendel: Yeah, some of the dynamics they might focus on, onboarding users very quickly, there is some friction involved in checking people's IDs. There's also some cost involved in checking people's IDs. A lot of other dating apps, they might have a feature that's called verification, but it's not quite like what Marshmallo is doing. It might just involve somebody taking a selfie, and maybe they compare it only then and there to people's profile pictures to make sure they match. But then in the future, you can go ahead and upload, provide pictures of somebody that isn't yourself, and they'll still say that you're verified, even though you're representing you are -- or somebody other than what you actually look like. There's a number of things that people can do wrong. There's a number of reasons why people might want to catfish. People might be trying to scam you out of money. They may be insecure about how they look or how old they are. Or maybe, you know, they're doing something that's really harmful and trying to cover up and maybe even harm you.

Dave Bittner: You know, it's an interesting point about -- you remind me when you mentioned that, you know, folks will sometimes upload pictures that look younger than they are. I have jokingly suggested that everyone needs to have a best friend who lets them know when it's time to update their profile picture because I think we're all guilty of, you know, letting time go by, and suddenly that person in your profile picture doesn't really resemble you anymore. Is that a common problem here with a lot of the online dating platforms that what you see is not necessarily what you're going to get?

Andrew Hendel: People can post pictures of themselves that are 5, 10, 20 years younger than how old they actually are. They might be going on dates with people, and they might be much older than what they are representing. People might not be who they are representing themselves to be at all. Somebody might represent themselves to be a woman. They're not a woman. They might represent themselves to be a man who's completely different than who they actually are. There's some very real risks that come with meeting a stranger off of an app, and to deal with those risks is a very big part of why I started Marshmallo and why I think it's a very good experience for a lot of people because there are all these extra safeguards that are in place.

Dave Bittner: Well, let's dig into some of the details there. I mean, from your point of view, what are the responsibilities of the platform that provides this sort of service?

Andrew Hendel: You know, dating app, they should be verifying people's identities. They should be excluding registered sex offenders. They should be making sure that people aren't posting pictures of somebody other than themselves. The people that you're talking to online, they should be that actual person. They shouldn't be somebody else. I do think that those are all responsibilities of these dating apps. A lot of them in their terms and conditions, they'll say you can't be a sex offender and join our app, but they don't do anything to track, whereas Marshmallo, we check. We exclude those people.

Dave Bittner: Where do we stand with dating apps in terms of selling your information? You know, that's a really common way for online platforms to make some extra money. Is that rampant throughout the industry? Are they taking your personal information and providing that to advertisers, for example?

Andrew Hendel: I can't speak for other companies. I know that Tinder does advertise, but I can't speak for them. Marshmallo does not share anybody's information with anybody else, and we don't advertise at all.

Dave Bittner: What are some of the other sorts of online problems that you're trying to solve here with Marshmallo? I mean, what are some of the common issues that folks run into when they're using an online dating platform?

Andrew Hendel: So sometimes people will match and maybe one or the other person will have second thoughts about it. They might not be as interested as they thought they were initially, and the other party, they might send a message, not get a response, send another message, send message after message after message, maybe getting a little bit irritated that they're not getting a response. On Marshmallo, you can't double text unless you get a response. So if, you know, a man matches with a woman, the woman thinks twice about it, the guy can't message her over and over and over again. The idea is to prevent unwanted messaging and prevent some harassment before that happens in the first place.

Dave Bittner: Can you take us through some of the process here, as you were planning out the features you wanted to include here? I mean, what was the -- what was the rationale, and what was the process? It sounds as though you were very deliberate?

Andrew Hendel: Yes, you know, I have a younger sister. She's nine years my junior. I see some of the risks that she takes when she's going out. As you touched on earlier, she'll always text a friend where she's going when she's supposed to be back. There's a lot of precautions that people have to take these days when they're meeting somebody online. I wanted to create a safer online dating experience, one that took technology from the banking world. I have experience in financial services and use that technology to improve the safety for people in online dating.

Dave Bittner: And what are some of the technologies that you're using there? I mean, I mean, you mentioned the verifications. It strikes me that this presents a lot of upfront cost for you and your organization.

Andrew Hendel: There is a cost to checking people's IDs. Fortunately, with artificial intelligence, some of that cost has come down. Then the hope is that with more value being added to the network, we're verifying people's identities, their ages. We're excluding sex offenders. The goal is to then, you know, make some of that up in terms of lower support cost because we're not going to have fake users and maybe, you know, people be willing to pay a little bit more to participate in the app. It's a free app. Everybody can join for free. We don't charge anything to check IDs, but there -- we do have a freemium business model where people pay extra to get some extra filters that they can use to sort who they're looking for or to pay -- to buy super likes so they are preferentially shown to some people.

