Security Unfiltered

Outsmarting Cybercriminals: A Deep Dive into Social Engineering, Deepfakes, and Digital Defense with Aaron Painter

Joe South Episode 149

Send us a text

Prepare to have your mind broadened and your digital defenses bolstered as we journey with cybersecurity expert Aaron Painter, whose insights from Microsoft and NameTag are nothing short of enlightening. We tackle the increasingly sophisticated realm of social engineering, where attackers prey on human psychology rather than system weaknesses. Discover the chilling ease with which these modern-day digital pickpockets can orchestrate account takeovers, and how traditional security questions are no match for their cunning. It’s a deep dive into the human element of cybersecurity, with compelling anecdotes that reveal just how vulnerable we can be when our guard is down.

This episode isn't just about the problems; it's a treasure trove of cutting-edge solutions! We explore the terrifying capabilities of deepfake technology and its impact on identity verification with a story that sounds like it's straight out of a spy thriller—a finance controller tricked into transferring $25 million. But there's hope yet, as we uncover the groundbreaking methods NameTag employs to thwart these digital doppelgängers, reshaping the landscape of multi-factor authentication resets to outsmart even the craftiest of con artists. Aaron's narrative is a testament to the fine line between innovation and security and how we must tread it carefully.

Wrapping up, our discussion casts a spotlight on the shadowy operations of cybercriminal collectives and the ongoing battle against supply chain attacks. Witness the complexity of securing against compromised hardware and the constant threat of breaches that loom over every organization. We round out with a clarion call to action for heightened cybersecurity awareness and education—a beacon for anyone looking to navigate the treacherous waters of cyber threats. Aaron's stories and strategies, available through LinkedIn and getnametag.com, serve as a vital arsenal in the fight to protect our digital footprint in an age of relentless change.

Support the show

Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Speaker 1:

How's it going, aaron? It's great to get you on the podcast. You know, I think we've been trying to plan this thing for a while now and finally the stars aligned and we're able to get together.

Speaker 2:

It's great to be here, and the funny thing is it's no less relevant than when we started planning it. So things just get more and more exciting out there.

Speaker 1:

Right. Yeah, that's the interesting thing about security. You know it's evolving every single day. Tomorrow there could be a zero day that comes out. Knock on wood, right that now we're all working through the weekend and into the coming weeks, 24-7 a patch, but luckily that hasn't really happened, maybe in a year and a half. Man, I really need to knock on some wood here. I'm really playing with fate here.

Speaker 2:

Yeah, it's interesting. I've spent a lot more time with folks that are looking to get into the cybersecurity profession, you know, from other angles and other parts of their career, and one of the things that's been sort of telling for me is how much people are bringing fresh ideas and fresh way of thinking about vulnerabilities and exploits. That aren't always technical, it's not always, you know, deep understanding, command line interfaces and intrusions of sorts. It's oftentimes just human properties, you know, and thinking like a bad actor thinks or as a, you know, particularly in this field of social engineering and the like, particularly in this field of social engineering and the like, it just becomes too easy to interfere and sort of take over someone's account or gain access to a network using really non-technical means.

Speaker 1:

And so, as security practitioners, things certainly are evolving, in that it's not more appealing towards the social side of people, the human side of people, because the technical controls are, all you know, in place. They're there, they're working. You know, they probably even tried to poke around and, you know, get past them and they couldn't Right. So now it's time to appeal to the human side of this factor and it's a, it's a difficult thing to kind of ingrain into people. You know, every once in a while something will happen with my own personal accounts and whatnot, right, and I'll think to myself, like you know, I need to like almost retrain myself, and I live in this environment. You know, like I live in this field, it's a, it's a really interesting place that we're going, that they're kind of that the attackers are kind of extrapolating on, I feel it was one of the things that was very formative for me when we started.

Speaker 2:

Name tag was at the start of the pandemic. I had a bunch of friends and family members who had their identity stolen. So I'm a good friend and be good son, like let's jump on the phone. You know everything can move digital and you couldn't go in person and we still let's figure out what happened.

Speaker 2:

And we'd call these companies and they say, well, before I can help you, I need to verify you with security questions and they were sort of asked these bizarre things that were rather wildly simple or silly and complex you know what street did you live on in 19, whatever? Or you know what's your favorite color or your pet's name, and sometimes it's even just oh, what's your email address? I need to quote verify you. And you're like, how is this keeping my account secure? And you know, as a professional, that drives me crazy, but I think it drives all of us a little bit crazy. And in that context, at that time, what had happened is someone else called before we did and answered those silly questions and was able to take over our account. And that had nothing to do with the strength of encryption or, you know, MFA protections or other things. It had to do with simply social engineering or answering silly questions to a human, and that is very much a social science more so than really even a technical one.

Speaker 1:

Yeah, that's a. That's a really good point. You know, when you bring up social science, I feel like it's almost like a. It's a different wing of psychology or something. You know, I took one psychology class in college, right, so I'm really prepared to talk about it, talk about it. But you know, it feels like a separate section of that field almost. You know, because you're you're appealing to the person's.

