MGM Grand breach: How attackers got in and what it means for security

Chris Sienko: 0:00

Wow. Today on CyberWork, we're talking about last September's breach of the MGM Grand Casino chain. It's an attack that led to a week of tech failure, downtime and over $100 million in lost revenue. The attackers were able to get in via a point that my guest, aaron Painter of NameTag Inc, said is a common point of failure the request for a password and credential reset from the help desk and the ever-frustrating security questions approach to making sure that they know who you really are. Nametag Inc is built to create an alternative to security questions and go beyond even MFA multi-factor authentication to create a method of verification that is even resistant to AI deepfake attempts. So this conversation goes into a lot of interesting spaces, including career mapping, the importance of diverse design teams and the benefits of security awareness training. Plus, you're going to learn about an amazing piece of emergent tech that is going to absolutely change the way we do verification and that's coming up in just a moment today on CyberWork.

Chris Sienko: 1:01

Hello and welcome to this week's episode of the Cyber Work podcast. My guests are a cross-section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends, the way those trends affect the work of infosec professionals, and leave you with some tips and advice for breaking in or moving up the ladder in the cybersecurity industry. My guest today, aaron Painter, is the CEO of NameTag Inc. The company who invented sign-on with ID as a more secure alternative to passwords. After watching too many friends and family fall victim to identity theft and online fraud, aaron assembled a team of security experts to build the next generation of online account protection. Nametag has a mission to bring authenticity to the Internet and enable people to build more trusted relationships. They believe security should be centered around you, the user, and that your identity, like your privacy, is a valuable asset worth protecting.

Chris Sienko: 1:50

Previously, aaron was CEO of London-based CloudReach, a Blackstone portfolio company and the world's leading independent multi-cloud solutions provider. He also spent nearly 14 years at Microsoft in a variety of product sales, marketing and executive leadership roles, including BP and General Manager of Business Solutions in Beijing, china. General Manager of Corporate Assets, accounts and Partner Groups in Hong Kong. Chief of Staff to the President of Microsoft International based in Paris, france. And General Manager of the Windows Business Group while stationed in Sao Paulo, brazil. Wow Erin is a Fellow at the Royal Society of Arts, founder fellow at OnDeck. A Braintrust Advisory Board member at Silicon Valley Bank, a member of Forbes Business Council and a senior external advisor to Bain Company, as well as was named the AWS 2019 Consulting Partner of the Year for his work at CloudReach.

Chris Sienko: 2:39

A frequent media commentator, aaron has appeared on Bloomberg and Cheddar News and is also an active speaker, advisor and investor to companies that are pursuing business transformation. So today's episode, as you've probably seen in the description, we're going to be talking about an event that happened last September. This was the MGM Grand Casino breach, and Aaron has been digging into this and he has some thoughts on some of the things that went down. So hello today, welcome. Welcome. Thanks for joining me, aaron, and welcome to CyberWork.

Aaron Painter: 3:08

Thanks for having me, chris. It's humbling to hear your biography read, so I'm grateful for all the background. I feel like people already know me so well.

Chris Sienko: 3:15

Yeah, happy to do it. So, yeah, it gets me in the mood, it gets me ramped up as far as information goes as well. So, aaron, looking through your accomplishments and your career, it's clear that you've been very tech-focused for a long time. This is not something that came to you by accident. So when did you first get excited about computers or tech or security? And do you remember if there was like an initial spark? Was there someone who was a friend who showed you a computer? Did you have computers at home when you were a kid? You have them at school. Like, where did this all start you?

Aaron Painter: 3:45

know I did early on. I still remember my father bringing home a big, heavy computer and it was a compact I think, and the keyboard flipped out and the monitor sort of went up, and for that I might have even had a compact computer, a commodore 64 I think. Anyway, they go way back, but I love the intersection always of technology and, frankly, business. You know how can technology be used in new ways to really change our lives? And I feel grateful in many ways fortunate, that we've sort of been around or to have my career, to kind of been born in this era of just technology and software changed. This new period of AI even more so because it creates so many new opportunities to take technology and apply it to parts of lives, hopefully to make it better.

Chris Sienko: 4:31

Yeah, now speak more about that. I mean, well, you know, when you said you were excited about the sort of confluence of technology and business, like where did that come from? I guess I'm sure you know, because I'm imagining, uh, you know, young aaron, counter 64 playing, jump man playing, uh, you know, whatever, um like where, where does where does the business come in? What was the first sort of draw of the sort of technology end of business? Is this like the start of the dot-com boom or like what are we talking here?

Aaron Painter: 4:58

you know I wasn't into sports as much as a kid. I kind of loved understanding just different companies and what they do what, what did this company do?

