Dave Bittner: [00:00:00] Hey, everybody. Dave here with a quick request. If you could leave us a review on whatever platform it is you listen to this show, it'll help spread the word and grow our audience. So please take a few minutes and share why you think this podcast is a valuable part of your day. Thanks. Here's the show.
Andrew Shikiar: [00:00:16] For strong authentication to really take root at scale, it needs to be easy for people to use.
Dave Bittner: [00:00:23] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:41] Hi, Dave.
Dave Bittner: [00:00:42] We've got some good stories to share this week. And later in the show, my conversation with Andrew Shikiar. He is executive director and chief marketing officer at the FIDO Alliance. And we're going to talk about why phishing and passwords remain such a big security problem and some of the potential options for doing away with passwords.
Dave Bittner: [00:01:00] But first, a word from our sponsors, KnowBe4. So what's a con game? It's a fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.
Dave Bittner: [00:01:35] And we are back. Joe, why don't you start things off for us this week?
Joe Carrigan: [00:01:38] Dave, this week, I found a really interesting article from Sophos. What Sophos did was they worked with a company called CipherTrace to track sextortion emails from September 1 of last year to January 31 of this year, 2020. And what CipherTrace does is they are a cryptocurrency tracking company. Their mission is to help banks with anti-money laundering operations because one of the big fears is that cryptocurrency can be used as money laundering. But CipherTrace takes a look at the block chain. And actually, one of the drawbacks of cryptocurrencies like Bitcoin is that it is a public ledger. So everybody can see where everything goes on the bitcoin blockchain. And CipherTrace capitalizes on that and helps banks make sure they're not helping criminals launder money.
Dave Bittner: [00:02:22] OK.
Joe Carrigan: [00:02:23] Sophos was tracking a - this sextortion scam. This is the scam where somebody says, hey, I got video of you while you were looking at this illicit site here, you know, and I've got some video of you doing some unsavory activities. And, oh, you have some weird tastes, they'll say.
Dave Bittner: [00:02:37] (Laughter) Right.
Joe Carrigan: [00:02:37] Oh, by the way, to prove it to you, here's your username and password, right?
Dave Bittner: [00:02:41] Right.
Joe Carrigan: [00:02:42] And it's a username and password or password from an old breach. It's just totally a scam.
Dave Bittner: [00:02:46] Yeah.
Joe Carrigan: [00:02:47] But these messages were so prolific that, at points in time during this campaign, from September to January, they were making up 4% to 20% of all spam traffic on the internet, right? It would range and it would peak in the percentage of spam traffic. And they have some great graphs in the article that you should go look at, and you can see how these spikes happen over time, and you can see when these scammers are sending out emails. Now, these emails themselves were actually very well-crafted to get by the spam filters. They did things like breaking up words with invisible random strings because a lot of email is done over HTML now. Almost all email is done with some kind of HTML.
Dave Bittner: [00:03:27] Right.
Joe Carrigan: [00:03:27] You can hide that string. But when a machine looks at it to analyze it for spam, it doesn't see the words that the human sees, right? So you and I would read it and understand the meaning, but because there's all this garbage text inserted that's not shown to the user, it doesn't work for spam filters.
Dave Bittner: [00:03:43] Interesting.
Joe Carrigan: [00:03:44] And the machines can't determine it's spam. They use some non-ASCII characters that - like Cyrillic letters - that are similar to English-language characters so that, again, you would see a letter, and it might be a rho or the Russian P - right? - the Cyrillic P, which is actually R in that language, but it looks like a P to you, and the spam filters couldn't determine that that was a word that contained a P. They'd think it was a word that contained the rho letter from the Cyrillic - I don't know if it's called a rho in Cyrillic. I know it's called a rho in Greek. So they would use a bunch of these obfuscation techniques, and sometimes they would actually include things in an image as well. So that's how they got by their spam filters to increase their penetration into the marketplace.
Joe Carrigan: [00:04:23] Over the course of this campaign, these actors used 50,000 bitcoin addresses, and only 261 of them received bitcoin during this timeframe, from September to the end of January. And the total amount of bitcoin they received was 51 bitcoin, or $473,000 - in the article. I don't know how they're calculating the value of bitcoin. I mean, that is such a wildly fluctuating value it doesn't...
Dave Bittner: [00:04:50] Yeah. Still, a lot of money.
Joe Carrigan: [00:04:51] This is a lot of money, right. These addresses would only be used briefly, about a 2.6-day average for a bitcoin address. So they were creating addresses and then deleting addresses or creating addresses and then not using them again. The article says that, as far as scams go and cyber operations go, malicious criminal cyber operations, this is a small payout of $473,000. But I don't take that stance. I agree with what you just said.
Dave Bittner: [00:05:19] (Laughter).
Joe Carrigan: [00:05:19] This is a big payout, OK? Because you look at it this way - the effort was minimal. This thing was probably minimally staffed. It may have been three or four guys, if that many. It's very inexpensive to pull off. Sending spam is cheap. Buying the email lists is cheap. Getting the information from these other marketplaces is cheap. And as the article points out, it requires very low skill, and there's no need to compromise a victim's computer. All you have to do is send an email to him and you've succeeded in the first step of this operation.
Joe Carrigan: [00:05:49] Now, on Twitter yesterday - and this is just anecdotal - but I noticed that there were a lot more of these sextortion emails going around. I was looking for the Catch of the Day and I see, like, sextortion email after sextortion email tweet yesterday, and they're all from yesterday. And I'm sitting there thinking myself, did somebody else read this article and go, huh, those guys made half-a-million dollars.
