Cyber Crime Junkies

Shocking New Ways to Stop Hackers 🔥 What You Must Know

Cyber Crime Junkies. Host David Mauro. Season 6 Episode 89

In this episode of Cyber Crime Junkies, host David Mauro speaks with cybersecurity expert Adam Benwell, CEO of Challenge Word, about new ways to stop social engineering, shocking new AI risks and how to stop them.


In this episode of Cyber Crime Junkies, host David Mauro speaks with cybersecurity expert Adam Benwell, CEO of Challenge Word, about how hackers are like sharks. 


Summary

In this episode of Cyber Crime Junkies, host David Mauro interviews Adam Benwell, a cybersecurity expert and founder of Challenge Word. They discuss the pervasive issue of social engineering in cybersecurity, the importance of penetration testing, and how Challenge Word provides a proactive identity verification system to combat impersonation attacks. Adam shares his journey into cybersecurity, the development of Challenge Word, and real-world applications that highlight its effectiveness. The conversation also addresses common objections to implementing Challenge Word and the future of cybersecurity in the face of advancing AI technologies.

Takeaways

  • Social engineering is a major tactic used by hackers.
  • Penetration testing helps organizations identify vulnerabilities before criminals do.
  • Training alone is not enough to combat social engineering.
  • Challenge Word was created to provide a simple verification process.
  • The system generates unique challenge words for secure verification.
  • Real-world breaches highlight the need for proactive measures.
  • Challenge Word can be implemented easily and at no cost for small organizations.
  • AI deepfakes pose a significant threat to identity verification.
  • Cybersecurity is an ongoing battle against evolving threats.
  • Organizations must prioritize their vulnerabilities based on risk appetite.

Sound Bites

  • "We always find something."
  • "This is MFA for IRL."
  • "It's an AI arms race."

Chapters

00:00
Understanding Social Engineering and Its Impact

02:23
The Role of Penetration Testing in Cybersecurity

08:28
Adam's Journey into Cybersecurity

13:08
The Birth of Challenge Word

16:59
How Challenge Word Works

25:13
Real-World Applications and Case Studies

31:16
Overcoming Objections to Challenge Word

41:04
The Future of Cybersecurity and AI

TOPICS: new ways to stop social engineering, shocking new AI risks and how to stop them, how hackers are like sharks, identity verification risks, shocking ways to beat cyber crime, how to protect ourselves from cybercrime, how to stop the latest social engineering

Cybersecurity, Challenge Word, Social Engineering, Identity Verification, Risk Management, AI In Cybersecurity, Employee Training, Cybersecurity Solutions, Cybersecurity Awareness



Speaker 2 (00:06.392)
Social engineering. We talk about it a lot in this show, the manipulation of humans into doing something that they shouldn't do. And it's the most used tactic for that reason. One hacker told me on an episode right here on Cybercrime Junkies, "Why hack in when we can convince somebody to let us in?" In today's episode, we sit down with Adam Benwell, the founder of ChallengeWord, a game changing tool that's flipping the script on how people spot

deception. Here's the kicker. It's simple. It works. And yeah, you can start using it today at no cost. Stick around to the end to find out and also get exclusive insight on how to get started, how to train your team and how to stop falling for the same old tactics. Because in the war against cyber criminals, sometimes the most powerful tool is just one word.

This is Cybercrime Junkies, and now the show.

Speaker 2 (01:13.262)
Catch us on YouTube, follow us on LinkedIn, and dive deeper at cybercrimejunkies.com. Don't just watch, be the type of person that fights back. This is Cybercrime Junkies, and now the show.

Speaker 2 (01:32.938)
All right, well, welcome everybody to Cyber Crime Junkies. I am your host, David Mauro. In the studio today is Adam Benwell. Adam is a cybersecurity expert with over two decades of hands-on experience. He is a hacker by trade, a red team ethical hacker who has founded several different and been involved in several different entities. One is he's the founder of Pentest WS, which is a globally recognized SaaS platform that enables penetration testers to plan, execute and report on security assessments with greater speed and accuracy. He's also the founder of, and something we're very interested in discussing today, he's the founder of Challenge Word, which is a proactive identity verification system designed to stop real time impersonation attacks across voice, SMS and in person. Adam, sir, welcome to the studio.

Thank you, David. It's great to be here today. I'm excited to talk with you.

Well, great. So tell us a little bit about your current roles. And then, and then I'd like to segue into that and get into kind of how you got involved in all this in the beginning.

Speaker 1 (02:47.502)
Sure. So as you mentioned, I'm the founder of Pentest WS. I actually started that program about eight years ago while I was taking the OSCP certification.

And for the listeners, what is that certification focused on? Is it focused on ethical hacking, red teaming, things like that?