Aaron Painter: 5:05

And there were the people who worked there and you know what do they sell, and whether that was a you know blockbuster, video rental or you know a bank, I was always really curious like, oh, how did that work? How did that company make money? Why, what do they sell? And so the concept of being able to take technology and say, oh, maybe somebody can buy something in a different way or experience that product in a new way, it just got me really excited. And so, you know, at the point I got to high school I even said, gosh, technology, the internet is this huge tool.

Aaron Painter: 5:33

And I literally went department by department at school saying, hey, can I help you put the department and the class descriptions, the syllabus, online. And you know, the faculty heads and the departments then were like, wow, okay, this seems like a new thing. The internet let's, you know, sure you can help us do that. And no one else was. And to me that was just really fun. It was how can you use technology to transform, you know, early call it education experiences? Now, did someone fundamentally learn different because we put the class syllabus online? No, but it was a start. And then more and more people were able to put more things online and subscriptions and eventually people were collaborating online and doing things in different ways. But that concept that technology can sort of touch or change any industry has been with me really my whole life and career.

Chris Sienko: 6:14

Yeah, that sounds like it. That was. That was further back than I realized. I thought it might start with like a international business degree or something in college. But you were really and that's interesting too, because it seems like you know, from an early on you were kind of looking at any function around and you're like, how can we automate this, how can we, how can we sort of augment this, how can we do you know? And yeah, and I think I'll use that, even if it didn't change fundamentally how people learned it also like lowered your initial discomfort, like you were. I mean, you, you know, I know the 10 000 hours thing has been kind of discounted now, but you've, you know, you were doing things before you had a chance to realize that you know, uh, you know people your age don't do these sorts of things, you know. So that's that's really interesting to me, um, in terms of like the excitement and and how the learning curve speeds up, like that yeah yeah, so, um, yeah, I want to talk to you.

Chris Sienko: 7:03

obviously, we had a long intro. We learned some of your previous roles and I would love to hear about some of the key moments in some of these, or some experiences that maybe got you where you are now as CEO of NameTag. Like you said, you had a number of interesting roles with Microsoft, for example.

Aaron Painter: 7:20

Yeah, microsoft was an incredible platform because we had really cool products that touched a lot of different things, from Xbox and consumer all the way to enterprise servers, security tools, productivity and Windows kind of in the middle and we had all these really big companies. I mean, most companies in the world were somehow using Microsoft products, particularly during that period, and the question was, you know, were they paying for it some cases pre-cloud or were they getting the most value out of what they were paying for? But it was just this neat platform where you had all these companies that were using technology or wanted to use more technology, and then this incredible powerhouse of engineers building stuff and building amazing tech. And so I found myself. I started in product. I was the first product manager for Office Back in this period when we had the individual apps Word, powerpoint, excel and we said what happens when you bring them together into something collective? We called it the Office System, which meant end-user client-facing things as well as kind of backend and server technologies. You now think of that kind of as Office 365. But it was incredible and I loved it and I got to work with a lot of different people across team and the Windows team and server and tools, as we called it.

Aaron Painter: 8:24

But I was based in Seattle at that point and I had gone to college in the UK and I said, you know, I really I feel like there's so much more happening in other countries at this period. There's just so much growth and so much to learn and so much I'm curious about. And so I took this really neat job, based in France, when my manager was sort of the head of everyone at Microsoft who worked outside of the US, and so it was this really neat opportunity to go visit different countries. You know we visit 31 countries a year. We, you know, fly in, fly out, meet governments and customers and employees. And it really got to learn how is technology being used in this particular country, in this market? We'd sit down with enterprise customers or, you know, governments, even, even, and say where can technology help? You understand, obviously, what it's like to run a government. We understand tech really well. Can we find intersection points to make the government more efficient, or your citizen-facing experiences better, or whatever product you were selling and manufacturing, or financial services? So for me it was really kind of this playground of the stuff I loved of finding that intersection of those two points.

Aaron Painter: 9:26

So I did that for a long time several years, eventually, then spent several years in Brazil and then ultimately five and a half years in China two in Hong Kong and then three and a half in Beijing and running kind of Microsoft's enterprise business there, which was this really fun entrepreneurial opportunity to kind of build the next generation of Microsoft. A lot of that meant cloud computing at the time and Azure and CRM and ERP solutions and how do you help companies use that in new ways to build kind of new business models. And it was super for me, really fun, great education and learning, but also a great chance for impact.

Aaron Painter: 10:03

You know, in the early days I felt like I didn't quite fit in because I didn't speak chinese. I wasn't fluent. I've got better and can understand some, but you know, I go to these conversations. I'm like who wants to talk to me, the guy who doesn't speak chinese and you don't speak much english. Right, and ultimately what I learned pretty quickly was people were intrigued to the fact that I had experiences in other parts of the world and working with other kinds of companies, and so even if we needed a bit of translation help, we were kind of getting our words garbled, we were learning from each other and that became yet another just huge accelerator opportunity to kind of apply technology into new use cases.