Dave Bittner: You know, it strikes me that this is a situation where folks are particularly vulnerable. You know, when they're out there, they're looking to start a relationship with someone. They're, you know, there's a certain emotional rawness that I think can come with that. What sort of recommendations do you have for folks who are starting this journey, who are looking to find someone they'll connect with, but, at the same time, you know, they want to do it safely.

Andrew Hendel: We have a number of safety tips that are on our website. They're not -- they're relevant for Marshmallo, relevant for any kind of dating app, or even any kind of dating experience. We have a list of tips for in-person dating as well. Some of the things that I think people should look for are a dating app that prioritizes user safety. It's always a good idea to keep personal information to yourself. On Marshmallo, we only share people's first initial. Your name is your business. If you want to share your name, you're welcome to do that. But we're not going to automatically just share your name. It's advisable not to send explicit photos. People can ask for explicit photos, and then you provide them, the other person might try to blackmail you with those photos or post them and embarrass you in some other fashion. It can be a good idea to video call first. Always good to take your time and ask questions. On a lot of dating apps, Marshmallo included, there's moderation that's involved in the text messaging. And what some people will try to do is they'll try to get people off the app right away and into another social network, where there might not be those precautions that are in place. Can be good to research your date. And then, you know, if anybody asks for money, that's always a big red flag. You shouldn't be giving money to anybody that you've not met in person.

Dave Bittner: What's been your experience so far as you've been, you know, spinning up this startup company and making a run at making a dent in the online dating world? How's it going?

Andrew Hendel: It's going well. We're hearing a lot of positive feedback from our users. There's been a lot of press interest. Recently, Tinder and Garbo, they split up. Tinder was doing these background checks through Garbo. That's no longer happening. With Marshmallo, we have, you know, verification that's in place, so you can be sure that people aren't a sex offender, mitigate some of the need for a background check. And we're hearing people really like that feature that's built into Marshmallo.

Dave Bittner: Suppose that, yeah, I was someone who was trying to get on to your service here and not say that I am who I am. You know, what would be the things that would catch me along the way there?

Andrew Hendel: You'd be caught right away. You have to give a government ID to join the app. We use the same technology provider that's used by major financial institutions. So if you're spoofing me and them, you're also going to be able to spoof banks. There's not a lot of people who are going to be that sophisticated. I've tried doing it with, you know, fake ID kind of created that was online, or, you know, people have tried to attack the system, and it's caught those attempts to attack the system. So you wouldn't be able to join without your actual driver's license. And then the next thing we do is we check your selfie. So that has to match your driver's license. You can't use a driver's license that's somebody else's. It has to be your own driver's license. And then when you go to put pictures on your profile, we use artificial intelligence to make sure that those pictures, they match your selfie and your government ID so that you can't post a picture of somebody else. I tried to post a picture of George Clooney. I think there was a resemblance. The app would not let me post that picture of George Clooney.

Dave Bittner: It must have been very disappointing for you, Andrew, right?

Andrew Hendel: Absolutely. [ Music ]

Dave Bittner: Joe, what do you think?

Joe Carrigan: Tons of dating apps there are.

Dave Bittner: Yeah.

Joe Carrigan: I mean, you can look them up all the time, and they're always changing. New ones are coming up for special niche markets.

Dave Bittner: Right.

Joe Carrigan: But this one, they're -- Marshmallo's niche is verification.

Dave Bittner: Right.

Joe Carrigan: Right, and they're using a lot of tools to make sure that you are who you say you are so that when it comes time to interact with somebody, you're much, much, much more likely to be talking to a real person.

Dave Bittner: Right.

Joe Carrigan: Right?

Dave Bittner: Right.

Joe Carrigan: Interesting about the 1 in 10 registered sex offenders having a dating profile.

Dave Bittner: Yeah.

Joe Carrigan: That was -- that was new information to me. I'd like to see where that came from. He said it came from the FBI. I could go down a rabbit hole on this, you know?

Dave Bittner: Have you ever looked up in your neighborhood to see --

Joe Carrigan: Oh, yeah, absolutely.

Dave Bittner: Yeah.

Joe Carrigan: I have kids. I want to know where the bad guys are.

