Kip Boyle: Welcome to the Cyber Risk Management podcast. Our mission is to help executives become better cyber risk managers. We are your hosts, I'm Kip Boyle, CEO of Cyber Risk Opportunities.

Jake Bernstein: And I'm Jake Bernstein, cyber security counsel at the law firm of Newman DuWors.

Kip Boyle: And this is the show where we help you become a better cyber risk manager.

Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman DuWors LLP. If you have questions about your cyber security related legal responsibilities.

Kip Boyle: And if you want to manage your cyber risks, just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable and order fulfillment, then you should become a member of our cyber risk managed program, which you can do for a fraction of the cost of hiring a single cybersecurity expert. You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com.

So Jake, what are we going to talk about today?

Jake Bernstein: Today, we're going to talk about the reality and the internet, Kip, because as cyber risks are everywhere and many businesses are at risk, even if you completely set aside hacking.

Kip Boyle: Okay. So we've talked a lot about cyber attacks, hacking, and so we're going to deal with something else. So there's another cyber risk then?

Jake Bernstein: There is, we're going to be discussing an article that was published on newyorkmag.com in late December, 2018, called "How much of the internet is fake?" Turns out a lot of it actually, by a guy named Max Read.

Kip Boyle: I love that. What a great name for an author, right? Maximum reading.

Jake Bernstein: Yeah, totally. I wonder if it's a real name.

Kip Boyle: Yeah, really. Okay, so that was a good article. How much of the internet is fake and what does that actually mean?

Jake Bernstein: So the article is talking about bot traffic versus legitimate human traffic. And so the first question is, is bot traffic really fake? Well, no, it is real insofar as the ones and zeros are concerned, but it's fake insofar as this traffic is meant to simulate real humans.

Kip Boyle: Okay, so in a way the traffic isn't technically fake, but it's a form of fraud. Would you say as the co-host lawyer?

Jake Bernstein: Exactly. We are talking about the cyber risk posed to every company that advertises, both the companies that want to get the word out about their goods and services and the publishers that actually really helps spread that word, which if you think about it is basically everyone. Very few companies have zero need of advertising. And the simple truth is that the internet much like radio and broadcast TV was built with advertising dollars.

Kip Boyle: Okay. So then this is yet another assault on internet ads. Of course, we've got ad blockers and there was a big outcry recently about the incredible amount of resource consumption that ads were engaged in. Just to show an ad caused webpages to load slower and became CPU intensive and so forth. And so people started blocking them just on the basis of performance. Okay, so here's another issue with advertising that is troubling to advertisers and to everybody, I guess.

Jake Bernstein: It is. And what we're really talking about here is a core concept in security. IAAA, which stands for identification authentication, authorization, and accountability.

Kip Boyle: Okay. So IAAA, this is one of the times where I'm glad that we've got acronyms because that's a mouthful and it's a little jargony, isn't it?

Jake Bernstein: It is. But when you break it down, it's actually pretty straight forward compared to a lot of other concepts.

Kip Boyle: Okay.

Jake Bernstein: And what I was going to say it's a core concept for cyber risk managers and it's a constant challenge, not only online, but in the real world as well.

Kip Boyle: Yeah. Okay. Well, let's break it down and look at each one of these in turn. Let's just give a quick definition for each one of these words in IAAA.
So let's start with the I, identification. So this is the first step in this process. And really, it's just asking some computers saying, who are you?

Jake Bernstein: Exactly. Well, I'm me obviously, and you're you, but how do I prove that to you? Whether you're in the real world or online, and that is authentication.

Kip Boyle: Yeah. And authentication is really interesting because there's this great, I think it was a New Yorker cartoon a long time ago, where there was a talking dog sitting at a computer and the dog was looking to his other dog friend. And he was saying, on the internet nobody knows you're a dog. So I mean, it was a clever little cartoon, but it made the point that if I possess the authenticators along with an identity, then all I really know is that there's something out there, a person or a bot that has authenticators and they've used them. I mean, really right now the state of the art is I don't think we can prove any more than that. Can we?