That's correct. It's called the Offensive Security Certified Professional and it is 10,000 miles wide and at least at the time it was a mile, it was about an inch deep. Yeah, maybe I don't want to say it that way. That kind of sounds like I'm bagging on them.

No, it's actually kind of interesting. It's, it's that certification at the time you took it was wider rather than going in depth in any one of the tactics and techniques, kind of almost similar to the CISSP. The CISSP is very wide. It doesn't go, the testing anyways, doesn't go very, very deep into any one of those segments or chapters. Is that a fair statement?

Yeah, yeah, I think so.

Speaker 2 (03:50.786)
Yeah, makes sense. So tell me about the organizations that you help with that. Is it organizations that want to find out how they're vulnerable? You guys come in and pen testers can come in, use that platform, turn around their assessments and their findings in a way that's more easily translated for business owners?

Yeah, that's exactly right. It's built for the offensive side of the coin, right? So there's offense and there's defense and pentest.ws is offensive. So it's for the people in the field out there hacking on the machines, hacking on the people, they're able to, it just makes them more efficient in the way that they do it. It helps keep them organized. And then they can translate that into a report that they then deliver to the client.

That's great, yeah. And from a small business owner or leadership role, what's, just high level, like tell us all the benefits of having a penetration test and having red teamers engaging with groups like this to actually find it. Because to me, it's invaluable. You actually find how criminal hackers would actually exploit you, even though this is harmless in a sense. It shows you your vulnerabilities without having to undergo all that harm.

Yeah, a heck of a lot better for us to find it than the bad guys to find it. Right. Right. And we always find something. How severe that is kind of depends on the engagement, but we always find something. And so the defenders have got a really tough job. They've got to be right a hundred percent of the time. And we only have to be right once. And the bigger the company, the more infrastructure, the bigger internet footprint you have, typically the more vulnerable you're going to be. And you would think it would be the other way around.

Speaker 1 (05:43.776)
because they're going to have more budget. They're going to be able to buy all the fancy toys and have all the scanning done. But it's just a matter of a numbers game, right? So the more servers you have, the more likely something's going to go unpatched or somebody's going to write a vulnerable web application. A lot of times this stuff goes forgotten about. So we'll find machines that they didn't even know were still online. Yeah, I thought that was decommissioned, you know, five years ago. So it's still sitting around. So it's

We saw that recently in a couple of breaches, didn't we? Where kind of legacy systems got exploited. And they were just old, they were sitting there, they just hadn't been turned off, decommissioned, or they hadn't been updated and integrated into the newer systems. And they just sit there kind of as a back door so that people can exploit them.

Yeah. And it doesn't always have to be that they forgot about it. Sometimes they're just not able to decommission some of this old stuff, right? There's legacy systems that are sitting around that might depend on an old API. You take that offline. If you depend on a third party, or third party people depend on your API, now you can't decommission your stuff. It can be quite a mess and it's a lot to try to get a handle on from a defensive point of view.

Yeah, absolutely. And then what's nice about having Red Teamers engaged is they're able to actually help an organization prioritize their vulnerabilities. There could be a hundred things on your list to fix, but the perspective that Red Teamers give is, well, criminals today are really going after these top ones and they'll exploit those, and then they'll help organizations shore those up so that they can be secure.

Yeah. One of the things that I found really interesting when I got into cybersecurity is that there's the concept of just accepting the risk. So if it's a critical and you're going to get hacked, you know, you need to fix this within, I don't know, let's say 30 days, for example, right. But there are some findings that we report where, and it's perfectly legitimate for a company to just say, well, we accept the risk, the chances of this being exploited.

Speaker 1 (07:53.696)
And then if it does get exploited, the impact that it's going to have, at least they're making that calculated risk, that calculated decision, right? Rather than just not knowing about it.

Yeah, it's really about their own individual risk appetite, right? And different organizations in different fields and industries have different risk appetites. So there, but the key is the service provides the ability to see those risks and then they can decide because otherwise they're just like.

Yeah, yeah, that's exactly right. That's exactly right. And also it has to do with priority, right? If we've got five criticals, well, they're going to go fix those first and they're just going to make the decision. I'm going to push the lower criticality ones to next year or to the year after. It's that I fully accept it, but at least I accept it for now.

And they're making an informed decision. Which is great. So how did you walk us through? Like how did you get into this field originally? Did you, were you somebody that has always been taking apart computers, working on code, et cetera, from a young age or walk us through it?

Yeah, 100%. I started programming at a really young age. And I think it all kind of goes back to the movie War Games, right? With Matthew Broderick and Shee-shee-shee-shee-dee. And I saw that and every kid wants to break into a school and change his grades. How cool is that?