Dave Bittner: [00:06:10] (Laughter) Right. Right.
Joe Carrigan: [00:06:12] And now - because this article came out a couple of days ago, and I'm thinking there are people out there going, well, we should do this, too. I don't know how effective it will be in the future. Anyway, that's just me speculating wildly.
Dave Bittner: [00:06:25] The folks who are trying to track this money down - it's my understanding that there are services within this cryptocurrency world that will sort of mix your money with other money to try to...
Joe Carrigan: [00:06:37] Yeah.
Dave Bittner: [00:06:37] ...Make it harder to track where the money goes.
Joe Carrigan: [00:06:39] Actually, that's the next point - is what did they do with their money? And this article has a really great series of graphics. And CipherTrace has done a really good job of showing you where the money went because, like I said, if it's Bitcoin, it goes on the public ledger. And they found that about 10% of the money went to carding sites and other criminal marketplaces, right? So if you have money that you've gotten from criminal activities, it is absolutely no problem to spend that money on other criminal activities, right?
Dave Bittner: [00:07:07] Oh, I see.
Joe Carrigan: [00:07:07] And drug dealers have absolutely no problem giving another drug dealer $5 million. They don't have to launder that. They just go, oh, you want $5 million? Here. Here's $5 million dollars, and give me whatever drugs you want, right?
Dave Bittner: [00:07:18] Right. Right.
Joe Carrigan: [00:07:18] It's not a problem. The problem is when you want to use it. Here's something I found really, really interesting in this article or in the trace. Forty-four percent of the Bitcoin they collected went to exchanges. Now, an exchange is, essentially, something where anybody can keep cryptocurrencies, right? So you can go out to an exchange and open up an account, but the problem with these exchanges - or not really the problem but one of the things with these exchanges is if they want to operate legally, they have certain identification requirements. You have to prove you are who you say you are. And 44% of this money went into those kind of exchanges.
Joe Carrigan: [00:07:51] Now, 15% went into what the article classifies as high-risk exchanges. This is exchange where you don't have to provide your identification. Now, it's classified as high-risk because the people who operate the exchange may very well be planning on pulling an exit scam, which is where they essentially take all the money and just disappear. That's their goal. So that's why they're classified as high-risk, and only 15% of the money went to these exchanges.
Joe Carrigan: [00:08:18] And the rest of the money went to a variety of places, including some that went to dark market. It was a surprisingly low number that went to these Bitcoin tumblers. These Bitcoin tumblers, what you're talking about where they throw their money in there, and they just start mixing it up with other money, and then it comes out - I really don't think that that's a good way to hide money anymore. I don't - I think that companies like CipherTrace might do a good job of identifying what goes in and what comes out.
Dave Bittner: [00:08:43] Well, let me ask you this. If 44% of this money is going to exchanges and exchanges have reporting requirements...
Joe Carrigan: [00:08:50] Right.
Dave Bittner: [00:08:50] Wouldn't that mean that law enforcement would be able to swoop in and figure out who these folks are?
Joe Carrigan: [00:08:55] I think it may very well mean that. A lot of that money could be seized, or that money - or those people could be identified. There might be some plausible deniability. I don't know.
Dave Bittner: [00:09:04] Yeah. But they - maybe they're just in a place where they don't care about that. Their...
Joe Carrigan: [00:09:09] Right. Yeah.
Dave Bittner: [00:09:09] You know, their local law enforcement doesn't cooperate with international law enforcement, and so there...
Joe Carrigan: [00:09:14] It could be that as well.
Dave Bittner: [00:09:15] Yeah.
Joe Carrigan: [00:09:15] It could be that they're putting bitcoin into an exchange to exchange it for something like Zcash, which has anonymous transactions - right? - which you can do. You can change one cryptocurrency for another and then push it out of the exchange, and it's gone. And nobody will ever see it again. Interestingly enough, some of this money went to gambling sites, right? Two percent went to gambling sites. So these guys like to gamble online. And 11% went to private wallets, which is a wallet that somebody has set up on their own machine.
Dave Bittner: [00:09:43] I see.
Joe Carrigan: [00:09:44] If any of the wallets had IP addresses associated with them, all of those IP addresses were protected by VPNs, or they were associated with Tor exit nodes. So...
Dave Bittner: [00:09:53] Oh.
Joe Carrigan: [00:09:53] There is no way to identify, to geolocate these IP addresses because they came out the Tor network or VPN. I think this article is fascinating. I don't know. It doesn't have a really big social engineering component other than the source of the money, but I am absolutely fascinated by the concept of money laundering and how it works.
Dave Bittner: [00:10:10] Interesting stuff - so yeah, hats off to the folks over at Sophos and the team at CipherTrace for collaborating on this.
Joe Carrigan: [00:10:17] Yeah, it was good work.
Dave Bittner: [00:10:18] Yeah.
Joe Carrigan: [00:10:19] Check the article out.
Dave Bittner: [00:10:20] All right - good stuff. Well, my story this week comes from KrebsOnSecurity, Brian Krebs' well-known and well-respected online news publication. And this is titled, "When In Doubt: Hang Up, Look Up, And Call Back."
Joe Carrigan: [00:10:35] That's right.