Jake Bernstein: Not really? I mean, you think about what it means to identify, and if you have text inputs, then anything that's capable of putting text into the computer that could be whatever the actual person or thing is.

Kip Boyle: Yeah. Yeah. So really all you've proven is that credentials were entered, and it all starts there of course.

So we've got identification, we've got authentication. And so now the next concept is authorization, and authorization is really about what can you do and what can you not do?

What are you allowed to do? What are you not allowed to do? And then of course, a lot of cyber attacks are about trying exceed your authorizations.

Jake Bernstein: Exactly. Authorization is the simple question of what can you do. And then that links to the last concept, which is accountability and accountability is holding someone or something responsible for the actions that he, she, or it takes.

It's really about an audit trail, being able to recreate what happened and ultimately being able to prove the identification authentication and authorization pieces. And it's a major, major challenge. There's a lot of identity management products out there that all try to help solve this problem.

Kip Boyle: Yeah. Yeah, it's really hard to do actually. In the work that I've done in my career leading up to being a chief information security officer, it was a struggle to get this right, because even if we had all the right products and pieces and parts in our tech stack to do it, the number of systems that people access and the way they're architected can work against the ability to who achieve this. I'll just give you one example.

So you might have this database of transactions and then you have some business logic that you're using to govern how those transactions can be formed, and that business logic can be sitting on a server somewhere separate from the database, could even be on the same server.

But the idea here is that you've got people interacting with business logic, and then that business logic is talking to the database. And often what happens is the way these applications are architected is that you can get IAAA through the end user and at the business logic layer. But beyond that into the database, you typically don't get what's called end to end accountability because the business logic talks to the database and proxies all the traffic because that's more scalable and less administrative responsibility than trying to account for every individual's actions in the data store. So anyway, just wanted to shine a little bit of light on one reason why it's really hard to get end to end IAAA.

Jake Bernstein: Yeah. So if you had to use a single word to kind of summarize this IAAA concept, what would you use?

Kip Boyle: Oh, that's easy. Trust. It's all about trust, right? It's all about did everything that happened, was it an authenticated user who was authorized to do it? Did they exceed their authorizations? And all of that really just boils out to I trust what's going on here.

Jake Bernstein: Yeah, and trust obviously is a huge component of online commerce online advertising, I mean, why do we put our credit card information into a web form? Well, presumably we trust that not only will we get what we order, but also that we won't be charged for things we haven't ordered. And I think that when you get down to it, that is the core of this how much of the internet is fake issue.

Kip Boyle: Yeah. Okay, so that brings us back to the article now that we know what IAA is, and we know that really it's all about trust. So that takes us back to the article. And so what stuck out for you?

Jake Bernstein: Well, first, there's this estimate, and I've heard various versions of it, but up to 40% of all internet traffic is nonhuman. Which to me certainly sounds like a recipe for automating cyber crime.

Kip Boyle: Oh yeah.
Yeah.

Well, so crime these days is already automated, if you think about it, if I can download a free tool that packages up a sequence of steps that lets me commit a cyber crime without having to laboriously conduct those steps myself by typing a lot on a keyboard, if I can just buy a piece of software that automates that I've already started to automate cyber crime. But yeah, this takes it to a whole new level because now I don't even have to sit at the keyboard. And in terms of this advertising here, and by the way there's other implications that we're going to get to beyond advertising. So for those listeners who don't think that they have an advertising angle to your life, keep listening, because we're going to tell you how this all is going to play out, but you got to automate in terms of advertising, because advertising depends on clicks and the amount of money we're talking about per click is pretty small.

So it really, isn't economical to sit a bunch of live human beings at keyboards and click on ads for the purposes of defrauding, right? So you've got to automate the actual clicks. So that's what's interesting.