Speaker 2 (09:27.576)
doesn't want to do that, other than the getting caught.

Yeah, yeah, I don't actually want to do it, but I want to know how to do it. And so so from there, I picked up QBasic, right, because it kind of came out the same time and it was accessible to me. And I ended up writing, I mean, talking about taking things apart. I was more of a builder and I ended up building a form of voicemail. But I used a modem, an answering machine and a pager to get that done.

right.

Speaker 1 (10:02.602)
Yeah, it was just kind of a challenge and it was just fun to do. I didn't realize what I was building at the time. I just had this idea that, you know, you could get that done. So from there, I kind of dated myself here with that. I mean, I could tell you it was an old, like, yeah, the bottoms and whatever, but so, so anyways, I went on and

When I was a freshman in high school, right, a friend of mine, her dad saw that I was talented with computers and I was really interested in it, but it wasn't really a career for me yet. And he handed me this book called Teach Yourself Visual Basic in 21 Days. And he was like, yeah, if you read this book, I've got a job for you. And I couldn't be happier. I mean, I was 14 years old, read the book in a week.

yeah.

And I came back and I said, okay, I'm done, you know, and sure to his word, he gave me a job and it was at the local police department. Great. And so,

What all were you doing at that age? Job like?

Speaker 1 (11:07.566)
So it was building applications on a pen based computer. And it's a lot like a tablet, but way before tablets were a thing, you know? And it was all written in Visual Basic. I was helping him. We were taking forms that an EMS, like an ambulance, would have to fill out when they went on site, instead of filling out forms on a piece of paper and a clipboard.

and then they'd get to the hospital and they would hand over that clipboard, then the doctors would start triaging that patient. What we were doing is we were putting everything on a pen computer. They could fax it to the hospital ahead of time. And that way, by the time the ambulance got to the hospital, the doctors and the nurses and everybody are waiting on the curb with everything that they needed already to start treating patients immediately.

So that was way ahead of its time. When you think about it back then, that is really an early adopter trying to leverage advances in technology and thinking ahead of time. Because that is just brilliant, right?

Yeah, it was cellular fax modems because we were, like I said, we were faxing, you know, this wasn't just dropping an email. We had to fax these things. So yeah, it was really fun. You know, I got to go to the police department and you walk into this building and they've got this glass reception desk. But if you turn around in the corner, there was this elevator and I kid you not, there was like a fake palm tree in front of it. So it was kind of out of the way.

but there was an elevator, you get in there, go down two floors, so you go down into the basement, and that's where I got to work every day after school. Was it the pay?

Speaker 2 (12:47.726)
That's like a kid's dream. That is a cool gig. That's a cool gig for a young lad. That is very cool. That's cool. So now what did you do from there? Did you, once you got to college or once you got out of high school, you were like, I'm gonna get certs, I'm gonna drive this.

I

Speaker 1 (13:07.53)
Yeah, I never stopped programming. I basically started my career at 14 and after that I went to work for a buddy of mine and I ended up working with him for about 20 years, a little over 20 years. So I didn't end up going to college. I'm all self-taught as far as.

as are many in cybersecurity, right? Because there's absolutely nothing wrong with that, right? Like that is fantastic. So the transition from that to you recognizing social engineering is out of hand, identities are for sale on the dark web like...

T-shirts are on Amazon. It's horrifying. How did you come up with the initial idea for Challenge Word? And then walk us through kind of what all it does for organizations.

Yeah, sure. I mean, I had spent 20 years as a software developer, but I did transition into cybersecurity when my business partner, he ended up being the best man at my wedding, right? He decided that he wanted to retire. So I took that opportunity to transition into cybersecurity. Right. And I mean, I was always fascinated by it. Like it goes back to the War Games thing. It's like, it's the cool part of being able to do this stuff.

So in identifying a void in the market or the need for challenge word, what is it that you started to see? Like social engineering, like every organization can invest in services or they could build it, they could buy it any way they want. They could have all the tools, all the detection mechanisms. It's great, right? It does help, but.

Speaker 2 (15:00.534)
It doesn't really help as much when people are letting the threat actors in voluntarily, right? Or they're not using basic cyber hygiene and then the bad actors are logging in as us, right? It's one of those two things it seems that are just so common today. What was it that you saw that you were like, we need to develop this concept of challenge?

Well, I think what I saw was, I mean, I was frustrated with how easy it is in order to do this just repeatedly. Right. And when we would, like, debrief this stuff, the company has really only had one response, and that was more training. It was like, okay, well, that particular person needs to go through more training. And I really don't like to single out a single person. Right. I don't like to say that we got in because of this person.

because it is just a numbers game. Again, the bigger you are, the more vulnerable you are, because the more employees you have, the more targets I have as a social engineer. So the training is just not enough. Whether that's a yearly training course that you have to go through or whether that's something more proactive like a social engineering simulation exercise.