Dave Bittner: [00:10:36] This story traces someone who is tech-savvy who got taken for around $10,000. There is mostly a happy ending. He ends up getting most of the money back. But it's really a cautionary tale that this person thought he was doing everything right and speaks to some of the sophistication of the bad guys here, of how they lead someone along. So this person got a phone call from someone who claimed to be from his financial institution, and they called him and said that they had detected fraud on his account. The caller ID from the call matched the phone number that was printed on the back of his debit card.
Joe Carrigan: [00:11:11] Right.
Dave Bittner: [00:11:11] But, again, this person being savvy, being someone who actually knows a thing or two about security, logged on to his online bank account ledger and found that, sure enough, there were some small charges that were on his card that he had not done - withdrawals from his debit card, under a hundred bucks each. But there were also a couple of withdrawals - a few hundred dollars - from a ATM in Florida. Now, one of the things that this person thought was that if this was someone who was trying to commit fraud, they would likely ask for personal information, and the person on the phone did not ask for any personal information. This person just said that the bank was going to reverse the charges and they would be sending a new debit card via express mail. And so this - the person who was being scammed thanked the customer service person on the other line and hung up.
Dave Bittner: [00:12:04] So the next day, this person gets another call about some more suspected fraud on the bank account. And this time, more of the alarm bells were going off. So he decided to call his bank's customer service department, and this is something that, you know, you and I have said many, many times.
Joe Carrigan: [00:12:22] Right.
Dave Bittner: [00:12:23] Right? Rather than take the call, you know, hang up. Call the number that you have, the number you know is correct. (Laughter) Not necessarily the number you Google, right? Like, go to the...
Joe Carrigan: [00:12:33] Or the number that's on the back of your debit card, in this case.
Dave Bittner: [00:12:35] Right, right. Exactly. So what he decides to do is keep the customer service person - the alleged customer service person on the phone on one line - put that person on hold - and call the bank at the same time.
Joe Carrigan: [00:12:48] Right.
Dave Bittner: [00:12:48] Now, in the past, his financial institution had verified his identity over the phone by sending him a code on his cell phone number - basically, a verification code...
Joe Carrigan: [00:12:59] Right.
Dave Bittner: [00:13:00] ...Saying, OK, to make sure this is you, we're going to send you this code; read back the code. OK?
Joe Carrigan: [00:13:04] Yep.
Dave Bittner: [00:13:05] So that's what happened with the original person who had called him. They said, we're going to send you a code; please read back the code.
Joe Carrigan: [00:13:17] Really?
Dave Bittner: [00:13:18] Yeah. So he gets...
Joe Carrigan: [00:13:18] So the first person sent him a code. The scammer...
Dave Bittner: [00:13:20] First person sent him a code - who is the scammer - sent him the code.
Joe Carrigan: [00:13:25] OK.
Dave Bittner: [00:13:25] So he gets the code. Again, this is nothing out of the ordinary.
Joe Carrigan: [00:13:28] Right.
Dave Bittner: [00:13:28] This has happened before. He reads back...
Joe Carrigan: [00:13:30] It's easy enough to do.
Dave Bittner: [00:13:31] He reads back the code. The person on the other end is assuring him that he won't have to pay any of the phony charges. He checked his account over the next few days, and nothing bad had happened. The weekend goes by. And then on Monday, he logs into his account and he sees that $9,800 had been wire transferred out of his account, so he calls his financial institution.
Joe Carrigan: [00:13:55] Oh, I see.
Dave Bittner: [00:13:55] He gets put through to their fraud department. What do you think happened here, Joe? You want to make a guess?
Joe Carrigan: [00:14:02] Yeah. Let me see what happened here. So I don't know how they got the - they had his username and password or they were on the phone with his bank. The scammers were also on the phone with his bank looking to do - try to do a wire transfer impersonating him.
Dave Bittner: [00:14:17] Right.
Joe Carrigan: [00:14:17] So they call him. And they say, we're going to send you a text message. You know, we're from the fraud department. We're going to send you a text message. And then - it's essentially a man-in-the-middle attack from what I'm seeing, Dave. The bad guy calls his bank impersonating him and also, at the same time, calls him and says, we're - we've notice some fraudulent activity. We're going to send you a code. Then the bank says to the bad guy, in order to do this wire transfer and make sure it's you, we're going to send you a code. And then the bank customer gets the code and gives it to who he thinks is the fraud department, but that guy just turns around and gives it back to the bank and that authorizes the transaction.
Dave Bittner: [00:14:54] Yep. Yep. That is exactly right. That is - (laughter) that is - that is exactly what happened.
Joe Carrigan: [00:14:59] Right. OK.
Dave Bittner: [00:15:00] And they also - they speculate that, probably, this all began when his debit card and PIN number were skimmed at a gas pump or something like that.
Joe Carrigan: [00:15:12] OK. So...
Dave Bittner: [00:15:13] And that's probably...
Joe Carrigan: [00:15:13] So he got his debit card skimmed, and that's he's seeing the fraudulent transactions.
Dave Bittner: [00:15:18] Correct. Correct.
Joe Carrigan: [00:15:19] Interesting.
Dave Bittner: [00:15:20] Yeah, yeah. Another interesting point here is that the scammers had also called his bank and told them that he was going to be traveling, that he was going to be in Florida on vacation so that when the bank saw that these charges were coming from Florida, which is where the scammers were...
Joe Carrigan: [00:15:40] Right.
Dave Bittner: [00:15:40] ...It didn't raise any red flags because they had been warned ahead of time that he was going to be traveling.
Joe Carrigan: [00:15:46] Interesting.
Dave Bittner: [00:15:47] Yeah, yeah.