Jake Bernstein: It is. And there's a lot of different types of advertising models. So CPC is cost per click, and that's what you were just talking about. There's also cost per lead, cost per view, cost per mill, which looks at how many thousands of impressions you get per cost. And all of those are susceptible in various degrees to this click fraud and advertising fraud.
So I think focusing on one of those would be helpful for our audience.

Kip Boyle: Yeah. So we can just talk about cost per click, for example, because I think that has the most interesting ramifications. And another aspect of this too, is that typically you're showing advertisements to unauthenticated unidentified people, right? It's really the same as driving down a freeway and seeing a billboard, the people who put up the billboard really don't have any idea who's actually seeing it. They're just counting on people seeing it, and they can count cars driving by as a way of having some idea of who's seeing it.

What's great about cost per click or what seemed great about it is that it's not just somebody looking at a screen, it's that they've actually clicked on it. And so that's a kind of interaction that can lead to measurements. And I think that's one of the reasons why it was so attractive.

Jake Bernstein: Yeah. Well, and it's not quite as I would say that it's actually pretty easy to get much more information about your audience online than a billboard. Certainly that's what all of the big publishers would want you to believe. For example, all of the tracking online, all of the cookies, all of that goes to determining who my audience is.

So it's not necessarily authenticated traffic, but it is identifiable quite often.

Kip Boyle: Yeah. And if you're Facebook, you're Google, you're Microsoft, anybody who's selling online advertisements these days are in part justifying your spending money with them, by saying, look at all the great data you're going to get. You're going to know if your ads are being seen by your target audience, right? So that was sort of the basis for a lot of the money being funneled into this online advertising.

Jake Bernstein: It is. And so there's a lot of money to be made. It is automated, which means that the money is passed based on an internet action in this case, as we're talking about it clicks on links. And every link has a series of code in it that can be used by the publisher and the advertiser to figure out how much are you going to get paid every month?

And the problem is that there have been these recent bot nets, which are massive conglomerations of computers usually infected by malware, that really they fake not only the clicks, but all the behavior that goes on before the click, which is really fascinating if you think about it, because what it means is that the fraudsters have determined how to fake a person who is going through the motions of visiting different websites, conducting searches, browsing the web, and all of that allows them to generate much more money than if they just had an automatic clicker that click links randomly.

Kip Boyle: Yeah, well, because here's the thing is that if I'm looking at the traffic and if I'm an advertiser and I'm looking at this traffic, there are tell tale signs of click fraud as it's been known to this point. I mean, you can see it. Old fashioned click fraud was automated and just the behavior that was being recorded was just not human.

And it was missing a lot of context around it. Like what site did they come to before they landed on your page? And what was the actual sequence of events? Did they click on anything else before they clicked on the ad? What did they click on after they clicked on the ad? And so by analyzing the logs, to this point, you could pretty easily distinguish basic click fraud in the past from a typical user behavior that was logged.

And so that's what the criminals needed to do, is they needed to up their game and they needed to be able to produce logged or accountability, that mimicked human behavior. And this is where it really starts to get interesting beyond advertisement fraud. This is where you start, at least for me, it started pinging for me like, oh my God, gosh, if we can start automating human interactivity to the point where I can't tell what's a real click and what's not a real click by examining all of this log data then okay. So then that means anything that I want to do in terms of IAAA where I want to say that I'm going to measure you, that I'm going to know it's you Jake, because of the way you type on your keyboard, or I know it's Kip because it's the way he moves his mouse.

And those are forms of authentication that have been proposed, systems have been built that as proposed would do away with passwords, because we can tell that Kip types a certain way, and Jake clicks a certain way. Well, if we're going to authenticate people based on that, given the state of the art for ad fraud, to me, I don't think it's that big of a leap for criminals to get a piece of malicious code on my computer and then record me typing on my keyboard and clicking my mouse and then turning around and taking those biometric signatures and going to Kips bank and Jake's bank and defeating those forms of authentication.

So it's really annoying because those forms of authentication really haven't even had a chance to make it very far out of the laboratory and they're already going to be defeated.