Speaker 1:

You know social aspect, right, they want to help you, they want to be a help, um, overall, you know, they want to get you the information that you need and whatnot, right, and so they have to go through this stupid process that their company put in of you know answer this, uh, you know, question of, like what's the maiden name of you know your grandma, or whatever it is. You know, these things are all readily available online, like there's, there's. There's actually like very little that we can do about it. You know, like it's, it's all relatively out there, it's very easy to piece it together and maybe they even prod in different ways, you know, and call you and impersonate you know some other company, right, just to get maybe one security question answered, you know, and then maybe they call a couple weeks later, you know, and they get another one answered, and they get another one answered.

Speaker 2:

It's a fascinating area, but we're going into a place where it becomes impossible to defend against, I feel, yeah, fraud and bad actors are out there doing social engineering. Right, they're using these techniques. They're looking at data that was released in a data breach by someone else or is publicly available or on a social network, and they're using sort of the human fallibility in a way to even earn credibility, right, oh, you know what's your manager's name. Oh, you know, I was on vacation and we just had a reorg and gosh, I'm not even sure who I report to anymore, but now I can't access my email. I've just got to get back in, right, it's kind of thing that's sort of relatable and, ironically, if you go to work at any sort of support organization customer support, it help desk you probably like helping people.

Speaker 2:

It's probably sort of a core requirement of the role. Yet you're often part of the responsibility is to be this identity detective and your job is really to interrogate someone when they first call you, to sort of identify who you're speaking with. It doesn't work on either side. It's frustrating on both sides, and then you're supposed to very quickly switch over to great. Now how can I help? I mean the chance of someone walking away and having a good experience out of that is slim and it's just not working. Today's techniques are not working and these bad actors are now increasingly armed with new tools like AI, deep fakes and other things to further social engineering, to further trick these sort of well-intended support reps.

Speaker 1:

It's a mess. Yeah, how? How are you seeing AI kind of change the game with this? You know, like I feel like almost every episode I do now we talk about AI, you know it's it's not, it's not me trying to, you know, and it's it's not, uh, it's not me trying to, you know, bump the numbers of the episode or, you know, get into some algorithms, right, like I think my audience knows like I'm terrible at that part, um, and so like that's why you know, my podcast probably isn't. You know where it could have been or where my some of my competitors are Right could have been, or where my some of my competitors are right.

Speaker 1:

But you know, um, just talking, just thinking about ai, it seems to be changing like everything with it. You know it's touching everything, um, and it's it's unlocking new capabilities that used to not be readily available. It used to not be, you know, readily, it used to not be readily available to get on a call with someone, have an AI, listen to that phone call and now, 30 seconds in, you can mimic that person's voice and so now you can go and call Chase and if they have some AI on their backend that verifies your voice, you're already verified. It's already one more step to that customer service person feeling good about giving you you know this information right, because you're like. Certainly you know he's not going to fake his voice.

Speaker 2:

Right. Those are, I think, convenience layers in a way that haven't been properly implemented or thought through. You know, the concept of my voice is my password is great from a convenience perspective. But, by the way, oftentimes, let's say, you go to the average bank account opening process and you go through a KYC, a know your customer flow. Maybe it's in person, maybe it's virtual, that's great, and they ask you to scan your ID and take a selfie of yourself, and it's kind of matched up.

Speaker 2:

Those tools were created in an era where regulatory compliance was the goal. In fact, their goal was to make it easy. You could essentially even say oh, you know, I don't need to take a photo of my ID, I'm just going to upload a PDF that I've scanned once before and saved. That was a great convenience play and satisfied the need. The problem today is you can essentially go to a chat GBT equivalent and say here's my photo, make me a California driver's license and, by the way, I'm going to export it as a PDF to conveniently upload into that tool.

Speaker 2:

And so there's a reason why, when you call the bank and the transact, they have to ask you security questions. They have to ask you these bizarre things because they don't trust the integrity of what that you know know your customer flow was. So let's say you've done that, you've opened the bank account, they've checked the regulatory boxes and you call into Transact and they go through a security question. They say well, you know what? Hey, to make this easier for you next time, why don't we enroll you in some sort of voice authentication service? Sounds compelling. The problem is that rep still doesn't really know who you are. The best effort to verify you, to send you to enroll into that voice verification system, are the security questions they asked. And so it's this sort of bizarre loop that is only as good as the element of secure enrollment. It's no different, by the way.

Speaker 2:

It drives me crazy the concept that you know we hire, say, a new employee in a company and HR will maybe ask IT to go provision a new email address or user account. And you know, pick your ID provider, active Directory and you put in a new hire name and Active Directory and you create a temporary password and then you send it, or HR sends it to someone's personal email address and so there, at that moment, you've just given network credentials to someone to show up for work that you sent to their personal email address, not actually knowing really who they are. Who's the recipient of that email account? If that email account was secured in the first place, that's enrollment, just like the hey.

Speaker 2:

I've asked you a few security questions. Let's hop you into voice authentication for the future. You don't know who the person is and it turns out, the risk is just as great on the other end, because all you have to do is pretend to be locked out or pretend to be a person who is locked out and needing to recover your account, and you're back to this sort of human level of verification and often these silly security questions. Those are the vulnerabilities today.

Speaker 1:

Yeah, that is. That's a difficult one to defeat. You know how do you, how do you protect an organization from that? Right, it sounds like it sounds like you almost need like a new process or a procedure or something like that. You know where do we go from here to kind of add in another layer of security on top of the 10 that we already have?