Joe Carrigan: [00:15:47] Interesting.
Dave Bittner: [00:15:48] So these people knew what they were doing.
Joe Carrigan: [00:15:51] That is a very elaborate scam.
Dave Bittner: [00:15:53] It is.
Joe Carrigan: [00:15:54] That is remarkably good from an - a level-of-effort standpoint. I mean, these guys have more thought and savvy than the guys in my story do. Right?
Dave Bittner: [00:16:03] Yeah, yeah. And how interesting that just getting a few hundred dollars at a time from a stolen credit card wasn't enough for them - they decided to take it to the next level and had some success there.
Joe Carrigan: [00:16:14] Yeah. Well - and how much of the money did he get back?
Dave Bittner: [00:16:17] Pretty much all of it.
Joe Carrigan: [00:16:18] OK.
Dave Bittner: [00:16:18] In fact, I think he did get all of it. The story here says that the bank was able to claw back the wire payment before it went through. And the bank also gave him back the money that had been stolen over the - you know, the smaller amounts that had been stolen from his debit card. So it seems as though he was made whole. One of the other things the fraudsters did to keep from raising attention with the bank is they opened an account in the victim's name at another financial institution. And that's where they were transferring the large amount of money to.
Joe Carrigan: [00:16:51] Oh, wow. OK.
Dave Bittner: [00:16:52] So to his bank, they would see a transaction going from the victim to the victim. Same name - right? - same information. So that doesn't raise as much of a red flag as it would if it were a large amount of money just - you know, it just doesn't receive the amount of scrutiny that it would. And one of the things that Brian Krebs points out in the article is that if this person had placed a security freeze on his credit file with the consumer credit bureaus, the fraudsters would have had a much harder time opening the account in his name...
Joe Carrigan: [00:17:22] Yeah.
Dave Bittner: [00:17:23] ...Because - they wouldn't have been able to do that. That would have flagged that there.
Joe Carrigan: [00:17:27] That's right. Yep. That would have stopped that from happening. But the title of the article is "When in Doubt: Hang Up, Look Up, & Call Back." The one thing I don't like about that title is when in doubt. I say always hang up, look up and call back...
Dave Bittner: [00:17:42] (Laughter).
Joe Carrigan: [00:17:42] ...Because this guy had absolutely no reason to doubt what was going on.
Dave Bittner: [00:17:48] Right.
Joe Carrigan: [00:17:48] This scam is so well-crafted that this doesn't raise any red flags. Hey, your bank security department is calling you to talk about some fraudulent activity, and then you log into your bank - your actual bank account and you see fraudulent activity happening. In the process, they say, OK, we're going to send you a code and read the code back. I mean 'cause now they've told you something that is verifiably true.
Dave Bittner: [00:18:09] Right.
Joe Carrigan: [00:18:09] Right? Read the code. OK, here's the code. Well, that code enables them to transfer this money out to an account that is named in your name that they control.
Dave Bittner: [00:18:18] Yeah. So from your point of view, everything is running the way you would expect it to, the way that you've experienced it in the past.
Joe Carrigan: [00:18:24] Exactly. And this could have been stopped just by a phone call saying, look, I don't give this kind of information out; I'm going to call you right back. And then hang up and then dial that number on the back of your credit card and say, I need to talk to the security and fraud department.
Dave Bittner: [00:18:36] Right.
Joe Carrigan: [00:18:37] That would stop it...
Dave Bittner: [00:18:38] Yeah.
Joe Carrigan: [00:18:38] ...Because they can spoof the number from the bank pretty easily, right? But they can't reroute that call very easily.
Dave Bittner: [00:18:44] Right.
Joe Carrigan: [00:18:45] I'm sure it can be done. I don't know how.
Dave Bittner: [00:18:46] (Laughter).
Joe Carrigan: [00:18:47] But they have to intercept the number.
Dave Bittner: [00:18:48] Right. Right. All right. Well, again, that's from Brian Krebs's website. That's Krebs on Security. So do check that out. We'll have a link in the show notes. That is my story this week. It is time to move on to our Catch of the Day.
0:19:01:(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:19:04] Our Catch of the Day comes from Twitter user Necronomicon - @necr0nomicon on Twitter, except the first O is a 0, a coy zero, if you will.
Dave Bittner: [00:19:17] So - and this is one of the many coronavirus scams that we're seeing here. This particular one is requesting donations from Medicare Australia. And, Joe, you know what that means.
Joe Carrigan: [00:19:30] Yes, I do, Dave.
Joe Carrigan: [00:19:34] The master of dialects, Dave Bittner.
Dave Bittner: [00:19:35] (Laughter). It goes like this. (Imitating Australian accent) This is a nationwide appeal in efforts against coronavirus COVID-19. We're experiencing a high demand for our services due to coronavirus and the extra financial assistance to population. But financial resources are limited. The Medicare partners are looking for individuals who can support in the purchase of medical equipment and supplies, mental health support and welfare initiatives to support staff and more, not just now but in the weeks and months to come.
Dave Bittner: [00:20:04] Boy, this is - I'm losing the thread here.
Dave Bittner: [00:20:08] That's all right. It's all right. I'll keep going.
Joe Carrigan: [00:20:10] OK.