Jake Bernstein: Well, and that's why multifactor authentication is such an important tool in your toolbox here. It's true I can record my mouse movements and my keyboard style, but if you have to start recording my fingerprint, my retinal scan, my passwords and use all of it together, then obviously we've made it much more difficult for the bad guys to fake authentication.

Kip Boyle: Yeah, and we're also making it harder for legit people to get their stuff done. I mean, this happens all the time in the real world even, where you are trying to combat some kind of crime. And so you make it harder and harder and harder for people to do stuff. And the people who end up bearing the burden of that difficulty are your legitimate customers, because they're the ones that are willing to sit there and go through these hoops in order to do business with you. And God, it's so frustrating.

Jake Bernstein: Well, and that-

Kip Boyle: Go ahead.

Jake Bernstein: That's the best example is recapture. I hate those things.

Kip Boyle: Yeah, it's annoying. But you can see what it is, right. It's an attempt to add another hoop to jump through that makes it difficult for a bot to jump through, but easy for a human, although it's annoying that we have to actually click into that, but with this click fraud going on now with the advertising, based on the article that we're talking about here, recapture's dead, because if I can program a bot to click on an ad, I can certainly program a bot to click on a recapture. Right?

Jake Bernstein: So computer vision is what is necessary to get past recapture on an automated basis. And that technology is basically here. For a while, there were these horrible sweat shop click farms where people usually in places like China, Indonesia, the Philippines would be paid very little to sit there and solve captions. Talk about a horrible job.

Kip Boyle: Right. Yeah to look at a picture and then say, please type the numbers in this picture. But you know what, if I lived in a country where it was that job, or being out digging ditches or performing other types of manual labor that was dangerous. I'd say that the computer please.

Jake Bernstein: Oh yeah.
Well, and of course, like I said, computer vision is rapidly rendering those types of authentication challenges completely obsolete.

Kip Boyle: Yeah. Well we've got to be careful about what we use for authenticators, by the way. I do not want my retina to be used as an authenticator simply because I can't change my retina. Unlike a password, which I can change if it gets compromised, I cannot change my retina. So I don't like that idea. I don't like fingerprints either because I can't change those it's possible that we could have different algorithms that reduce my fingerprint or my retina to a different mathematical value based on the algorithm chosen. But let's just stay away from those.

Jake Bernstein: Well, you obviously haven't seen "Minority Report". You can go get new eyes and new fingers.

Kip Boyle: No, I haven't seen that yet. And I don't think I want to go through it, but-

Jake Bernstein: It's a good movie. You should watch that.

Kip Boyle: Yeah. I absolutely have, and there's been other really good science fiction movies that I think have done a really nice job of exploring just what does it mean to use biometrics as an authenticator. Gattaca was another great example of that, but I'm testing something right now that I want to mention. It's called the security key, which I think is kind of a silly name because what keys aren't meant to facilitate security. But anyway, the one I'm using right now is a YubiKey and it's made by a company called Yubico. It's spelled Y, oh my gosh. If I misspell this thing, everybody's going to be really, really upset with me. So I'm going to actually look it up here.

Okay. So Yubico is Y-U-B-I-C-O.

And YubiKey is Y-U-B-I-K-E-Y. Much harder to spell than it is to say, but anyway what I like about these security keys is that they actually have a couple really neat features. One feature is it's like Google authenticator or Microsoft authenticator or SecureID tokens, where it generates one time passwords, which is really great, but what's even better about a key and anything like it, because there are competitors, you can get other brands of these security keys, is that they don't transmit the authenticators over the internet. So that means a man in the middle attack isn't going to work on these things.

The other thing that I like about them is that they have a sensor, a touch sensor on them. So when you are asked to authenticate, you have to touch the sensor. Now it's not reading your fingerprint. But what it's doing is it's making sure that a living human being is touching this thing.