The end goal is still the same, right? It's to train you to spot the signs of social engineering, or it's to train you to know the tricks that they use, like authority and urgency, right? And those techniques are very highly effective. But you're expected to be an expert lie detector, right? And especially over the phone. I'm going to call you and the only thing you have to go on is my voice.

And then maybe it's been six months since you had that training and it's going to be a random Friday afternoon. And you're thinking about the vacation that you've got coming up and all these things that you're just not really focused. I just don't think that it's a realistic ask of your employees. Right? So training alone isn't the solution and we need a simple human protocol that people can use, you know, over phone or video.

Speaker 1 (17:09.71)
text in your DMs, it doesn't matter. We need something that the company can say, listen, this is how we conduct business on the phone. There's no ifs, there's no buts. This is just our procedure for conducting business on the phone or video, right? And that's how I ended up inventing a challenge word. It was one of these 2 a.m. moments of inspiration that you wake up and you go, my gosh, I've got to write this down so I don't forget it.

but instead of writing it down, I got up and just started experimenting with different ideas. I knew that it needed to be non-confrontational, right? I knew that it needed to be non-technical, low friction, super easy, fast, but, but at the end of the day, it needed to be secure. And, yeah, there's, there's nothing else like it. That's why.

I think it's brilliant. You know, when we're doing live lunch and learns or live trainings for organizations, we always tell them, like within families, to have a safe word or phrase, right? Because there are those AI deep fakes and scams where somebody is calling grandma or the parents and they're saying, Hey, this is, this is your son or your daughter.

and just got in a car accident, I need $2,000. I don't want to handle it with insurance. Can you just wire that to me or can you just, you know, sell it, send it by Zelle to me, whatever it is. And it sounds like them. It sounds exactly like them. You know, it is one of those that it has all the elements of good social engineering. It creates an amygdala hijack in you, right? It creates that fight or flight, that emotional response. There's a sense of urgency and

We've seen so many organizations be recommending, well, sure son, I'll be glad to. What's our safe word? What's our family word? And they're like, come on dad, I don't have time for this. Like, my son would know what the family word is. What is it? And then I will wire you the money. Because that way you know outside of technology, right? That way you know human to human that that really is your son.

Speaker 2 (19:26.698)
And challenge word seems to operate on the exact same way, right? Like you, your organization has, has a challenge word that they use and you've set it up so that it randomizes and changes, but that all of the vendors that they would deal with, they would be aware that this is how you do business. And so then they would walk us through it. Like, do they log into your instance of challenge word or will they have access to it where they'll be able to?

to check it out so that you can both, so that the employee knows that the vendor is giving the right challenge.

Yeah, yeah. So that was actually our first iteration of the solution, was a word a day, right? So a company would have, like, today's word is table, and we poked holes in that pretty quickly just gaming it out, that if I could call one of your employees and, like, get them to tell me the word first, right? Then I've pretty much got the rest of the day to hack anybody I want to, because now I can prove, you know, quote unquote,

So true, because then you can socially engineer the employee to get this social engineer key to the castle, right? Then leverage. Great point.

So what we do is it is tied to you. The word is tied to you, right? So you SSO into the platform and that way the application knows who you are, right? And if you lose control of your Microsoft account, you probably got bigger problems than social engineering at that point. Yeah, yeah. So the system knows who I am. And then when I need to prove myself, right, it will assign me, me particularly, a challenge word.

Speaker 1 (21:08.558)
And that can be a word. We also support, like, PINs, like your classic MFA style PINs. We support alphanumeric codes, but for our purposes, we'll just say it's a challenge word. And that word is only good for 45 seconds. It's very short. And that's long enough for in the moment when I need to prove myself to you, David, right? I can say, okay, well, my challenge word is, uh,

And you can put it into your end because you're SSO'd into your side of Challenge Word. I can say paper. Yep. Okay. And it says, yeah, you're really talking to Adam.

So it'll verify that the person is who they are actually on the other side.

That's correct. There's a little bit more to it, right? It'll give you a list of names that you have to click on. So I couldn't just randomly put in words and figure out somebody's real challenge word. So it's sophisticated. You know, normally, my Adam, I'm not actually assigned a challenge word. So it doesn't matter what you try to do. You'll never be able to impersonate me.

fantastic.

Speaker 1 (22:14.286)
unless it's that 45 second window where I've decided that I need a challenge word and I give it to you. And then once you confirm who I am, that challenge word goes away. It can't be used twice, right?

audit. That's great. And so in reality, when a business wants to roll this out, do they get with it? Do you look, when you're onboarding Challenge Word, or do you just get the identities of the vendors that you're dealing with and make sure that they're made aware? Hey, we're using Challenge Word as a second layer of defense. Now, you know, log into this, you know, should I request it or should, should a scenario come up where you're asking for sensitive information, we will go into this platform for verification.