Speaker 2:

Yeah, this was really formative for us. In building NameTag, you know, we set out to say why is it that someone goes through that KYC flow when they open a bank account and then it's not reusable and it turns out partly. We said can we, can we use one of the KYC tools and just make a product that makes it reusable so that every time you call to, let's say, transact, you can re-verify the person. But the input methods, the idea of being able to allow someone to use their web browser to verify themselves in the first place, wasn't sufficient. So we invented a way to use mobile phones and by using mobile devices, you can ask the end user for the same inputs.

Speaker 2:

In theory, you know, show me your ID and kind of take a selfie.

Speaker 2:

But you can do it in a wildly more secure way because you're using all the embedded features of a mobile phone, like their secure enclave in the cryptography, so that you know the camera that's being used is coming from the camera on the device. You can use things like the 3D depth camera. You can see that they're moving their phone as a human would, as they're moving, to turn their ID over or go to take a photo of themselves. There are all these data pieces that come up in a mobile device that, used in a smart way, can be just a better experience, but it can also be much more secure, and so we created this as a way for people to be able to solve those otherwise tricky moments of what could be a social engineering attack. You know it's someone calling the help desk and instead of the help desk rep having to ask you questions, they can send you a verification link and then come back with some confidence in knowing you really are the human behind the screen, and that's sort of been a formation of our company.

Speaker 1:

So what sort of information are you gathering? You know from that verification link right. Is it an ID? Or turn on the camera. Show me this ID, whatever it might be. What does that look like?

Speaker 2:

For the end users. As far as they're concerned, it's an ID and a selfie, it averages 23 seconds in a flow and it feels super slick and fast. The hidden behind the scenes is we're able to get a lot more data and how that was captured and, particularly, we're able to avoid things like injection attacks and injection attacks are not always understood, but they're really the key way that people use deep fakes and put them to work not always understood, but they're really the key way that people use deep fakes and put them to work and it means, simply, you're sort of tricking the system with a different feed of where the data came from. One of the best ways to look at this might be you know, you asked about AI and deep fakes and you know how more and more people are using them.

Speaker 2:

I think one of the most relevant examples we've had lately has been sort of this Hong Kong finance controller. I don't know if you followed this story. It was a multinational organization, shall we say, where the quote CFO was based in London and the finance controller was based in Hong Kong, and the controller allegedly got an email from the CFO saying hey, I need to do a bunch of wire transfers. Can you help me process these? The controller was rightly a bit suspicious and the CFO said hey, you know, a bunch of us are on a video call now why don't you join the call? I'll send you a link and then you can get all the approvals that you need. And it turned out, everyone on the video call was a live, deep fake emulator. And so the controller was like well, I recognize these people, I know these people, these are, you know, executives in my company. This must be okay. And they proceeded and, you know, transferred $25 million in wire transfers.

Speaker 2:

Wow, so it was sort of this wake-up call that, my gosh, the method that we thought kind of worked, that took extra effort of let's jump on a video call, really can't even be trusted. But it's a classic example of a few different things, one of which being an injection attack Because Zoom teams. It's intentionally easy to say let me select a different input camera or a different microphone, but that also means you could select an emulator that's projecting a deep fake in real time. Those tools weren't meant to stop fraud, they weren't meant for those sort of high risk moments and ironically now companies like Okta and others are recommending that when a user says they're locked out of multi-factor authentication. They're saying do what they call, you know, video verification or visual verification. Hop on a video call and make sure that you're speaking with the right person. Yet now we've seen that deepfakes has sort of even made that maybe not the best option.

Speaker 1:

Wow Did. Do you think Okta came up with that recommendation after they had their their fairly recent breach as like a measure to say, okay, you know, he kind of trusted the voice and trusted the situation right through this phone call? How do we prevent that? Video would probably be the next logical step. But you know, with deep fakes out there, it's how do you? How do you take it a step further, because the same thing will happen. Do you think that that's what prompted it?

Speaker 2:

Well, this is the challenge that MFA itself is secure. But MFA has this glaring kind of side or backdoor and it's this concept that all the user has to do is claim to be locked out and things exist. You know, self-service password reset exists, great. You know, email your personal email address and reset a password. But secure self-service MFA resets hasn't traditionally existed.

Speaker 2:

We've just brought it to market at NameTag as a way to surround your existing, you know, okta, duo, microsoft Entry implementation, because it's a glaring hole. It's this concept that when a user is locked out they shouldn't even have to contact the help desk. But traditionally the only way to reset your MFA is to contact the help desk. So we now take them through a flow that says, hey, what's your work email address, for example, let's go through a name tag verification flow, verify your identity and then we integrate directly with that MFA provider to let the user reset their MFA credentials. So it avoids a ticket to the help desk, it avoids that call and avoids the risk of social engineering. But, by the way, it makes it way faster and, frankly, way more cost effective, because support tickets themselves are pretty expensive. That's sort of been our solution as a way to bring to market and kind of close this kind of glaring hole that exists.

Speaker 1:

You know how did you get here. You know, you know where did you start. You know earlier on in your career that kind of led you down this path. You know, and I I asked people that because you know, especially when you start a company, right, there's a, there's a different kind of level of stress that comes along with it. And I feel like people that haven't started a company, haven't tried to do anything new, don't really understand that, because you're kind of locked in this nine-to-five bubble and it's safe, it's secure. Every once in a while people get laid off but you find another job.