Dave Bittner: Yeah, I mean, look, obviously nobody -- it's good that we have these lists, and everybody wants to be mindful of it. I will just say that there are things that can get you on the sex offenders list like public urination.

Joe Carrigan: Right.

Dave Bittner: That I think are, you know.

Joe Carrigan: Yeah.

Dave Bittner: Okay?

Joe Carrigan: How does that make you a sex offender?

Dave Bittner: Right.

Joe Carrigan: Right, it's not -- you're not a risk to somebody else.

Dave Bittner: Exactly.

Joe Carrigan: You just happen to relieve yourself in public.

Dave Bittner: Right, right.

Joe Carrigan: I don't know.

Dave Bittner: Yeah, yeah. At the same time, you know, I think it's good that we, as a community, it's good that we can have a list and check and be aware to see what's going on near us. I guess the only reason I bring that up is just be mindful to not pass judgment too quickly without getting the whole story.

Joe Carrigan: Right.

Dave Bittner: You know, before you bring down the hammer and try to have somebody run out of your neighborhood.

Joe Carrigan: Right.

Dave Bittner: Just because they're on the list, you know?

Joe Carrigan: Yeah.

Dave Bittner: Find out what happened.

Joe Carrigan: Right.

Dave Bittner: Oh, I'm sorry, that was a -- that was a bit of a tangent there.

Joe Carrigan: That's okay.

Dave Bittner: Let's get back to Andrew.

Joe Carrigan: I was going to talk about the percentage of people that's like 0.2% of people are registered sex offenders, so that means 0.2% of these people have dating profiles. I don't know what percentage that makes up of the dating population.

Dave Bittner: Yeah.

Joe Carrigan: But, according to Andrew, none of them are on Marshmallo.

Dave Bittner: There you go.

Joe Carrigan: Which I think that would be a selling point for me.

Dave Bittner: Right.

Joe Carrigan: A lot of dating apps have it in their terms and conditions that you can't be a registered sex offender and then don't do anything to verify it.

Dave Bittner: Yeah.

Joe Carrigan: Right, here we are with big tech again, moving fast and not being able to do things at scale.

Dave Bittner: Yeah, yeah. I mean, I think that's probably more to the legal department so that they have --

Joe Carrigan: Right.

Dave Bittner: -- plausible deniability should something go bad.

Joe Carrigan: Yeah. Well, we told those registered sex offenders to stay off our platform.

Dave Bittner: Right.

Joe Carrigan: He violated our terms and conditions. That's on him.

Dave Bittner: Right, exactly.

Joe Carrigan: Right. Yeah, I don't think that's going to -- if you -- if you're -- if you're somebody that has a dating site, and you're not take -- doing due diligence to keep sex offenders off your site and somebody gets harmed as a direct result of using your site, I don't think that's going to hold up very.

Dave Bittner: Yeah, who knows?

Joe Carrigan: I mean, especially now that there's a company like Marshmallo out there that just does it, right?

Dave Bittner: Yeah.

Joe Carrigan: That's another question for Ben, I would guess, though. We need to have him on call.

Dave Bittner: Sure, on speed dial.

Joe Carrigan: Right.

Dave Bittner: To answer our legal questions. Sure. That wouldn't be annoying to him at all.

Joe Carrigan: No. There are all kinds of bad reasons why people will be dishonest on dating platforms, right? It ranges from the, you know, the what we've been talking about here to just someone putting older pictures of themselves so they appear younger in their profile.

Dave Bittner: Right, right.

Joe Carrigan: Right? I like your point about having a friend that tells you when it's time to update your profile picture.

Dave Bittner: Right.

Joe Carrigan: Right?

Dave Bittner: Trusted friend.

Joe Carrigan: Might be time for me to update my profile pictures.

Dave Bittner: Right.

Joe Carrigan: Because my hair is a lot grayer than it used to be.

Dave Bittner: Yeah.

Joe Carrigan: Or maybe I don't want to do that. Who knows? But there's always some big risks involved with dating sites and dating in general. And there are some basic requirements, I think, for a dating app that should be in the system for safety. I like the no double texting. Right? You can't be harassed. I like the idea of not selling information. That would be good. These are more privacy concerns, as I -- as I go on. The double texting is more of a security concern.

Dave Bittner: Yeah.

Joe Carrigan: But no ads, I would like to see that as well. There is a cost to doing this verification upfront, but I think Andrew's point is 100% valid that when, down the road, you don't need to go hunting for these bad accounts because, up front, you verified every single account.