Yeah, that's correct. We've got a lot of different ways to connect in ChallengeWord. We call it our ChallengeWord ecosystem. I mean, just by default, anybody that's part of the same company can do ChallengeWord verifications with each other. We call that employee to employee, right? We've also got organizational level where a parent company and all of its subsidiaries are all part of the same ecosystem. We cover company to vendor. So that's our business to business connections where you really do have an outside party. If I'm working with an external cybersecurity company for my bank, I want to be able to verify those people when we talk on the phone, right? That would be business to business.

Speaker 2 (23:44.36)
or any other vendor, right? When you think of some of the breaches, they come in through vendors oftentimes. And so this way, you know, a vendor that's doing business with us, all of them would get this alert and get this notice that we're using Challenge Word.

That's right. That's right. And sign up is, is instant. It's free. It's low friction. Anybody can go get up to 10 users. Right. So if you've got a solo entrepreneurial vendor that needs to be covered, it doesn't cost them anything. You guys can create a B2B connection on Challenge Word. So we've really tried to make it as low friction as possible. And the more people that use it, the more secure you are. Right. So

It goes back to if you're a company, if you only onboard your C-suite, for example, then only your C-suite's protected. But that still means that I can call anybody in accounting or I can call somebody in any of the other departments if they're not.

Yeah, I would think that having it in accounts payable and accounts receivable would be key, right? Because they're the ones through business email compromise that get asked, you know, from a familiar vendor that they know that they've dealt with to change the wiring instructions. We see it all the time. So I could see how it could be really, really helpful for organizations addressing that.

Yeah. Yeah. And we've got all kinds of mechanisms to keep challenge word front of mind because it does, you have to use it in the moment, right? Kind of goes back to training. You've got to think about your training, but in this case, you use it more often. You're not going to have to use it as often as your normal MFA, right? You're not going to have to use it every time you sign into your own account. You're only going to have to use it when you're

Speaker 1 (25:24.908)
doing business over the phone, if you're taking a sensitive action, if they're asking you for sensitive information, it just becomes your standard operating procedure and you just get used to it over time. You know, what's your challenge word? Right. Right. And that question is so low confrontational that I'm not calling you a liar. I'm not saying I don't believe you are who you.

You're simply saying, hey, I've got to follow this policy. I've got to follow this process. It's for both of our benefits. What's the challenge?

Yeah, yeah, it's oddly a technical procedural solution for a very human problem.

That's really good. So what was it that you, was there a crazy real world breach or hack that you saw and you're like, if they only could verify just from themselves some way, independent of the email that they got with the vendor's new invoice that had the new wiring instructions or the call that they got, were there any

crazy real world stories that you were like, that is a great example of where a challenge word could sell.

Speaker 1 (26:37.134)
Yeah, we've got some interesting case studies on our websites where you can go and read about these high profile ones. And I think the craziest one for me, at least that we've seen so far, because this stuff is getting better and better all the time, is in 2019, there was a UK energy company and the CEO got a call from his parent company's CEO.

Right? So these are two high powered individuals and it was the parent company's CEO that was being faked. They were using AI generated voice technology to impersonate the CEO of a parent company of a UK energy company. And they used, you know, authority, right? They used a time pressure and eventually, I mean, on the call, it was a single call, right? They ended up getting the guy to transfer like a quarter of a million dollars.

I remember that. To some Hungarian supplier, I think it was. Yeah. Right.

I remember that one. Yeah, it was one of the very first case studies of like AI deepfakes that are out there, right? I mean, because they can take a very short clip now of someone's audio or video and make it say and do anything.

Yeah. And, and that's a good point. It's a very short clip. So anybody that's a public speaker is, is pretty easy to target, right? Anybody that's got a YouTube video out there is pretty easy to target. I think the thing that really, I saw a demo the other day where you're able to do live face swapping by a single picture, just one picture. That's crazy. That shouldn't exist.

Speaker 2 (28:21.438)
No, no, exactly. Because the creative element is great, but it's also scary, right? Like the ability to create new content and have, you know, leverage advances in technology and leverage AI, but the, but the danger there and the risk. Yeah, it almost shouldn't exist because it's just like, how is that going to be used for good? I see some of these advancements and I'm like, that's just not good. Right.

Just because you can doesn't mean you should.

Right. Well, and meanwhile, us Americans are curating our lives on social media, tick tocking everything in front of our schools and our homes. And again, nothing wrong with the technology. It's great. Nothing wrong with that. But it's the it's the reckless use of it. And it's the use of it without the foresight of the risk that you're in, you know, undergoing that really kind of gets people affected.