Chris Sienko: 10:37

Yeah, that's boy. That's a really interesting story, especially, you know, when I think of people at that age in their career, usually it's you know, you're at one place and you're like drilling down into like one thing you're learning, you're making a product or you're learning a product, and it's so interesting that you were literally globetrotting and and seeing, you know we have, you know it was, you know, it's like I'm sure you went deep as well, but it's like the sort of like mile wide, inch deep, where you were like putting pinholes in all these different places and it's like what's going on here? What's going on here, what's going on here? And so I imagine that has to have affected how you thought when you did you co-found NameTag.

Aaron Painter: 11:16

I know you're the CEO of it, but yeah, I have some really early team members that I consider like co-founders, but when we started in tech, it was kind of started as me, and we quickly said you know where do we bring really smart talent, and particularly in the cybersecurity domain, to the table to ultimately build what we created.

Chris Sienko: 11:32

Yeah, yeah. I mean, what was the initial spark for creating that and what was the process like? Were there any like setbacks or challenges along the way?

Aaron Painter: 11:39

Yeah, I think any building something new is never easy at any point in life or career, but there's also a great opportunity often to learn and have an impact, and for me, it started very personally, I had several friends at the start of the pandemic and March of 2020. I just left my previous job and I was kind of thinking about what to do next. And, you know, everything was moving digital and the branches were closed and offices were closed, and I had several friends and family members who had their identity stolen and I said, all right, I'm going to be a good friend and be good son, like, we're going to figure this out, let's jump on the phone together. And every company we called said, oh, before I can help you, I have to ask you a few security questions. You know, I had one a couple of days ago that, literally, it was what is your middle initial? And I said, really, Come on. Like I don't feel safe because someone answered their middle initial.

Aaron Painter: 12:26

And it turns out, in that case, we weren't safe and someone had called before us, they had answered those questions and they'd taken over our accounts. Wow, and so it's not that surprising, frankly. And so I said, all right, there has to be a better way. There has to be a way to know who is the actual human behind a screen, whether they're on the phone or they're logging into a website. And so I said can we make KYC? You know this, know your customer process, which is kind of common in financial services. When you open a bank account where they might ask you for some form of government ID If it's done digitally, maybe government ID and a selfie it's a familiar flow. Can we take that and make it somehow reusable? Because it's interesting when you know the bank asks you to verify your identity when you open the account, but when you call the transact they're back to these security questions.

Aaron Painter: 13:09

And so we said, all right, that's the goal, let's figure out how to solve that. And we thought we could use one of the many providers out there who did that kind of flow and then find a way to make it reusable. And it turned out they weren't built for that. They weren't built for security, they weren't built for anti-fraud scenarios. They're built kind of for regulatory compliance, like has the bank done a plausible job of verifying who this person is? Great Must be good enough. Let's move on. And so we realized we had to reinvent how someone did this remote identity verification using a government ID and a selfie. And we did.

Aaron Painter: 13:40

Our big pivot is to mobile. And so, instead of every other sort of know your customer flow where you scan an ID and a selfie, we don't do it in a web browser, because when you do it in a web browser they're susceptible to a lot of risks and a lot of fraud. You can imagine it's not quite this easy. But going to chat GPT and saying here's a photo of me, make me an Illinois driver's license and it spits out a PDF. And literally these tools are upload pdf and you upload the pdf that you just created and it's kind of garbage. And so by switching to mobile, we're able to do a lot of more advanced things and turns out what is a very fast and user experience that feels kind of slick and native. But we have the 3d depth map camera, for example, that you might use for face id. We have the secure enc the cryptography on the mobile device, meaning we know that the camera on the device is used to take a picture of your ID or of your selfie. We know that someone isn't injecting or manipulating it with maybe deep fakes that we can talk more about. So just by using mobile phones, you're able to get a much better experience that turns out is much more secure, and then you're able to use it in a variety of different use cases.

Aaron Painter: 14:45

Right, so you ask challenges, and so one of the big ones for us was going down. We built this really cool thing when is it useful? And we had a lot of great ideas, and then we got pushed really early by an advisor who said hey, you know, I have a company where we've rolled out MFA, multi-factor authentication for a lot of our customers and it's going great. I feel you know their accounts are more secure. However, a lot of people are getting locked out, they're losing their phone, they're upgrading, something went wrong, and every time someone gets locked out they have to call support, they have to call the help desk and every time they call the help desk.