So it's got the ability to detect a human touch to it. And so when we think about the kinds of fraud here that we're talking about and how can we skirt around the use of these bots to commit more fraud than just ad fraud, I think these security keys are worth a look.

Jake Bernstein: Interesting. Yeah. I mean, what happens if you lose it?

Kip Boyle: Yeah. So that's a great question. They already have an answer for that. You have to buy two of these things is the way that it works. So you carry one around and by the way, they don't use a battery. They are very, very simple. You can step on them, you can drop them in water and they will not break. And so they're very durable.

But yeah, you really have to have two, so you carry one around and then you sort of have one in reserve, and at first I was kind of like, that's kind of annoying, but then I thought, well actually my house key, I have two. I've got one that I use every day and then I have another one in a safe spot in case I lose my main key. So I thought, well, really, that's not too much to ask, I'm already used to doing that.

Jake Bernstein: Yeah, interesting.

Okay, so there's a lot of faking that's going on. And I think that what's at risk on the internet from the faking isn't really truth. But as you said earlier, trust and the sense that the people and things we encounter are or are not what they represent themselves to be. And the cyber risk here is clear. This lack of trust is going to harm legitimate transactions that all of our listeners are trying to engage in over the internet, either as individuals or as companies.

Kip Boyle: Yeah, a buyer or a seller, doesn't matter. You want both sides of that transaction to be trusted. What's great about credit cards. What made credit cards really great was that if I bought something from you, Jake, using a credit card, I didn't have to worry about whether I could trust Jake or whether I had to trust Jake. I could trust the credit card because I knew that if Jake was a scammer, that the credit card company would give me my money back. And that was the basis for the transaction fees.

One of the basis for the transaction fees was to compensate people for fraud loss when they did business with another party that they didn't know.

Jake Bernstein: Yeah, exactly.
So do you have any other closing thoughts on this very complex and nearly impossible to solve issue?

Kip Boyle: Yeah. So just a couple closing thoughts. So one of them is that we talked about how cyber risk is something that changes all the time. It's not like fire, which is a static risk. The nature of fire never changes. It's always a combination of oxygen, fuel and heat. And so because we know that we can develop defenses against it that are pretty well long lasting. And we come up with a set it and forget it kind of a way of dealing with fire. And we layer it with insurance just in case we've got something wrong. But I think what this episode is really doing aside from the specifics is just reinforcing the fact that cyber is an innovative threat, that the people behind it are always trying to find new ways to defeat us.

That means we're in a perpetual cat and mouse game. And so two years from now, three years from now, somebody listening to this episode might actually say, oh, that's so cute and quaint because that's what it was like three years ago, but things have shifted so much so fast that this stuff is water under the bridge. There's so many other new things coming on now that that stuff doesn't even matter anymore.

And so we just have to keep staying up with this stuff. I mean, this YubiKey that I told you about, five years ago there were YubiKeys available for sale, but I didn't pick one up. And the reason why I didn't is because the pervasiveness of man in the middle attacks wasn't that great, and so I could count on all these other authenticators. And then before that, I didn't even use an authenticator, I just used a password.
So things change all the time. And I think that's an important takeaway.

Another thing I want to mention is I just want to give a little disclaimer, we evaluated a newspaper article here, but we're not saying that this is your top cyber risk by any means. So just because we talked about it doesn't automatically mean it's a top cyber risk for you.

It may or may not be, so just be careful that you are setting your own priorities based on your own unique needs.

Jake Bernstein: Absolutely. Without question.

Kip Boyle: Okay, well that wraps up this episode of the Cyber Risk Management podcast. And today we talked about how ad fraud is not only causing a problem with advertisers and their money, but also we think is going to bleed into other areas involving IAAA and the way we authenticate ourselves on the internet and the basic trust. So thanks for tuning in. We'll see you next time.

Jake Bernstein: See you next time.

Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management podcast.

Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR, and IT for full effectiveness.

Kip Boyle: And management's goals should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee.
So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.

Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com.
Thanks for tuning in. See you next time.