Speaker 2:

So where did you start? That kind of led you down this path. I think balancing risk in your career is always sort of it's for the moment of growth, and so finding that balance that's right for an individual person is hard. But it really matters and it might be right at different times in your life but fundamentally to grow as a person you kind of have to leave your comfort zone, and so the degree to which you leave means more risk, maybe, but more opportunity for growth, and that's something that kind of everyone thinks through and struggles with and has to balance at different points in their life.

Speaker 2:

You know I spent 14 years at Microsoft. I started in product. I worked in Redmond and kind of Seattle headquarters. I was the first product manager for Office. Back in the day there were individual apps. We said how do we make it something integrated? We called it the system. You'd now probably think of that as 365. And I love that because it let me work with so many different teams and kind of reposition and bring together a product that was already being used by so many people.

Speaker 2:

But the rest of my career was outside the US and I focused a lot on helping Microsoft expand to new geographies. Ultimately, that meant opening, you know, 31 new offices, kind of who was the first person, who's the third person in a given country? I spent a couple years in Brazil, I spent five and a half years in China all kind of new markets, all trying to build stuff where it didn't exist before and so I had this opportunity to work in a big company but to kind of do new things and to do things that, frankly, were risky. They're risky for me, they're risky for the company. They were hard, but I grew a lot from taking on those risks and that was the right time for me and my career and kind of what I wanted to do in my life at that time. And I love Microsoft, I love the mission, the people I got to work with. I love Microsoft, I love the mission, the people I got to work with, I love the reach.

Speaker 2:

I left Microsoft eventually because I wanted to be more entrepreneurial.

Speaker 2:

I felt like I hit an entrepreneurial kind of max, particularly first and largest partner in Europe, and then it was in doing that and it was particularly in a lot of my work outside the US, where so many of the companies I spoke with had very similar challenges and a lot of them were large enterprises thinking about how to use technology in new ways, and security just kept coming up over and over again, as much as employee growth, employee loyalty, customer loyalty, kind of the business trends that relate to, you know, maybe having a security vulnerability or not, making customers feel like the platform they were using was secure, and so I really passionate about this area.

Speaker 2:

But security and I knew I wanted to solve something around it and then it was sort of that start of the pandemic when I had this personal frustration, that kind of just hit the max of why do I call people and they not know who I am and yet the only thing separating their safety in my account is our answers to these silly questions. Like there has to be a better way in this modern time to verify sort of the human behind the screen. And I was able to assemble a really great group of other folks, who were a lot of them with great security backgrounds and and a lot of creativity, and we're able to invent something new in this space that, uh, frankly, it's using identity as a way to make the perimeter more secure that's fascinating, that, uh, you know you kind of started at microsoft, right, and now you're Now you're doing all these different things, you're living all over the world.

Speaker 1:

Do you think that that type of personality is pretty common at big tech? I ask because you know you're thinking outside the box, you're open to the unknown, you are, you know, a bit more comfortable with being uncomfortable, right, and to a lot of people that's pretty scary. You know, like I, uh, you know, for instance, right like I love germany, right, so I love going to germany. I have been there far too many times. I'm neglecting the rest of the world, um, and so like that's why I'm like forcing myself to go to lond year, but I'm like, well, maybe I'll stop in Germany too, you know, and but that's a difficult thing. Not everyone thinks like that, and where do you think that mentality came from? Even for you, to, you know, be comfortable in that situation, because that, I mean that is a challenging thing, especially when you're starting a company in other countries. I mean, that's probably the most challenging thing that I could think of.

Speaker 2:

There are a lot of. I mean, sometimes I feel like, hey, we're still doing like bits and bytes and so forth. You know we're not saving lives, we're not medical doctors, like. There are other really important fields out there, of course. For me I was because I took risk and then grew through it. I got stronger Right. I was that concept of taking risk and leaving your comfort zone and then your comfort zone kind of expanding a bit. And so as I did that, more and more and more, it just kind of kept expanding.

Speaker 2:

And I think there is a role in any organization for people that have different styles and different ways of working and typically, I'd say, larger companies. One of the benefits is that it's not going anywhere. It's very much built with redundancy in mind. That also means one person the impact of one person is intentionally a little bit less right. One person can bring down a company and one person can make a big difference, but it's not going to radically transform a company necessarily and in general I think that's something just a large organization gets. That's part of its strength, that's part of its value proposition.

Speaker 2:

But when you have large companies that are constantly trying to innovate and they're trying to grow in new markets. You want to mix the personalities, you want to mix the styles, you want some people that are a little bit more comfortable trying new things and taking risks and leveraging the foundation the company has and growing into new areas. That's how you sort of stay relevant and I think we need it. I think tech is sort of a perfect platform because tech is such an industry that's changing so much that when you have these particularly larger tech companies now all of the ones, the big ones we think about they continue to evolve, they continue to sort of push the boundary and come up with new things and stay relevant. And that's because they have a varying degree of kind of styles in the company and divisions and product areas and ways to invest. Some of it's optimized and some of it's kind of invent. I think you need that balance.

Speaker 1:

Yeah, it's. You know, it's fascinating with the tech industry because it's kind of like a universal industry. I could take my skills and go to Europe and there will be companies there that need exactly what I know, exactly my experience and whatnot, and maybe it'll be a different opportunity. Same thing if I go to Russia. Maybe there's some challenges with that, of course. Same thing with China and whatnot, but it's an industry that you know translates very well, I feel. Is that the same way that you look at it as well?