Aaron Painter: 15:18

One, it's really expensive to create a support ticket and solve it. Two, it's really risky because if we get it wrong, if we let the wrong person into this account, it's just sort of a side vector for someone to take over an account, a lot like what happened to me with my friends and family members. And so they said can we use name tag before we sort of do a password or MFA reset in a secure way? That's an awesome application. And so we built some tools for help desk agents, initially to be able to do those verification flows in a much more efficient way. And then eventually that company and others started to integrate us not only into their help desk but into their product, where you know you can go and say, hey, I am locked out, okay, do you want to contact support or do you want to use name tag to get back in right away? And it became sort of an automated self-service way to reset someone's MFA. And all of this was pre sort of MGM, which I'm sure we'll come to but it turned out.

Aaron Painter: 16:08

then, in August of last year, this became the sort of cyber attack of the moment where people were calling the help desk, pretending to be the account owner and taking over an account, and that was a time at which we had built a solution that was kind of purpose built for that scenario.

Chris Sienko: 16:25

Wow, yeah, okay. So yeah, we're going to. We're going to get to that in just a moment here. I want to stay on name tag for just one more minute here because, again, the purpose of the show is to help our listeners imagine and visualize and work towards their, their future careers. And you know, I know, once you, once you get to the C-suite and you know the all the acronyms that go with that, it gets harder to sort of standardize the roles and responsibilities, like a CISO at one place might have a completely different role and responsibility than a CISO at another place. So, that being said, what is an average work week like for you as a CEO of NameTag? Are there certain things that you do every week? Do you have certain standard challenges? Does it change constantly? Are you just kind of like hanging on? Do you have certain standard challenges? Does it change constantly? Does it you know? Can you? Are you just kind of like hanging on for dear life the whole time, or what?

Aaron Painter: 17:10

No, I think that the normal set of responsibilities that you think about across a company, you know, ultimately, in a CEO role, all of those things sort of fall on you. I don't expect to be the best at any of them, or the certainly not. I hope I'm never the smartest person in the room on any of those solutions, but oftentimes you have to know enough to be able to cover, um, any of those functions. And so, whether that's product, whether that's engineering, whether that's, uh, marketing, whether that's finance, whether that's, you know, hr issues, whether it's hiring and finding great people, uh, or you know, solving logistical issues with state tax, registrations and so forth, down to kind of most important, which I think is kind of most important, which I think is kind of managing and creating a culture in an organization where people can kind of solve their own problems and and help build the great company. Um, so the ceo role is kind of unique.

Aaron Painter: 17:55

But you know, more importantly I think to your question, the, the type of roles in any company are really different based on the size and the stage of that company. And you know, microsoft was this really neat place to go have impact at really big scale, but oftentimes the roles were much more narrow. I was kind of fortunate I found some roles that let me be quite broad. But for the most part you know, you, you, the system is designed at a big company that you nothing can break it Like. You have enough redundancy in the system that one person can make a difference but at the same time one person can't really. You know there are exceptions but can't like break the company or bring down the company.

Aaron Painter: 18:29

Yes, and you kind of need that right For their investors, for all the customers that rely on that company. You need resiliency, you need redundancy in the system. You know earlier stage company though you know one person really can make a difference and you know when one person's on vacation, like they're really missed, can we survive, can we get on, of course, but it makes a difference.

Chris Sienko: 19:10

No-transcript amazing point. I'm definitely uh gonna time mark that for uh for a clip here, because I think that that's uh, that's worth saying twice. But um, uh, also, I'm wondering if you have any thoughts on whether it's more worthwhile to go from one to the other, like you said, you know, I mean for someone just getting started, you know, if they feel like they have the personality to just go in and just be a serial startup person, versus like getting your sea legs by going to like a Microsoft in China or something like that and sort of learning the rules and then learn how to break the rules. Do you have any thoughts on if there's any benefit to sort of progressing one to the other or if it doesn't really matter?

Aaron Painter: 19:53

I think there are really good pros and cons both ways and I can make a strong case in both directions. What I do think other things really matter. I think there's stuff beyond what you do in your actual role and the types of experiences you have in life. Maybe that's what you studied or where you lived or what you know, kinds of things you did in activities as a kid or you do outside of work. All those things can be interests and they can be um ways for you to sort of experiment in an area that might help shape where you want to balance.

Aaron Painter: 20:21

You know, let's say you, you know, went to a big name college of some, so you might feel like you have brand validation of sorts on who you are and maybe you're ready to jump into something where the brand isn't really known. You know, maybe you went to a lesser known college and you're like gosh, this, this employer, gives me some sort of brand credibility to the outside world. Those are not the most critical factors, but those are the kinds of things to I always think about how do you balance and where are you going to learn? For me, what drove a lot of my career was what am I going to learn in this role and can I have impact Like? I don't believe in showing up for a role simply with you know, I don't. I don't interview with oh, I would love to work in this job because I'm going to learn A, B and C. That's wonderful for me. That is not what you, what an employer, wants to hear.