Dave Bittner: Right.

Joe Carrigan: So there is no use case where somebody says, "Hey, this account is fraudulent." I mean, I think at some point, there will be that use case. Somebody will get through the system, but those are going to be very few and far between.

Dave Bittner: Right.

Joe Carrigan: And that is going to be a huge cost savings. Safety tips for dating in -- on apps or anywhere, really. Keep your personal information private. I like what Andrew is talking about in how you can keep your religion private, unless the person shares a religion with you.

Dave Bittner: Right.

Joe Carrigan: I think that's a great idea.

Dave Bittner: Yeah.

Joe Carrigan: I think that's wonderful. And you can do that with political beliefs too.

Dave Bittner: Yep.

Joe Carrigan: That's fantastic. One of the big things, watch out for platform switches. This is one of the biggest red flags in any scam.

Dave Bittner: Right.

Joe Carrigan: Because -- and it doesn't matter where you are. It doesn't matter what you're talking. If you're on Facebook Marketplace, if you're on match.com, if you're on Craigslist, somebody starts saying we need to move over to Signal, or we need to move over to Telegram, you're done.

Dave Bittner: Yeah.

Joe Carrigan: You're done with the conversation.

Dave Bittner: Yeah.

Joe Carrigan: Because that's just how they're going to escape being hammered by those companies, getting the ban hammer, if you will.

Dave Bittner: Right.

Joe Carrigan: Don't provide explicit photos. I can't say this enough. I'm surprised that people still do it. But so many cases we've all heard of where this goes bad, even with people that you know and trust.

Dave Bittner: Right.

Joe Carrigan: Right? Down the road, you don't know how that's going to turn out. Don't do that. Don't send explicit photos to somebody.

Dave Bittner: Yeah. I mean, I -- yeah. I think that it's a good safety tip. At the same time, I'm careful not to pass judgment on people. You know, not to yuck someone's yum.

Joe Carrigan: No, I get it. I know why you're doing it, and it's --

Dave Bittner: Yeah.

Joe Carrigan: You know, and it maybe it's --

Dave Bittner: I guess it's just one of those things that if you're going to choose to do it --

Joe Carrigan: Right.

Dave Bittner: -- be extraordinarily careful.

Joe Carrigan: Extraordinarily selective.

Dave Bittner: And your care should be commensurate with the amount of risk that is involved here.

Joe Carrigan: Right.

Dave Bittner: And when you're -- if you're sending someone an explicit photo, the amount of risk is huge.

Joe Carrigan: Right. Just remember that there's always the chance that that is published one day --

Dave Bittner: Right.

Joe Carrigan: -- in an attempt to embarrass you.

Dave Bittner: Right, or leaked, you know?

Joe Carrigan: Or leaked, right.

Dave Bittner: Or out -- of out of control of either you or the person that you're sending it to.

Joe Carrigan: Yep.

Dave Bittner: It happens all the time.

Joe Carrigan: Yep.

Dave Bittner: So it's not that you don't trust the other person. You also have to trust --

Joe Carrigan: Everybody that touches that data along the way.

Dave Bittner: The people who own that platform or the people who may buy that platform in the future.

Joe Carrigan: Right.

Dave Bittner: Right?

Joe Carrigan: That's a good point.

Dave Bittner: Yeah.

Joe Carrigan: There's a lot of implicit trust there, and I just don't have that much implicit trust for anybody.

Dave Bittner: Right, right.

Joe Carrigan: I like Andrew's tip about having a video call. Have a video call with somebody. If they don't turn their camera on, and they give you some BS reason for the camera not being -- not working, or I don't have a camera or something like that, hang up. You're done. That's it.

Dave Bittner: Right, right.

Joe Carrigan: Chances are that's a scam. Everybody has a camera now.

Dave Bittner: That's true.

Joe Carrigan: Everybody has a camera now. If you're going to meet somebody in person, meet them in a public place, and drive your own car. That's another thing. Don't, you know, be ready to leave that area as soon as you need to. And here's a great thing. This happened recently with -- I can't remember who it was -- who it was, but somebody in my family was meeting somebody. And we said, "Do you need us to get a table at the restaurant? They don't know what we look like. We can be sitting there at another table, just in case things go a little bit weird. We'll be there."

Dave Bittner: Oh, okay.

Joe Carrigan: So if you have friends you trust, have them do that.

Dave Bittner: Right.

Joe Carrigan: Whoever you're meeting won't know who your friends are.