Speaker 2:

kind of like language. Right, when you have an underlying language, it's easier to communicate and do things. And certainly language of code and certain platforms and others, you can learn a new platform. But language of code is a little bit more universal. I struggled with still a bit of Western alphabets and other things not perfectly, but yeah, I think you're right in a way, because there's some commonality across and a lot of that also has to do with the infrastructure out there. Right, there is a set of large cloud players. So you think, okay, well, I'm going to develop skills in how to write or publish code to certain platforms and evolve them and tweak them and optimize them. Great, there's sort of a handful of them out there. They're almost like a language themselves. So, if you know how to work in AWS, azure, gcp, you know, maybe Alibaba, like you know, pick a few in terms of, some of those are more similar than others to each other.

Speaker 2:

You can kind of have impact and work in a lot of different places, but there's still a huge opportunity for culture relevance. How does it work? How do systems work? How do people and humans interact with machines in different ways and different geos? What are local regulations and things you need to work with. What are the problems you're trying to solve for? And, more interestingly, as tech just sort of permeates different industries, it's really a lot of opportunity for industry knowledge. What's happening? How do you apply tech to automotive or healthcare or financial services? It means you need people who understand tech and you need people who understand those given industries. And when you can bring those different sets of minds and experiences together, that's where I think you really can have fun in transforming whole industries.

Speaker 1:

Yeah, it's a really good point. You know, I kind of got my start more in the financial industry and ever since then it's just financial institution as a financial institution. You know. That, you know, is trying to poach me from the last one. And the big thing that they're looking for is the industry knowledge, the industry experience. And so, you know, when they bring up different compliance frameworks and whatnot, it's like guys, that's that's all I know. You know, I don't know HIPAA. I know PCI inside and out, I know NIST, you know like we can, we can, work with this and for some reason, you know they're not, they're not looking to really venture outside of that. They really want someone with that that experience which I've always found interesting. You know, I think that the experience overall is relatable, right, but I guess it's that industry of knowing you know kind of the ins and outs of when to pay attention to something and how to pay attention to it and you know how different systems are linked together and things like that.

Speaker 1:

I guess there is that benefit with that that you know when, when you're starting a brand new company, brand new methodology of securing you know this, this process of gaining access to an account, getting access to you know, personal information and whatnot. When you're starting that, how do you manage between building the product yourself, hiring the right people, and then splitting your time with finding the customers to pay those right people? You know, to balance it all. How do you find that balance? You know? Are you the person that is building it from scratch, or are you the person you know, writing it down and trying to be like okay, this is my vision, let me go find the right people? What does that look like?

Speaker 2:

the reality is, all of those things matter and you have to kind of find a way to um find the right blend, so to speak. You know, interestingly, the the ceo role in my second company is sort of ceo you're. You're constantly uh, typically the problems are things that land on your desk. Typically it's hey, something didn't work or this. This area needs more attention, and so you sort of wake up every day and you can have an agenda and things that you're trying to solve for. But you're kind of also helping to solve problems, and some of those could be, you know people issues or we need more resources on this, or um, gosh, this customer's's doing great and they want to 10x what they're doing. They're all things that typically the system can't process on its own, which is sort of fun, exciting, a little bit randomizing at times, but you are kind of chief problem solver in a way, for lack of a better term.

Speaker 2:

For me, the focus has always been on finding great people and building great culture, and when you have great people and you have great culture, that creates an environment where all the other things you talk about can happen. You can invent new things, you can solve problems, you can think about scale. You can be empowered to sort of solve a problem on your own, you know, sort of on behalf of the company, without needing to involve, let's say, me or my role in things. And so, as much as possible I always strive to say let's find great people who are good at what they're doing, be clear on sort of what we're trying to achieve together, be really good at listening. You know something I'm passionate about.

Speaker 2:

I wrote a book on the importance of listening, because when sort of employees in an organization feel like they're heard, like their opinions matter, then they're often carrying that to how they engage with customers. And when customers feel heard, they often feel respected by the way it can be a great source of ideas and feedback and features and what to go build next and how to evolve it. And so one of the things we try to put a big focus on is sort of that culture of listening and name tag. How do we listen to each other, how do we make sure we're open and respectful to different viewpoints and feedback? But then we carry that to often how we're engaging with our customers and frankly, we've been so shaped by that, by customer feedback, by customer ideas, that it's really helped us to differentiate in the market.

Speaker 1:

Yeah, that is. You know. That's a huge skill set that I feel like everyone in IT should be learning in the beginning of their career when they're on the help desk is, you know, listening to understand, not listening to respond. And you know it's interesting because all through school you are listening to respond the entire time. You know there is no understanding. It's like you understand the topic and you're listening to respond based on the information that you know. But when you flip it and you're on help desk, it's really important that you understand the problem, that you understand what's going on, and I always, you know.

Speaker 1:

Go back to this example where you know I was working with different federal government agencies and whatnot, and they're very cagey. They don't really tell you a lot of things over the phone, especially if they've never met you in person. They're very cagey with you and they always wanted this certain feature in our product, feature in our product. But my VP and the developers and the engineer that used to run the product they had a wrong understanding of why they actually wanted that feature. So when I went on site for the very first time, they're asking about it and I was like, guys, you always ask about it. Apparently, this is my first time on site, but I've heard that you bring this up a lot. Why do you bring it up, um? And they said, well, don't you have other customers that ask for? And we're like, no, we we actually have no other customers that ask for this feature, and so that's kind of why we just push it off. You know, we kind of need to know your reasoning behind it, and if it provides value, you know, it's an easier sell for me.