Chris Sienko: 21:00

No, right employer wants to hear.

Aaron Painter: 21:01

Here's why I'm going to have impact in these sort of areas. Yes, by the way, you want to have impact, you know and you will learn through doing that, but you take jobs to go do and to get stuff done. Uh, and learning can help shape which roles might be the right ones, though yeah, no, that's, that's great advice.

Chris Sienko: 21:15

thank you, uh, so yeah, so we'll get to the main story here. As we said at the top of the show, obviously, today's topic is uh, from last, the MGM Grand Casino chain was hit by a cybercrime group. Over the course of six days, this group burrowed deep enough into the MGM network infrastructure to implant ransomware, get at least some personal data from casino customers and effectively just shut down connection and operations for several days in a row. I know they said that they were writing people's totals on pieces of paper and stuff like that, and it led to a loss of an estimated a hundred million dollars at least. So, to get our listeners caught up, can you walk us through like a brief version of the events in this week in 2023, and what made this attack unusual?

Aaron Painter: 21:54

Sure, yeah, because this is a cyber crew. I'll give a little bit of context around that specific event, because it's important to think about the industry and how the industry was prepared or responding. It turned out, you know, earlier in the summer, shall we say Okta issued a post on their blog and said hey, we're starting to see certain types of activity that might lead us to think that this is a risk, and so this is sort of interesting. A lot must have happened for Okta to feel like that statement needed to be made. And then there was a new. There's an SEC the Securities and Exchange Commission has a cyber disclosure rule that was set to go into effect at the end of the year. It's in effect now. It wasn't yet, but MGM, like other organizations, said you know, we're going to be proactive and we're going to follow what we know is an upcoming reporting requirement, which means once they become materially aware of a situation, they need to share publicly that that situation's happened. They don't necessarily have to do in the middle of understanding what's going on or the crisis, but there's some time limits and guidance around that. So MGM disclosed that and said oh my gosh, what's going on? It turned out at the same time, mgm couldn't ignore what was going on because their customers at casinos in Vegas and elsewhere were experiencing it firsthand, yeah, and so we later kind of understand what has happened to be.

Aaron Painter: 23:11

There's a particular group that goes by different names, but one of them is sort of scattered spider and they claimed accountability for this particular action.

Aaron Painter: 23:20

And they got really good at taking advantage of the weakness we have in this world of calling the help desk and asking to have your account reset. So they went and researched an employee at you know, at MGM you know, conceptually, their LinkedIn page, found out what they did, found out what the type of work they did, got data that was sort of answers to the security questions. They might have taken over the person's phone number, which basically means you call your mobile carrier and you do the same thing, which the telcos also struggle with. Oh hi, it's me, I got a new phone, can you please transfer my phone number to the new one? Yeah, how do they verify it's you, except for the same security questions? So they took over the phone number, then called the help desk at MGM, pretending to be an employee happy to be an employee, who had good access credentials. They were able to answer the security questions. In fact, it turns out they even got some of them wrong. But that's what we consider to be social engineering.

Aaron Painter: 24:10

Close enough yeah To convince right Convince that help desk engineer that they were the rightful account owner and they had to get back to work and they needed their account reset. Rightful account owner and they had to get back to work and they needed their account reset. Help desk person did it. The bad actor then went in and caused sort of all of this damage across the organization, eventually ransomware and you know a whole bunch of other things. You know almost system by system. Once they were inside.

Chris Sienko: 24:30

They moved really fast. It seems like, didn't they? They were, like they it was. It was very, it was very well organized. At that point it sounds like you know was it it's.

Aaron Painter: 24:37

You know we've learned more and more from from a lot of people involved in the incident, but most recently the Wall Street Journal actually just did a big investigative report on this. You know kind of a month of reporting, some really thoughtful work there, and so it goes into a little bit more detail. But yes, I mean it was a huge, huge issue for MGM and the impact was massive. People couldn't check in, the reservation systems were offline. You know we had government officials showing up for conferences in Vegas writing their credit card numbers on post-its at check-in like just unacceptable things, oh yeah. But you know, what was so odd was this was only one of many, and so what continued then? We later learned that some reports have, you know, up to 230 organizations were also impacted alone in the last couple of months of last year and those numbers have just skyrocketed. Basically, this bad actor group and others are now targeting other companies just doing the exact same thing.