Yeah, this technology is prevalent. It's convincing. It's getting easier and easier every day. Right. It's

It's virtually undetectable. I've got so many examples of AI deep fakes now, I have a whole collection of them, because just a couple years ago they were pretty rough. Like it was pretty obvious to, to catch, and now I had Perry Carpenter on from KnowBe4, who came out with that book FAIK, and he's really dug deep into it, and I'm just telling you, like, some of the examples that I've, I just

Speaker 2 (29:57.954)
kind of capture just to raise awareness for business leaders. It's remarkable. It's virtually undetectable by the human eye and human ear. Like it's really good now. And that's great for creative, right? But it's also very, very risky for our daily lives because we can just see how many and we see it leveraged more and more.

yeah, yeah. I mean, if you think about the classic email phishing, right? You used to be able to spot those just by the broken English in it. But now it's perfect English and it's perfect Spanish and it's perfect German or French. doesn't.

regionalized. And it's regionalized, right? Like, you can have AI craft that email to sound like you are from this region in this country, or this southern part of the United States, right? Like, like, and you can use local, local, you know, references, and it's very, very good. There's no spelling errors. A lot of those typical red flags have gone away now.

Yeah, I remember when generative AI first came out and it was fun to make it talk like a pirate or talk like Shakespeare. Well, little did we know it's that same technology that says, okay, well talk like a person from this city and this state.

Exactly. It's really remarkable, and I just don't think people really are aware of it, right? It's unbelievable. So let me ask you, when in social engineering attempts, one of the things that business leaders mistake is they think, "My employee's an idiot," or "My employees just, you know, I can't believe they didn't pay attention to that training we ran a year and a half ago and they didn't remember this," when in reality

Speaker 2 (31:52.622)
When you look at the breaches, some of the people that are compromised are excellent employees. Like at law firms, they're the managing partner. These people aren't dumb. They're not like, they're physicians, right? Like they're just busy and they're distracted. Right. And that's where it's so impactful. So what are you seeing? What are you seeing with Challenge Word when you're rolling it out for an organization?

What are some objections to it? What are some common things that somebody would say? "This is going to be a hassle for our employees," or "We already have, we don't need it. We already have multifactor authentication." And then you have to explain, no, no, this isn't multifactor authentication. It is social engineering multifactor authentication, essentially.

Yeah, that has been a struggle, comparing it to multifactor authentication. Like we like to call it, it's MFA for IRL, right? It's multifactor authentication for in real life. And it's sort of blurring our message about this is not multifactor authentication in the way you think about it, because this is something totally new. This is something that nobody has seen before at scale, right? And so we do have to explain the solution, the problem that this is solving.

Right. They are aware of smishing, which is text-based social engineering. They're aware of vishing, which is voice-based. Right. And as I mentioned, their solution right now is training, but now this comes along and this is just like MFA for a conversation. Right. And that has been one of the bigger challenges, is getting past that preconception of what MFA is and effectively bringing that solution into the real world.

And I think once they understand that, their ears perk up, they're very much more interested. And then their concerns become, well, how much is this going to slow my employees down? Productivity. And I think that some of that can stem from going back to MFA and how often you use MFA. I'm always on my MFA signing into this or signing into that. And it's

Speaker 2 (33:51.406)
I'm

Speaker 2 (34:06.424)
This only gets used at the time when sensitive information is being requested. And MFA doesn't cover the other side. Like MFA shows that I am who I am and I'm logging into my Microsoft account. OK, great. I'm in. But now when somebody calls and I don't know who they are, they say they're my trusted vendor and it sounds like Bob.

Right, who I've talked to before, but with AI deepfakes, anybody can sound like Bob. So Bob is calling and he's got to change his wiring instructions or he needs me to send the W-2s because of this merger we're doing or whatever, right? And I'm about to release sensitive information. I need to know that that's Bob for real. And so a non-threatening way is to go, Bob, buddy, what's our challenge word? And Bob goes in, he sees I'm who I am, gives me the challenge.

Right. Yeah. Yeah, that's exactly it. So they can use the website. They can use their mobile phone. We've got Android, iOS apps, and it's all single sign-on. It is literally the click of a button to log in, and you have proven you are who you are as far as Challenge Word is concerned. And now

So, no, didn't mean to cut you off, go ahead.

No, no, no. Yeah, yeah. And now I'm able to prove who I am, like through non-digital means, through human conversations.

Speaker 2 (35:33.614)
So if Bob wasn't Bob, and I say, "Hey, what's your challenge word?" And Bob goes to log in and goes, "Challenge word? What the hell are they asking?" And they go in and they look up Challenge Word and they try and create something that's not going to work. Right. It's okay.