Speaker 1:

And they told me about a time when, you know, a very legitimate emergency happened and they had no clue where it took place, and so there was a lot of chaos, because this is, this is a federal agency in the middle of the mountains in West Virginia. They have it's basically it's a military base, without it being a military base. They don't have outside resources from local fire departments and they can, you know they can get that help if they want it. But it is all on site. You know, um, and they explained the situation to me and I said, oh, that's a life or death situation that we didn't account for.

Speaker 1:

The product that I was working with at that time was an E911 solution, right? So when someone dials 911, it gives exact location information, and this was a situation that we had never worked through before, and so when I took that back and I brought it up to my VP, he said, oh, we need to build that in. And literally two weeks later it was in and I was flying back out to this client to put it in, because now he understood. He said, oh, this is a gap, this is a very real gap. I wish that they would have just told me this two years ago, several years ago. I wish that they would have just told me.

Speaker 1:

But they're so cagey If you're not cleared, they won't even let you be on the phone with them, like that's, that's how this place is, and so, you know, I always took that away as kind of even bringing that into my security engineering. You know why? Why do we want this solution? What's the problem that we're actually trying to solve? And before I give anyone consulting advice, I want to hear the problem what are you trying to solve? With whatever solution, we'll go from there. It's a really good skill that everyone really needs to learn.

Speaker 2:

That's a really thoughtful story and example.

Speaker 2:

One of the things I take away from what you shared is the importance of building trust, because it's very difficult to have a healthy relationship in any part of life if there's not trust and, like you described, showing up in person and being there and showing your genuine curiosity curiosity to understand the problem and just even following up and saying, hey, look, we made progress on this and did it.

Speaker 2:

You probably continue to earn a lot of trust. I'm sure your relationship continued really well from there. And I come back to, it's very difficult to build trust if someone doesn't feel respected, and one of the best ways to feel respected is to listen to them and truly listen and truly be curious and want to understand what they're saying. And so I think you're absolutely right and in all aspects of um, what you described within that flow, even the fact that you went back to your manager and said, hey, I have a, you know, I've heard this and they listen to you is a really great cultural sign and that's probably why you were able to adapt and kind of give the customer what they needed and probably stay ahead of the market. But it's because you knew that you would be heard and you went out with that same sense of curiosity to listen to your customer. It's a great story.

Speaker 1:

Yeah, you know it was interesting too because you know, before that first trip internally, you know our team was like, you know, whatever it is, we're not going to do it, it's not that big of a deal. You know they had all this stuff like preplanned, and I came back and they were like, oh, we're doing this immediately and just book your flight now, because it's going to be done, you know, by this date. But it did build a significant amount of trust with me and that customer because now they were more comfortable with maybe not sending me log files, but they'll get on the phone and they'll tell me what the error is, right, like I'll have to walk them through it, of course, to a nauseating extent of you know, when you say space, I don't mean type the word space, I mean hit the space bar, right, like that's the kind of specification I have to tell these guys that I'm on the phone with. And of course the agency does that purposefully because you know they want someone that if your product is based on Linux, well, we want someone that's never even seen a Linux terminal before. Good luck, it's not on him, If it fails, it's on you.

Speaker 1:

You know they do that purposefully, but it kind of that experience kind of took my standards and expectation of customer service to a totally different level, right, and even now, even today, today, right, when I experience like really poor customer service, it like pains me to to such an extreme extent it's like, come on, guys, you could do so much better and it would provide such a you know better, more enhanced experience. Um, that's just, that's just me, right. Do you? Do you take that and do you really run that into the culture of your company as well? Because I feel like that is also something that a lot of security companies miss. You know they're they're used to selling that new thing, getting the phone call with the right person, getting the right email, that they kind of forget about the person on the other end of the line, right, do you also ingrain that into your employees?

Speaker 2:

I think we try, we really try and embody and live it and it's, for us, been very formative in how our company's evolved, because we set out, we built this more secure way to verify who someone was, sort of know the human behind the screen, and there are a lot of places, frankly, where you could apply that and there are a lot of places, frankly, where you could apply that. There are a lot of places in society that need that right now. But it was some of our early customers who said, yeah, I love this credit I could use here and there, but hey, I have this problem in that I have a large customer base. You know, I'm actually very public with it recently. A hub spot, you know, the marketing automation platform, amazing company, amazing people and their CISO. You know, eric said I we want to further protect our customer accounts. We're rolling out MFA to protect our customer accounts. It's great for the customer, but I'm seeing a corresponding increase in support tickets and they're really expensive and the customers that get locked down are unhappy and yet we have to do the right thing and protect their account because if we let the wrong person into someone's account, that's our credibility on the line, that's impact to our customers.