Aaron Painter: 25:31

And so back to our Okta story. To complete it, okta came back and said after the MGM attack happened, they were aware of this sort of vulnerability and their advice was to do something called visual verification, which means a little bit like our calls jump on a video conferencing platform and you know, see who you're talking to, maybe ask them to hold up their ID. But see who they are, see if they match, maybe a photo you have of them or what they look like, and then you can proceed and reset their account Right. Trouble with that, obviously, is it's very time consuming, it's expensive, it's frustrating, and then it turns out in the world of deep fakes. More to discuss, it's not always accurate.

Chris Sienko: 26:07

Oh, my stomach hurts already. Ok, so yeah, I mean, you mentioned well I guess I think you're already sort of explaining this here, but you said that there were a couple of key things that could have shut down this attack before it got out of hand. Can you talk about some of those fail-safe points that the bad actors blew through?

Aaron Painter: 26:26

Well, a lot of the detection we sort of wanted to detect when these things happened from vulnerabilities. Have credentials been used? Is someone who has not normally accessed certain systems begin to access certain systems? And so certain companies have detection and response measures in place to identify some of those points. But I would argue that the perimeter, you know, getting inside is really all about identity.

Aaron Painter: 26:49

And if you do things like put MFA and you put a big deadbolt on your front door but then around back you have, you know, a post-it with the code to your garage and you can kind of open the garage by typing that in like, in like, it doesn't matter how big the deadbolt was on the front door, and for mgm and for a lot of companies right now they've gone that effort. Mfa was the best practice, you know, ideally not sms or two-factor, but ideally setting up some kind of authenticator app or token was the right way to do it. And unfortunately, mfa has this huge vulnerability and weak point when it comes to recovery and that's what we saw firsthand with the MGM attack.

Chris Sienko: 27:25

Okay, well, speak more on that then. Because, yeah, I think we do have that that kind of feeling, or certain security departments have that feeling of like, well, we got, we got MFA in place. We can sort of put our feet up, or that that's. You know that that's been sufficiently padlocked or whatever. But you know that's been sufficiently padlocked or whatever. But you know, because you have, you know the item you own, the item you know, or the item you are, you know, like what are the sort of soft spots?

Aaron Painter: 27:53

Especially, you said specifically around like an account reset. The soft spots really are the humans. You know Humans are our greatest strength and you know the worker, that knowledge worker who has access to their email. They're really important because they can contribute as a human. The help desk person comes to work probably to try and be helpful. I think that's kind of the nature of that work.

Aaron Painter: 28:10

But if every help desk conversation doesn't begin with how can I help, but more I need to identify you or who are you, then you've made help those people sort of identity investigators or interrogators, and that's not a role anyone wants to be in. It's bad for them, it's bad for the end user or the employee, in this case who's calling, and so it probably it's also not secure. It turns out because the nature of us being human makes us open to who's your manager. Oh, you know, I was just on vacation and I had a reorg and I'm not sure, and that's why, gosh, I got to get back into the email to see, yeah, it makes us want to connect with that person, it makes us empathize, and then it leaves a subjective question as to whether or not to reset that person's access.

Chris Sienko: 28:51

Yeah.

Chris Sienko: 28:58

And so the very nature that we have not provided those help desk reps better tools, is the nature of the vulnerability today. Yeah, and yeah, I think that's really interesting because you are, you're, you're hearing from so many people who are really frustrated. They lost account access. You're, you know, you're, you're doing this so many times a day. If someone just like blurts out, like I got to get this taken care of, like you, you that maybe that's the thing that you, that that sort of pushes you over to say, okay, you failed a couple of these authentication checks, but all right, fine, I'm sure you're good for it, you know, or whatever I mean you know.

Chris Sienko: 29:26

I guess I wanted to sort of ask you in that, in that regards, regarding just sort of like security awareness training and sort of like those protocols and whether, like you know, some people it's, it's such a wide range across people that I've talked to that say like it's completely worthless, you just got to build your perimeter. Other people are like, well, it never works, or you don't do it right, or it only happens once a year, and then everything falls out of their heads like what? What are your thoughts on? On the, the idea of sort of bringing you know the quote, unquote weak point of the, the chain, you know, into a greater sort of knowledge focus yeah, I think training is important and it's all of us get better with training and learning and formal education.

Aaron Painter: 30:04

But unfortunately, the nature of fraudsters today and bad actors or hackers is that they're wildly crafty and they're some of the most entrepreneurial and crafty people out there, so they're probably going to be at least a couple steps ahead of whatever the most recent training is.

Aaron Painter: 30:19

And so, yeah, I think another really interesting example and it touches on deep fakes is, um, you know this issue out of hong kong, uh, a few weeks ago, where there was a you know, allegedly a finance control multinational company. The finance controller was in hong kong and the quote, cfo, was based in london. The cfo emailed the finance controller and said, hey, I need to do a bunch of wire transfers. The controller was trained, actually was a bit suspicious and, like I don't normally get emails from the cfo, this is a lot of money, and so he was suspicious and the cfo proactively said, oh well, you know, hey, a bunch of us from the leadership team, we're all on a you know video call right now. Why don't you come join us? Here's the invite link and then you can get the necessary approvals. The controller joined the call and it turned out, the controller recognized many of the people in the call Familiar faces, voices, people that he knew worked at the company.