Dave Bittner: [00:20:11] (Imitating Australian accent) This is part of the government's response to coronavirus COVID-19. During this time of crisis, the Medicare will be there for you and your family. Now it's time to support all the Medicare staff providing that excellent care and say thank you. Please make a nominal donation aid in this crucial fight. Monthly financial reports will be provided to all our supporters in order to track the expenditures of every dollar spent in this fight against COVID-19. You can also do your part in saving lives by staying home. Stay at home. Only go outside for food, health reasons to work but only if you cannot work from home. Stay two meters away from other people.
Dave Bittner: [00:20:49] It's metric, Joe. They use metric over there.
Joe Carrigan: [00:20:51] Right. Yes, they do.
Dave Bittner: [00:20:51] (Imitating Australian accent) Wash your hands as soon as you get home. Donations made via bank transfer Medicare Australia.
Dave Bittner: [00:20:59] Gosh, it's - I can - it's almost as if we're there, Joe.
Joe Carrigan: [00:21:01] Right.
Dave Bittner: [00:21:01] I can just - I can see - I just see koala bears and kangaroos (laughter).
Joe Carrigan: [00:21:10] Yup, wallabies.
Dave Bittner: [00:21:11] Wallabies, yes.
Joe Carrigan: [00:21:11] Tasmanian devils.
Dave Bittner: [00:21:13] Mmm hmm. What are the deadly snakes they have over there?
Joe Carrigan: [00:21:15] All of them.
Dave Bittner: [00:21:15] Well, they have all the deadly snakes over there.
Joe Carrigan: [00:21:18] They have all the deadly snakes.
Dave Bittner: [00:21:18] (Laughter).
Joe Carrigan: [00:21:18] And spiders.
Dave Bittner: [00:21:18] Yeah. It's the continent that most wants to kill you.
Joe Carrigan: [00:21:21] Right.
Dave Bittner: [00:21:22] So - and probably after hearing my accent, everyone over there wants to kill me.
Joe Carrigan: [00:21:28] (Laughter) That's probably correct.
Dave Bittner: [00:21:33] All right. Well, unfortunately, a pretty obvious scam here. The money that these folks are requesting is not going to go to Medicare Australia. It's going to go to the scammers.
Joe Carrigan: [00:21:42] Yeah.
Dave Bittner: [00:21:42] So if you - when you see these things coming through - and there are a lot of them these days...
Joe Carrigan: [00:21:46] Right.
Dave Bittner: [00:21:47] ...Do double check them - should get in direct contact with these organizations. Don't click through and just provide money online because you never know who it's going to. And these days, there's a good chance that it's a scam.
Joe Carrigan: [00:21:59] Yes.
Dave Bittner: [00:22:00] All right. Well, coming up next, my conversation with Andrew Shikiar. He is the executive director at the FIDO Alliance. And we're going to be talking about phishing and passwords and some of the options that are available for doing away with passwords altogether. But first, a word from our sponsors at KnowBe4.
Dave Bittner: [00:22:18] And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that, they need to recognize phishing emails, of course, but they also need to understand that they can be hooked by voice calls. This is known by vishing or by SMS texts, which people call smishing. See how your security culture stacks up against KnowBe4's free test. Get it at it knowbe4.com/phishtest. That's knowbe4.com/phishtest.
Dave Bittner: [00:23:05] And we are back. Joe, I recently had the pleasure of speaking with Andrew Shikiar. He is the executive director of the FIDO Alliance. And we're going to be talking about phishing and passwords, why they remain a huge security problem and some of the options for doing away with passwords altogether. Here's my conversation with Andrew Shikiar.
Andrew Shikiar: [00:23:24] Historically, we've always relied on passwords. I mean, even predating computers - right? - I mean, passwords were a way of sharing knowledge. And they're based on what we call shared secrets, right? If you want to access something, I might hold the secret code to that. I - demand the secret code for me. You give it to me. Then I'll share information - right? - even in an offline, you know, scenario - old school. And our computer system's been set up the same way, right? Shared secrets where a server instead of an individual. A server holds that secret, the password. And then to access anything on that server, you have to provide the password. And once you provide that, you're given access to whatever that information may be. And that's how passwords work. They're very simple. The problem with passwords is that anything that sits on a server, you know, can be spoofed, can be stolen, and it will be stolen, as we've seen with the never-ending litany of data breaches that happen out there.
Andrew Shikiar: [00:24:19] So as a result, the industry has tried to move forward beyond, you know, just passwords to other forms of multi-factor authentication and easier forms of user authentication. Multi-factor authentication, of course, means having more than one way - you know, a second layer of authentication. So typically when it comes to authentication, there's kind of three key criteria. It's what you know - like a password - what you have in your possession - so proving that you're actually holding on to something - or the third one being, you know, who you are - so inherent, so something specific to you like a biometric.
Andrew Shikiar: [00:24:52] A lot of multi-factor authentication, you know, over the - it's not new - over the past decade or so has focused on a second factor device in your hand. So those who were in the enterprise will, you know, remember using RSA tokens or dedicated hardware tokens that have a rotating list of numbers or characters that you need to enter to, say, access a VPN or access some sort of system resource. You know, those have always been effective. But they don't scale terribly well. And ultimately, you know those codes are also sitting somewhere on a server, where they can still be stolen by a hacker through what we call a man in the middle or a replay attack. That's another kind of factor of a shared secret, if you will. That that's traditional MFA.