Yeah, if I'm a scammer and I'm calling you, right, and you say, "Hey, you know, Mr. Scammer, sir, what's your challenge word?" And I say, "What's a challenge word?" You're pretty sure that I'm not actually Bob, right?

Right. Or they go, "Yeah, hang on, let me check this out just a second." And then they're like Googling Challenge Word and like trying to log in and set up an account and do that. They're not going to be able to access the challenge word needed for that organization.

That's correct. Yeah. So I am able to create my own account and it's still going to show that I am that other person. I'm not going to be able to ever represent myself as Bob from accounting in your company, right? Because Bob from accounting in your company doesn't currently have a challenge word assigned to him, right? 99.999% of the time, Bob just doesn't have a challenge word. And so I'm never going to be able to impersonate that particular person.

That's excellent. That's fantastic. That's great. And if they did, let's say that this becomes so commonplace, like MFA, and they realized, "I better have a challenge word ready," and the scammer goes and creates an account on Challenge Word. Their challenge word isn't going to be tied to this organization. Right? So they're not going to be able to really use, they won't have the same challenge word that would be needed to conduct that transaction.

Speaker 1 (37:18.95)
That's correct. Yeah. So you still have to be, you are still in control of who you're connected to at the corporation level, right? So you either have a connection with that vendor or you don't, or you have a connection with that sister company or you don't, right? And so you've got to have that set up in the beginning. But if I'm just going and creating my own challenge word account, because like I said, it is free, then I'm never going to be plugged into your network.

Right, your network, your Challenge Word ecosystem. So I'm never going to show up on your list, right? Because when I give you my challenge word, it's going to show you a list of five names. And those five names are going to be completely random from everybody in your ecosystem, everybody in your world of Challenge Word. And this hacker that just went and signed up for a free account, he's never going to show up there.

Exactly. That's fantastic. That's really good. What a nice, what a technical, but not fully technical solution that is another layer of protection in social engineering. It's a really good idea. Glad you lost sleep. I'm glad you lost sleep at two o'clock.

in

Speaker 1 (38:33.226)
And it wasn't just that one night. It was all the iterations that we went through when we found another hole in what we were building. Right. That original one with the word per day. That one got found pretty quickly as we were gaming this out and hacking each other.

Yeah, exactly. You've got to test it. You've got to test it. And like with the mind of a hacker, you got to break it and figure out how do we, you know, reverse engineer this. And, you know, if I were thinking, if my evil Spidey senses were working, how would I exploit this? And then you've got to like shore that up, right? You got to just be like, well, that can't happen because of this. That can't happen because of

Yeah, and in those moments where you actually do get a call from somebody who's claiming to be Bob and he's not Bob, we've got a whole reporting module built into it. So right inside the app, you just say, no, I'm going to report this incident. And I'm going to say, this is the number that they called me from, right? This is the person that they represented themselves to be. This is some of the details about it just right inside the app.

Great, and it can go right to your security or your IT team.

That's right. That's right. That's fantastic.

Speaker 2 (39:39.246)
That's like the, yeah, I mean, Adam, that's like the Phish Alert button in KnowBe4, right? Like you can just have it right in a workflow like this. This looks like a phish, boom, and the security team can immediately know about it and research it and make sure, and they'll let you know, right? It's really good. It's just simple. It's just nice, you know, not a lot of friction at all, and you're really solving a problem. This is really good.

Like I really see the logic here. I mean, because this is one of those where we always just advise, especially the smaller mid-size organizations that are struggling, right? Just to kind of like create a policy, like have them verify independently. But the point is, if they're being told something that's very persuasive by a vendor that they trust from the outside, that they've dealt with in the past, and it sounds like them, or

Coming from an email that looks just like them, talking just like them. It's hard to be like, "Oh, am I supposed to verify now? Like this looks legit." It's like, well, yeah, that's the whole point. Before you do something that releases sensitive information or changes wiring instructions or whatever the scenario is, before you do that, just verify that they are who they are through the challenge.

Yeah, and there's a lot of solutions that I think are coming where you've got AI that's trying to detect other AI, right?

Yeah, then a bit effective, like the AI deepfake detection so far. I've demoed probably five or six of them. And like sometimes they're, yeah, look, it detects it. And it's good, right. But it's close. And sometimes I've uploaded things that I generated with AI that I know are fake. And it's like, "Yep, it's real." And I'm like, well, that's not good. So that like, they're not there yet.

Speaker 2 (41:35.15)
You know what I mean? Like they will be, I'm convinced like it's just a matter of time and maybe the same platforms will be able to be better or a new platform will come on and say, we have version 3.1 and ours is better, right? It could be a competitor. It could be one of the main ones, but that would be really helpful, right? Because we get a phishing email. Okay, we've done our training. We spot a red flag or we recognize in the context and we don't act on it. Good.