Speaker 2:

And so I said, hey, can we apply this technology you created as a more secure way to do these sort of MFA resets or account lockouts? And we saw that that's actually really clever. But that was from listening. That was from listening, that was from building trust and having the strength of that relationship. Where Eric felt comfortable bringing that to us, we felt we were there listening and hungry and eager to learn. And it only expanded from there because it went from giving their tool to their help desks so their help desk agents had something higher caliber and higher fidelity, to know who's behind the screen. But also actually now they've integrated into their product. So if you're a HubSpot customer and you go and you say, hey, I'm locked out, I need to reset my MFA, it takes you to a screen and says would you like to contact support this might take up to 48 hours or would you like to do it immediately and use name tag? And it's super cool and you know people use it and they love it and, um, it's, it's totally changed the game and them feeling like they're having a good customer experience with HubSpot, like HubSpot cares and protects their account. And, by the way, hubspot has a ton of money because they don't have as many support tickets from all these users who are logged out.

Speaker 2:

But that whole application of our technology which frankly was a little bit ahead of its time in the sense that MGM then happened and other breaches starting last year in particular, that got very public targeting the help desk, this concept that Eric saw that it was a vulnerability and you know Eric is a proud Okta customer.

Speaker 2:

Eric is on stage at Octane and talks about Okta, how great they are, how great he uses Okta but he recognized this as a clear vulnerability before others did, and he took smart steps and so we built a solution that's uniquely targeted to do it. And then, by the way, it happens to be the epidemic of the moment where hundreds of companies are being targeted at the moment exactly this way People are calling the help desk, they're taking over customer accounts or they're taking over employee accounts to gain access, and so it was all because of that insight and our ability to listen that we're able to develop a product that, frankly, is what the market now really needs at this moment so you know, you, you have a product that is absolutely ahead of the curve.

Speaker 1:

You know it beats all of the legacy uh solutions that we we had previously applied to this problem, and surely they're not going to get past this one, right? Surely they're not going to get past this one, right? Surely they're not going to get past. You know device authentication and things like that, right? Where do you see the threat landscape going in the next five years with the evolution of AI, and how quickly AI is evolving, how quickly it's being included into everything that we do now, it seems, especially with how good deep fakes will become and things like that. Are you looking for? I mean, I don't know if it's even possible, right? I'm not trying to poke any holes or anything like that, but maybe there's a deep fake to. You know, show someone with their ID through the phone and the camera. You know, like, maybe there's something like that. I don't know what's that thought process like. Are you thinking about that next generation?

Speaker 2:

We're constantly thinking about it. Actually, it's really fun. It's actually really fun to the degree to which we've seen very bad actors repeatedly try and get through, and they're testing us and we're learning from them, and so we do a lot of analysis on those. We learn when we're successfully what did they try? And often it spurs new ideas for new antifraud techniques that keep us ahead, and so, you know, there are examples of ones that we've invented now, two years ago, that we're now seeing come into market, of people trying and we're thrilled. We're like like, wow, that that worked. But the team feels really successful. Wow, we, we stopped something. We, you know we were a couple steps ahead, but I'm a firm believer that ai alone cannot defeat ai. Now we have a problem in that bad actors are using ai more than good actors are to prevent it.

Speaker 2:

However, I feel there will always be an arms race of AI versus AI if those are your only tools, and so our thought process is we need to take broader tools that are proven, that exist in the market, like cryptography, like biometrics, like the technology behind mobile devices and AI to defeat AI, and that alone is those are a much stronger arsenal to bring against sort of an adversary who's trying to use a deepfake If you're is. Those are much stronger arsenal to bring against sort of an adversary who's trying to use a deep fake. If you're using, you know, device telemetry, 3d cameras, the cryptography in modern mobile devices, a whole bunch of things. This is not us updating our AI model to detect a deep fake as fast as someone's making a deep fake. That will always be an arms race. Some companies will inch ahead and then they'll inch behind. We believe you just need to bring more to it, and that's been sort of the foundation of our approach.

Speaker 1:

Yeah, I think that's a really good way of approaching this problem. I mean, that's probably probably the only way that you approach this problem and be effective against it. You know, out of curiosity, have you seen any patterns of different kinds of attacks against you know? Identity fraud, right, like maybe, maybe I don't know, some group in you know Poland or something like that? Right, I'm trying to stay away from Russia and China because I always say I'm, and now I'm blocked in our countries. You know, but, like you know, in another region, do you see? Oh, this is typically used. This method is typically used from a hacking group in this region. Are you able to see that telemetry, that kind of data, or is it kind of just, you know, spray and pray, almost you know, everyone kind of uses the same stuff at this point.

Speaker 2:

There's definitely a lot we learn in patterns that we see from fraudulent acts. I'd say there is one group in particular that's got a lot of variety. They're very public about it and it's really targeting this current exploit. They go by various names scattered spiders, probably their most common and that's the group, frankly, that impacted MGM. So you asked a little bit about Okta earlier and it was an interesting timeline because in early August Okta came out with sort of a blog post and said hey, we're seeing some concern with customers. We recommend that you be thoughtful about your account recovery workflows. We recommend visual verification. People sort of made note but it didn't quite ring too many bells.

Speaker 2:

And then by late August, mgm was following the new SEC disclosure rule which is now impacting a lot of companies so you have to disclose a cyber incident and so they came out proactively. The deadline hadn't come yet but they said, getting ready for this new disclosure law requirement, we're going to disclose a breach that we had and that was the breach that you know we've been hinting at. That was this breach of a bad actor, scatterthbiter, who claimed they went and they researched an employee basically on LinkedIn, called the MGM IT help desk and said I am that employee. I'm locked out. It was a 10-minute call. They got in, they took over credentials and, as you said, people couldn't check into the MGM hotels. The whole system sort of went offline for days and days and then that's only continued. Then we heard Caesar's Entertainment. Next then we heard Clorox. Clorox had something that was like a 24% drop in revenue because of supply chain disruptions because of this exact attack factor, and so by some accounts, last Q4 alone this group's targeted at least 230 large organizations and we're just we're seeing it continue at a crazy clip.