Aaron Painter: 31:04

And unfortunately they were all deepfakes. Wow, they were not the actual people, they were deepfake emulators on that video call. So the controller kind of did the training, so to speak. That was what they were supposed to do.

Chris Sienko: 31:15

Be skeptical, maybe do a visual verification Did everything right, yeah.

Aaron Painter: 31:26

Right, did skeptical, maybe do a visual verification. Did everything right? Yeah, right, did everything right, and yet we were fooled. And so the pace of bad actors being able to be creative, let alone the fact that they are now super powered with Gen AI and other tools, makes it really hard to rely on training alone, and, frankly, it's just not sufficient.

Chris Sienko: 31:35

Yeah, yeah, okay. Well, I want to. We'll get to name tag in just a sec here. I have one more question around this sort of cycle of this boom and bust cycle of of breaches and apologies and remediation and press releases. But, like you know, I just I'm wondering if you see any way out of this cycle of notifications, admissions of guilt, perfunctory, enjoy a year of credit monitoring on the house. You know, like when a company contacts me and says someone got my password, so change my password ASAP, I'm like all right, fine, click, click, click, click, last pass. You know we're good to go. But like when it's those kind of like horses out of the barn version where it's like well, they grabbed addresses, social security numbers, you're going to need to sort of like, you know, credit freeze, you know, and stuff like that, like it's, this is a whole new era and it's really irritating. I mean, is there any solution for that or am I just sort of venting about something that's just kind of the new normal?

Aaron Painter: 32:26

and you're right to vent. I mean, we're all frustrated, we all hate it, right, and we feel vulnerable and we feel like our things were stolen. Our data was out there, unfortunately. At this point we kind of have to accept that our data is out there, maybe not as widespread, know worse for some than others, but it's not secure enough to rely on. And so this concept of security questions, like the answers to that data are there, they are, somebody can find them.

Aaron Painter: 32:49

For the most part, security questions need to go away Like that. We need to move past the era of trusting answers to questions like those that we get today. But beyond that, the other hot topic right now are things like 23andMe. So 23andMe, right, had an issue this way and their reaction was a bit unorthodox because they said to their customers hey, we gave you the option of adding MFA to your account. Some people didn't. Therefore, this is kind of your fault. Yeah, yeah, yeah, that was a whole new level, right? Because first of all, they yeah, if you have not secured your help desk or the MFA reset process, then frankly, it's theatrics basically to add MFA to the account alone, because all someone has to do is call and pretend they're locked out. So companies are taking increased steps to add MFA, but those are not sufficient to actually protect our accounts, and I would argue that we should all be partnering with companies and choosing to buy from and work with companies that take security seriously and that take more aggressive steps to try and keep our accounts protected.

Chris Sienko: 34:05

Yeah, I feel like every day we're scrolling through terms and conditions and reading them very closely. And you know another thing that's probably never going to change but that, you know, probably would allow you to be a little bit more of a discerning customer in some cases. Yeah, so, yeah. So, coming over to your own company's product, listeners know by now that Aaron's company, nametag, is quote the world's first security verification platform designed to safeguard accounts against impersonators and AI-generated deepfakes. Nametag has become the trusted choice for leading companies seeking to prevent fraud, reduce support costs and eliminate the frustrations associated with account lockouts and high-value transaction authorizations. So we've sort of seen in my mind the visual version of what's going on here, but can you talk about the sort of tech behind this platform and walk us through the points in this or similar breaches where something like this would have blocked out these sort of light-speed account takeovers?

Aaron Painter: 35:00

Sure, yeah, it's sort of straightforward when you use your experience. You know you call or you chat or email with the help desk and, instead of asking you security questions, they send you a link and say great, I'm happy to help you. First they need to verify your identity and you, as an end user, get that link. You tap it. There's a security property in how that link is delivered. You can scan a QR code, you can tap a button. It's not about that, about that. The user locks the button and something that comes next is really kind of quite cool and it almost feels magical. But we're delivering to your mobile phone what's called an app clip or an Android. It's an instant app and it's basically a full native app that is delivered over the air without you needing to go to the app store. Super cool technology, fully works with Apple, fully registered with Apple, fully legit's nothing you know. Uh, it's unclear about that. It's just that it's incredibly. Uh, it's easy. It feels like magic because this thing pops up on your phone. It feels like it was always there, like it's a part of the operating system of the phone and it's the same.