Check, right? But then it's followed up by a Teams call invite, and you get on and they're on by audio, or they're on by audio and video, and they look and sound real. It's undetected by the human eye, and all we have now is, well, turn your head or put your hand in front of your face to see if you're real, and the modern AI deepfakes that are being created still work. Like that's not going to trigger.

So we really in that scenario need to be able to say, okay, great. I'll be glad to do that. What's the challenge word?

That's right. And boom.

they're stopped in their tracks.

Speaker 1 (42:43.852)
Becomes an AI arms race. Yeah. And

I love that phrase because that is really what it is.

Yeah. Yeah. And that's terrifying. Am I ever going to be a hundred percent sure that my AI is better than your AI? Right. My AI could be better than your AI this week, but then next week you get an update to version 2.6. Your AI is better than my AI. It just seems like an unwinnable situation.

Now the way I've always viewed it, and I had somebody do this analogy for me and it was good, it was like a shark in the water. The attackers are the sharks, right? And we're always trying to have the systems in place, the policies in place, the compliance, all of that so that we can beat the shark. And it's like, you're never gonna, we're not going to, we don't have to. We just have to swim towards shore faster than the people next to us. Just beat

that guy, like just beat the guy closer to the shark, a little bit out of shape, who's not swimming as fast. And that's what this is all about. It's just about little nuances, doing a little bit more. And that's where you have to know and be able to measure what other organizations like you are doing. Right. So that way you can do just a little bit more within budget, within reason, without a lot of inconvenience or friction, and

Speaker 2 (44:12.95)
just keep yourself away, right, and closer to shore. It's really the most realistic analogy I've heard so far.

We've found an interesting side effect of using Challenge Word. And that's a great analogy about the sharks and swimming faster than the guy next to you. Because from, again, an attacker's point of view, if I pick a target and I call somebody at your company and they say, "Hey, what's your challenge word?" and I know what Challenge Word is, I'm just going to move on to the next target. Right. It's not worth going up again.

Because you're not going to be able to respond and create Challenge Word and get in. It's not like you can come up with a challenge word and have their challenge word and be like, "Here's the challenge word." No, you're not approved. Right? So the system isn't going to give you the challenge word that you need. So as soon as they see Challenge Word, they're just going to move on. Which gets into the entire actual modus operandi of attackers, right? They're more like criminals that are walking through the Target

See ya.

Speaker 2 (45:15.854)
parking lot, like just opening up door handles on the cars. Like they're just trying to find ones. Yes, they could break the window of every car and steal the thing, but that would draw attention. It takes a lot of time. You might get hurt. You might get caught. Really, they're just looking for car after car after car, because there are a lot that are left unlocked. And so.

That's what they're looking for. So just by having it in place, it's like locking your doors. Like it literally is a deterrent, so that they can still go after the people still using "password" as their password, still using "admin" or "12345," and not having a lot of defenses, not having multifactor, not having Challenge Word. Like there's still a lot of organizations like that. So they're going to go by them. They're going to be the slow swimmer right by the shore.

And I think that that's why social engineering is so prevalent to begin with, because am I going to go up against your firewall that's hardened and attacked by bots every day? You know, I'm not going to go after the exterior of your network that is already the super hard, you know, outer shell, or am I just going to pick up the phone and call somebody? Right. I've got a list of everybody that works at your company off of LinkedIn. Right. I know everybody that works there. Yeah, I can go pick my targets.

And those are the places that we're trying to harden up.

Yeah. Well, that's fantastic. We will have links to Challenge Word and to follow you on LinkedIn and everything in the show notes. Adam, I think, I wish you guys nothing but the best. I'm going to mention Challenge Word quite a bit. And I love how it's no cost to organizations under 10 employees, which is really good because it can get people to start to use it. Right. And even

Speaker 2 (47:10.092)
Let's say it's a larger organization. Are they able to start it with say 10 or nine employees start using it? And then they're like, this is really helpful. This has stopped things. Now we're going to pay. We're going to roll it out to the rest of the company.

Yeah, that's absolutely right. You can onboard yourself at any time. And we also do work with 501(c)(3) charities at no cost. So we're really just trying to help protect people and solve this problem of social engineering.

That's great.

Speaker 2 (47:41.784)
Well, I love it and I love what you guys are doing. That is just such a refreshing approach to it. That is, I wish you guys nothing but the best. So we will have links to everything and we encourage everybody, just try it out. Like just try it out. Cost you nothing. And I'm telling you, it's really going to make a difference.

Yeah, thank you.

Adam, thank you so much, sir. We really appreciate it.