Speaker 2:

Right now they're particularly active in healthcare, healthcare and degree financial services and sort of layers where they can get more reach. So you know storage providers and Okta themselves, because if you can find a way into Okta support infrastructure, then you can target companies that are using Okta sort of getting very sophisticated about going one level deeper as a way to get into many other customers, and so it's crazy that group at the moment is sort of running wild. We don't quite know where they're from. People thought they were US based. They were surprised the FBI hadn't kind of cracked down on them. The FBI took down their website a couple months ago. They put it back up. They made references that now they're really going to go wild, except in sort of Russia and affiliated Russian states kind of implying maybe they have some affiliation there. The truth is we don't really know in a public sense. What we do know is that they're having significant impact and they're being very successful because there aren't good defensive mechanisms in place.

Speaker 1:

Oh, yeah, it's. You know the supply chain attacks. They're not anything new, but they always kind of up the ante, right. They kind of there's like these moments in security where it kind of up the ante, right, they. They kind of there's. There's like these, these moments in security where it kind of changes your mentality or your thought process with what's possible, with what you should actually be looking at.

Speaker 1:

It's very easy for me to look at my kind of report and see all these green scores, you know, and focus on, you know, a couple subpar ones, right, and think that I'm secure. But when you start talking about supply chain attacks, it's like, okay, where does this end? You know like, how, how, how can we limit? You know this because we're a company, we need to buy other products from other companies. They have chips in them. These chips can be compromised. And then take it a step further oh, where's the country of origin, right? Oh, it's China. Well, there's a very real percentage chance that there could be a backdoor in that chip that's coming from China to give them access to your entire company, right, and it's a difficult time, I feel, to be a security practitioner because you know, right now, right, we haven't had a major breach in you know six months or something like that.

Speaker 1:

Right, we're all kind of holding our breath and saying like, okay, when's that next zero day popping? Right, that is probably even used in the wild right now against you know very real infrastructure and companies and things like that, but no one knows about it. Where is that thing going to come from? What's it going to do? You know all these different things and, of course, you know what comes to mind is these different tool sets right, getting released potentially from bad actors within government agencies that open up a whole other can of worms with creating zero days and problems and things like that, with creating zero days and problems and things like that. So, you know, in a field that is forever evolving and ever vulnerable to people, you know, I feel like your solution is a step in the right direction that we really need to go to. You know, ensure that another MGM doesn't happen or another Okta doesn't happen.

Speaker 2:

The sad thing is it will. The sad thing is the leading attack factor at the moment. Is this the way to take ransomware for the leads data breaches? Is this concept of social engineering attacks at the help desk because it is unpatched, so to speak, and there is so much to worry about? You're right as a security leader and there's so many concerns you can have. This at the moment is kind of the lowest hanging fruit and it's not terribly sophisticated of an attack. It's not some wildly advanced at the chip level that was deposited here. This is just basic social engineering and we've all been through it. Because it's so obvious that if you do your own penetration test that's one of my key pieces of advice today to organizations Do a penetration test of your help desk. Call and pretend to be locked down and see how it goes. Chances are it's not going to be that hard to get back in.

Speaker 2:

And the other interesting thing we found in this space has been security really matters and this is a great security driver, by the way. It was actually a problem before deep fakes. It was a problem actually since you rolled out MFA. These are the hidden risks and increasingly hidden costs of MFA. You can actually go to your IT department as a CISO, go to your CIO and say I think we can save a bunch of money.

Speaker 2:

You know, up to half of our support tickets are people who are locked out of their accounts. Like, can we just automate that? That's a huge cost saving factor. And then it turns out your employees weren't that happy. For example, they didn't like having to call the help desk when they got locked out because they upgraded their phone. Like wow, so you can improve employee experience, you can save money. Oh, and, by the way, shut down the leading security vector. This is kind of a no-brainer. And so, while there are so many things on the plate of a CISO today, for example, or a security leader, I would strongly advocate you look into this area as kind of one of your lowest hanging fruit initiatives in the coming year.

Speaker 1:

Yeah, that's a really good point. This is absolutely a low-hanging fruit that can really make a huge difference in more ways than one. You know, aaron, I really enjoyed our conversation. This is a fantastic conversation. Unfortunately, you know, we're at the end of our time here and I try to be very cognizant of everyone's time because we're all so busy. But before I let you go, how about you tell my audience where they can find you if they want to reach out, where they can find your company and all that information that they may be looking for?

Speaker 2:

Yeah, we're super active on LinkedIn in particular, so check me out Aaron Vander looking for. Yeah, we're super active on LinkedIn in particular, so check me out Aaron Painter will have a link, I'm sure, in the show notes. Our website getsnametagcom. We have a ton of content and a lot. We really try and cover some of these recent breaches. You can follow along on these kind of help desk hacks as they're happening and what we're learning from different companies, and we have really good explainers, even on things like injection attacks, on things like deep fakes, trying to just keep people educated so you can better respond in your own organization.

Speaker 1:

Awesome. Well, thanks everyone. I hope you enjoyed this episode.

People on this episode