Andrew Shikiar: [00:25:35] The other way of proving possession - and more and more recently - is just, you know, being able to validate that you're in front of a device. And that's where we have things like - we call them security keys - popularized by companies such as Yubico and Google and Feitian and many more. These are more simple devices, frankly, where you just have to touch the device in your possession to prove that it is you in possession of that device on top of entering a password. And then more recently, I think that, you know, a popular form of authentication is biometrics. That's been popularized on leading handsets, through things like touch ID, face ID on iPhones, a variety of mechanisms on Android phones. And that is a, you know, very strong way of proving that, you know, you are both A, in possession device and B, that you are you - something unique to that individual. There's two factors actually in one gesture there with biometrics. And so we're seeing that become a more and more popular means of authenticating users to services, particularly mobile services on mobile handsets.
Andrew Shikiar: [00:26:39] But more recently, we're seeing this biometrics being built into PCs and netbooks. So entire authentication platforms, like Windows Hello for Microsoft, which is available on any Windows 10 PC, leverages, you know, device biometrics to allow users to authenticate rather than being dependent on a password.
Dave Bittner: [00:26:59] And what are the limitations of the systems we have in place today? How are they inadequate as we go forward?
Andrew Shikiar: [00:27:07] The key challenge we have today is a centralized means of authentication - right? - so this idea of shared secret authentication. That does not meet anyone's means going forward because that's what's been at the root of so many data breaches and phishing attacks and things like that, right? So FIDO Alliance itself was formed to - really to solve the data breach problem. And the tip of that spear are passwords, right? Passwords lead to, you know, the vast majority of data breaches, either by a password, you know, being hacked that provides access to system resources, or someone's phished and is spooked into providing access, or, you know, passwords are sitting on a server somewhere that gets stolen that provides, you know, access to even more sensitive data. You know, so the problem is this entire, you know, model of authentication, which is entirely unsuitable and not fit for purpose for, you know, today's economy, tomorrow's economy. And so what we really need to do is move beyond this model of depending on the server-side shared secrets, you know, most notably passwords.
Dave Bittner: [00:28:07] And so what do you propose going forward?
Andrew Shikiar: [00:28:10] So what FIDO allows you to do is leverage - is something called asymmetric public-key cryptography, which is obviously a mouthful, intentionally a mouthful.
Dave Bittner: [00:28:19] (Laughter).
Andrew Shikiar: [00:28:19] But it's public-key cryptography. Just because it's a mouthful doesn't mean it's hard to use. In fact, it's very easy to use. What this does is it introduces the concept of something called an authenticator, which is both a concept and a thing. And that sits between, you know, the user and the server. And even that's making it more confusing than it needs to be. It basically means using the devices in your hands today, all right? So I can authenticate locally to - you know, I'm looking at my desk right now. I have an iPhone and a Lenovo ThinkPad. I can authenticate to either one of those and have them basically serve as the intermediary to the service itself.
Andrew Shikiar: [00:28:53] What happens is I have a - what's called a key pair. I think this is a virtual key pair - that's created when you're using public-key cryptography - on the server, from a service provider instead of storing a password, all they store now is a public key. And then what's stored in my device is what's called a private key. I need to activate that private key. So I need to touch my device or look at my device or even use, like, a local pin all on my device to activate that private key. And then it matches with the public key on the server. And that's the way I can log into things, right? That sounds, you know, very complex, but it's very easy. What's now sitting on the server are public keys - right? - which is just, you know, a hash piece of code that has no material value to hackers, right?
Andrew Shikiar: [00:29:38] So even if and when, you know, a data breach happens, you know, what won't happen is a hacker harvesting these credentials and reselling them on the dark web, which is what happens today, right? I just was reading an article yesterday about, you know, half a million, you know, Zoom username credentials are available on the dark web. So, you know, really whatever you want to find, you can you can find there because these things have been hacked. They're in the public domain. And it's a self-perpetuating problem. And the only way to stop the cycle, only way to break the cycle is to break the dependence on server-side shared secrets - passwords and also OTPs and other things like that.
Dave Bittner: [00:30:19] So help me understand how this is different from a username and password combination. In other words, my - you know, my username's stored on the remote server, and my password is something that I have in my possession. How is what you're describing here - the public key - is not the username, and the - my private key is not my password?
Andrew Shikiar: [00:30:39] The equivalent in your analogy would be the password being the public key and the username being the private key.
Dave Bittner: [00:30:45] OK.
Andrew Shikiar: [00:30:46] That's loosely the analogy. The difference is that - OK, let's play that scenario. So the password's sitting on a server, right? And usually, the username's somehow associated with it, and all that information is sitting on a server. So when there's a data breach - right? - so say, the Yahoo data breach, which happened several years ago now - 3 billion credentials are stolen. Most of those - you know, speaking for myself, I don't really have anything of material value - or I didn't - on the Yahoo network at that point. In fact, what was most valuable there was that username-password combination because what happens is people then go and take that combination. They can steal - they can buy them on the dark web for pennies. And programmatically, hackers will go to every single website of any sort of value and try to stuff that username-password combination into a site to see if they can access it in hope...
Dave Bittner: [00:31:38] I see.
Andrew Shikiar: [00:31:39] ...That they can, you know, have success and then, you know, cause all sorts of, you know, damage to me. And that credential-stuffing activity is quietly, you know, a massive, massive problem, right? So in the U.S., you know, upwards of 90% - 80 to 90% of attempted logins to e-commerce sites are stuffed attempts - stuffing attempts, right? And that costs $5 billion a year to U.S. businesses based on successful credential-stuffing attacks. That's just from the fraud costs alone because 2% of these attempts are successful - right? - which is a crazy number. It's a very high number. So the damage there - so going back to what's the difference, the difference is that if someone, you know, goes - somehow steals a public key, there's no value to that, right? You can't, you know, reuse a private and public key pair on any other site, and the public key itself has no material value.