Dave Bittner: Yeah. Yeah, and I think it's pretty -- a pretty common tactic these days for someone to, again, be in touch with a trusted friend and say, "Hey, I'm going out on a blind date tonight."

Joe Carrigan: Right.

Dave Bittner: Or whatever, you know? If you don't hear from me, at this time, text me, and I'm going to use that as my excuse to get out of the date.

Joe Carrigan: Right.

Dave Bittner: Or something like that, right, but -- and that way, somebody knows where you're going. It's all those safety things that, sadly, are necessary these days, but you got to be safe out there.

Joe Carrigan: Yeah. We used to have a code word in college called the lizard woman.

Dave Bittner: Go on.

Joe Carrigan: So okay, here's how this worked. Because me and a group of my friends were all socially illiterate, socially not astute, we miss social cues.

Dave Bittner: Oh okay.

Joe Carrigan: A lot of us do.

Dave Bittner: Right.

Joe Carrigan: So we had this plan, that if we noticed that somebody in our social group was being hit on by somebody at a party, we would walk up and tap the person on the shoulder and say, "Hey, by the way, the lizard woman's here," right?

Dave Bittner: Oh, okay.

Joe Carrigan: That was the secret clue that you knew, okay, this person is -- has some kind of romantic and or maybe not romantic, but just infatuation, whatever.

Dave Bittner: Yeah.

Joe Carrigan: Some kind of attractive intent.

Dave Bittner: Right.

Joe Carrigan: You could respond in a couple of ways. You could say, really? I hadn't heard that. I'll have to -- I'll have to catch up with her. And that meant I didn't understand, thanks for the heads up.

Dave Bittner: Okay.

Joe Carrigan: Or, yeah, I saw her walk in. That meant I understand. I know what's going on. And the other one was, hey, she owes me money. Excuse me for a moment, and then you could walk away from the conversation.

Dave Bittner: Oh.

Joe Carrigan: If you were in the conversation, you didn't want to -- didn't want to be in it.

Dave Bittner: Okay.

Joe Carrigan: So you could actually walk away because of that -- because of this secret code word we had.

Dave Bittner: Okay. I'm just imagining like, over time, you know, all of the women in your friend group trying to figure out who the heck is the lizard, what, is it you? Is it me? I don't -- they keep mentioning this lizard woman. Has anybody seen her?

Joe Carrigan: Right.

Dave Bittner: No, but these -- no wonder these guys can't get a date, right? You know?

Joe Carrigan: Well, there were women that we would say this to as well. You know, women are our friends --

Dave Bittner: So they were in on it?

Joe Carrigan: Yeah.

Dave Bittner: This wasn't just a -- just a, you know, bro kind of thing.

Joe Carrigan: No, no.

Dave Bittner: Okay, all right.

Joe Carrigan: No, this was -- this was a lot of us.

Dave Bittner: Yeah, yeah. How'd that work out for you, Joe?

Joe Carrigan: Nobody ever told me the lizard woman was there. Probably because no women were ever expressing interest in me at a party.

Dave Bittner: Oh, you've been happily married for a long, long time now.

Joe Carrigan: I have, yeah. Yeah, and we didn't meet at a party.

Dave Bittner: So I'd say it's all's well that ends well.

Joe Carrigan: It is -- it is very good. I'm fine with it. I'm fine with the way things turned out.

Dave Bittner: There you go. All right. Well, again, our thanks to Andrew Hendel. He is the founder and CEO of Marshmallo. We appreciate him taking the time. When we have guests like this, who represent a company, I'm always -- I hesitate sometimes because I don't want it to sound like a commercial for their company, you know?

Joe Carrigan: Right.

Dave Bittner: Because in a way, we are promoting the company.

Joe Carrigan: Right.

Dave Bittner: But I think the flip side of that is when someone comes along with something that is a clever approach to something that we're all familiar with, and I think Marshmallo is doing this --

Joe Carrigan: Right.

Dave Bittner: -- I think it's worth talking about in that sort of framework. So apologies to our audience if it sounds like a little bit of an ad for Marshmallo. I don't intend for it to be that.

Joe Carrigan: Right. But they've got some real market differentiation.

Dave Bittner: Yeah, exactly, and it leads to a good conversation, I think, about some important things.

Joe Carrigan: Yeah, hopefully, other dating apps will pick this up.

Dave Bittner: Yeah. [ Music ] All right. Well, that is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. N2K's strategic workforce intelligence optimizes the value of your biggest investment -- your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.