Dave Bittner: [00:32:32] I see.
Andrew Shikiar: [00:32:33] So you really need to break the cycle. You need to take away the server-side, you know, password and using password credentials to stop this cycle. And the good news is as biometrics on handsets have really taken off, people have gotten accustomed to, you know, doing things like using your finger or your face to unlock a device, which was, you know - was a new concept, you know, only five years ago, right?
Dave Bittner: [00:32:56] Right.
Andrew Shikiar: [00:32:56] I mean, Touch ID for the first time had - you know, Apple did the industry a great service by educating them on the benefits of touch. You know, the leaps that people need to make and will be making is that - what used to mean unlock now means log in, and those are the types of things that we want to enable if you're using, you know, biometrics on a device.
Dave Bittner: [00:33:13] And how do you envision this transition taking place, the switchover over time?
Andrew Shikiar: [00:33:18] There is a education and kind of a behavior modification change that needs to happen, and I think we're well aware of that. The good news is that, again, I think that the precedent has been set for people to adapt to easier unlock, and we think that people will do so for easier login as well. Now, there's some more nuance to these cases as well, right? So other things you can do is, say, use your phone to unlock your PC or use your phone to authenticate a transaction on your PC. These are all things that are enabled by our specifications and by public-key cryptography in general.
Andrew Shikiar: [00:33:52] And so I think the more, you know, advanced, things will take people a while to get used to. But generally, people are attracted to ease of use, and that's a key thing that Fido, at least, is trying to do with our, you know, authentication specifications - is make logging in not just more secure but also easier, all right? In fact, our tagline is simpler, stronger authentication because one thing, you know, data shows is that if something is too hard for people to use, they won't use it, right? So...
Dave Bittner: [00:34:18] Yeah.
Andrew Shikiar: [00:34:18] Traditional opt-in rates for multi-factor authentication - right? - opt-in rates for things like really complex PKI or even the dedicated OTP tokens I was talking about - you know, their success rate's very low because people stop using it because it's too hard. So if it's too hard, I'm not going to use it. So for strong authentication to really take root at scale, it needs to be easy for people to use, and that's what we're trying to do, right?
Andrew Shikiar: [00:34:43] So let me give you some examples. Actually, let's give you some other data points. So the challenges of passwords - you know, if you ask them if they like passwords, some will say they like it because you're used to it. But ultimately, passwords cause barriers. You know, we've seen data that shows up to 50% of shopping cart abandonments are due to, you know, people and password issues, right? So I go to a store. I browse around. I put something in my cart. I'm there to - ready to make my impulse buy, and, oh, shoot. I don't have my password, right? And that stops you from making that transaction. This happens with high frequency, right? It's just one more barrier to someone, you know, doing something.
Andrew Shikiar: [00:35:19] And so I think that, you know, getting rid of that necessity to have a password really, you know, makes things a lot easier and will help people, you know, take part in the network economy a lot more effectively. So one cool example this most recently is eBay. eBay is now supporting FIDO, too. They're fighting the fight of specifications in - for user authentication. They're rolling it out gradually on new platforms. But right now if you go to ebay.com, say, on your Android handset - if you go to the website on your Chrome browser on Android and you go to log into your account, you know, they'll give you the option to just use the native biometrics. You can ditch your password. You don't need to use your password. You can just use the biometrics on your phone.
Andrew Shikiar: [00:35:59] And bringing, you know, this capability to the web on the whole is something that FIDO's focused on with our partnership with W3C. 2019, we released something called Web Authentication or WebAuthn, which is part of the - you know, the set of FIDO2 specifications that allows websites to actually, you know, bring this capability into production to address, you know, a very large number of devices that can actually support this natively, you know, on handsets and on PCs. So we think that, you know, now that, you know, all the ingredients are in place - both a very large (unintelligible) user base, you know, with - who have, say, Android phones and Windows desktops and other platforms as well - we'll see more and more websites, you know, actively, you know, choosing to deploy, you know, FIDO authentication through WebAuthn to their users.
Andrew Shikiar: [00:36:43] You know, users may or may not be aware that they're actually using, you know, the FIDO specifications, you know? All they really, you know, need to be aware of is that this is a brand they trust and that it's a very easy user experience. Now, that being said, we will be introducing some consumer marks, consumer brands and logos so that over time, consumers will start feeling more comfortable with these kind of passwordless logins from service providers to support these specifications. So the analogous is seeing, like, the Bluetooth symbol or Wi-Fi symbol when they - at the point of login, you know, users will be, you know - see a familiar user experience, logins, across leading service providers.
Dave Bittner: [00:37:22] All right. Joe, what do you think?
Joe Carrigan: [00:37:24] Dave, authentication is one of my favorite subjects. I love it. It's awesome.
Dave Bittner: [00:37:29] (Laughter) You're just - you are a fun guy to hang out with at a cocktail party.
Joe Carrigan: [00:37:32] That's right, man. Let me tell you about authentication.
Dave Bittner: [00:37:36] (Laughter).
Joe Carrigan: [00:37:36] You've got to understand. What you're doing when you're authenticating is you're proving to the system who you are. You're proving your identity. But Andrew is absolutely correct that passwords are probably the easiest thing to steal, and it is a shared secret that it's all kept in one place. And his comment on authentication tokens, like the one-time passwords, the time-based passwords, is also correct. That is just another shared secret. Either it's short term in the case of just the number - right? - the one-time password that we're getting, much like the - your story today, that was - that's a one-time password. Or it can be a long-term problem, too. If someone steals the seed to your password-generating algorithm, they essentially have your one-time passwords forever. That's still better than just a password because those things are pretty secure, and they're not easy to guess.
Joe Carrigan: [00:38:29] But if I were to get ahold of an organization's seeds that their users have, I have all of their one-time passwords. Public keys, however, are useless for gaining access. I can keep a large collection of public keys on a service, and if they get breached, very little is gained, almost nothing. In terms of getting into the system, nothing is gained. So what public key authentication does is it essentially distributes these authentication tokens so a bad actor can't just go to one place and get them all, right? So in other words, let's say you and I go to use a website that we use a FIDO means of authenticating, right?
Dave Bittner: [00:39:11] Right.
Joe Carrigan: [00:39:11] Your public key's on the server. My public key's on the server. Now, somebody goes and they steal the public keys, they don't gain anything. All they know is that - what our public keys are. But if they want to get access for me, they have to steal my private keys. And then if they want to get access for you, they have to steal your private keys. And imagine that scaling up to a million users. Now they have to go out and steal a million user's private keys if they want to get all that access to sell. It makes it much more difficult to do.
Joe Carrigan: [00:39:38] I do take issue with one of the things that Andrew said. He said you can't reuse a key pair, a public key and private key pair, on any other site. And that is not exactly true. In fact, I did just that yesterday. So there is a use case where I actually did use - reuse the same public-private key pair on multiple machines. That's not for, like, web authentication. What I would say is that if you're rolling out a FIDO thing - and maybe this is part of the FIDO protocol. I don't know. Or the...
Dave Bittner: [00:40:03] Yeah.
Joe Carrigan: [00:40:04] ...That you have to use a unique public-private key pair to be considered compliant. But the risk is that if I'm using one public-private key parent access everything, it's just like password reuse, right? If someone gets ahold of my one private key, they have access to everything that I do. Also, the public keys will all be the same. So if somebody breaches multiple sites and sees the same public key in two different places, they'll know that's the same person.
Dave Bittner: [00:40:32] I see.
Joe Carrigan: [00:40:33] So it's useful to - it's - he's actually correct that you should be using different private keys to access different things.
Dave Bittner: [00:40:40] And you should require it.
Joe Carrigan: [00:40:41] And you should require it, right. If you're building a solution or building an app, you should absolutely require it. That's right.
Dave Bittner: [00:40:47] Yeah. Yeah.
Joe Carrigan: [00:40:48] There's another solution that's kind of similar to this called SQRL, or SQRL. A listener hit me up on this a couple months ago on Twitter, and I looked into it. It doesn't use public key-private key cryptography; it uses zero-knowledge proofs to do something very similar. I don't know that that's any better. I think public-private key is probably sufficient for now. Zero-knowledge proof does offer a little bit more security for the user. It can offer some concealing of information that you may not want to make public. I don't have any idea how zero-knowledge proofs work.
Dave Bittner: [00:41:21] Yeah.
Joe Carrigan: [00:41:21] I've actually sat down with Matt Green in his office and had him explain it to me.
Dave Bittner: [00:41:25] (Laughter).
Joe Carrigan: [00:41:26] And I walked out of there knowing I lack the basic fundamental understanding to know what's going on in a zero-knowledge proof (laughter).
Dave Bittner: [00:41:31] (Laughter) Yeah. Matt Green is a very well-known cryptographer at Johns Hopkins...
Joe Carrigan: [00:41:35] Right.
Dave Bittner: [00:41:35] ...Perhaps one of the best-known cryptographers out there.
Joe Carrigan: [00:41:38] Yeah.
Dave Bittner: [00:41:39] Nice to have access to him, Joe.
Joe Carrigan: [00:41:41] Yeah, well, I get...
Joe Carrigan: [00:41:43] It's one of the perks of the job, Dave.
Dave Bittner: [00:41:46] (Laughter) To that point, I want to thank Andrew for coming on and explaining this stuff. I think - for me, personally, I think we're so used to usernames and passwords, I think as you kind of heard in the interview, it took me a little while to wrap my head around exactly what the differences are to get that aha moment of what's being stored where and what happens when things are breached and how this is better.
Joe Carrigan: [00:42:07] Right.
Dave Bittner: [00:42:07] And Andrew did a great job explaining it. So I...
Joe Carrigan: [00:42:09] He did. That was a very good interview. Everybody should know this is not something new. Systems administrators have been doing this for years for gaining access to SSH connections, you know, Secure Shell connections. I've been doing this even though I'm not a systems administrator. I set up SSH connections whenever I have to remotely access something so there is no password. I don't have to use a password. It's a public-private key solution for authenticating.
Dave Bittner: [00:42:32] Yeah. Yeah.
Joe Carrigan: [00:42:32] And then I set the Unix server - or Linux server, rather, to not accept passwords on remote login, period.
Dave Bittner: [00:42:39] I see. Yeah. Well, I mean, again, thanks to Andrew for joining us and appreciate their efforts at the FIDO Alliance for trying to move things forward in this way.
Dave Bittner: [00:42:49] And of course, we want to thank all of you for listening. And also, we want to thank our sponsors at KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training.
Dave Bittner: [00:43:07] Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:43:14] The "Hacking Humans" podcast is probably produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:43:29] And I'm Joe Carrigan.
Dave Bittner: [00:43:30] Thanks for listening.