Aaron Painter: 35:57

In order to proceed, we're going to need to do a few things. We need to scan your id and we're going to take a selfie again a familiar end user flow. You go through that, uh, you say great, and you consent. A selfie Again, a familiar end user flow. You go through that, you say great, and do you consent to share this back with the company who asked, or certain bits of information from this document to the company who asked yes, you consent, great, it minimizes and goes away and the company gets a sense of assurance in knowing who you are, that the ID document you presented was legitimate, that your face matches the document itself, and so they have a sense of who they're dealing with in order to proceed with helping you with your account. The whole process takes, on average, 23 seconds for users their first time, no pre-enrollment required and it's sort of a highly automated and sophisticated way to do what you'd almost do in person at the TSA or at a convenience store if you're buying a native product.

Chris Sienko: 36:46

So you're scanning the ID in your face each time you need to do this, or is it like you have one on record and it's just like sending it through to them?

Aaron Painter: 36:55

That's a great question. We do it the first time and we do both, and then the second time. There's some settings that the company can adjust and there's a lot of privacy controls for you as an end user. But there's a lot of privacy controls for you as an end user. But there's an option for the end user the second time to be able to only scan, for example, their face. And so we say, hey, we've recognized you before, You've used this device. Perhaps we only need a selfie.

Aaron Painter: 37:15

And then one of our technologies sort of we patented, is this concept of linking that selfie to the earlier selfie and back to the government issued ID, so we can offer sort of a re-verification. Okay, and that's really important, because a lot of the concepts of oh, we've checked your ID once, you know think of your favorite Airbnb, but not Airbnb. Or you know this concept of verified profiles, Like we, you've once verified yourself. Therefore, every time you log in, it must still be you. Somebody takes control of that account or uses your password. Or, by the way, if you get locked out of the account, they don't re-verify you, but you don't know that you're still that person. You just know that at one point your ID was checked and you kind of got a verified check. We re-verify each time by making sure it's still you.

Chris Sienko: 37:59

Okay, so speak to the AI deep bankake aspect of it. Obviously, I can see a scenario where someone would call and then walk me through it. I guess they have the person's phone, they have access to the ID, they try to take a selfie. There's an AI-generated deepfake of you. What's the sort of next thing that sets this apart? Yeah, it's challenging because in the sort of next thing that that sort of like sends this sets this apart.

Aaron Painter: 38:27

Yeah, you know it's challenging because in the world of deep fakes it's people often feel like it's AI versus AI and some people still make these deep fake detectors and a bunch of these out there. It's great to detect it, but you want to prevent it, and so deep fake detector, basically, is this arms race of AI versus AI. Can our AI detect that you're using AI? We feel that that's going to be a very difficult race for anyone, including us, to ever win. We use AI a lot, but we also use cryptography and part of the logic is that when you have something that's fake whether it's a fake document type you've made, maybe that PDF you've manipulated perfectly Some cases we've had fraudsters come with perfect digital fakes or try and attempt using them right, or even a whole bunch.

Aaron Painter: 39:08

We see a lot of interesting fakes and we learn from them, but people come and let's say they've made a perfect fake. Well, yeah, but there are a lot of other things about that. How do you then share that with us? Because we don't have an upload to PDF button. There's no malicious way to say well, let me inject my code into the web browser and trick it like.

Aaron Painter: 39:24

I uploaded it Because when you're using the secure enclave on a mobile device cryptographically, you really can't. You cannot inject, and it turns out injection, as it's called an injection attack, is the leading way in which people use deepfakes. The other concept of deepfakes is actually a presentation attack, which is where you present a falsified piece of information, like I'm going to hold up a video of myself that I'd made to the phone camera.

Aaron Painter: 39:49

That's considered a presentation attack. You're presenting something that's not accurate. And, again, because you're using a mobile phone, you get to use all the sophisticated toys in that mobile phone to assess that. Cryptography, motion movement, the three-dimensional depth map camera a whole bunch of fun stuff. Photography, motion movement, the three-dimensional depth map camera a whole bunch of fun stuff. Okay to say is this the human behavior that we would see? And then you can assess is this a deep fake, is it not? Um, and is the person real? And you can basically do it in real time wow, now I mean that sounds incredibly high tech.

Chris Sienko: 40:19

Is there, is there any kind of um lower bound requirements in terms of like, if you're using a very old phone or whatever are it are your, is your phone always going to have the sort of appropriate tech to pull this off? Or is this kind of like for iphone's 13, and what kind of thing?

Aaron Painter: 40:35

no, we go. We go quite far back on app compatibility, several versions back. There are a few limitations in certain many international ones in certain markets around the world, um where get a little bit tricky, but they're very. They're single digit percentages of the population and there are other solutions for some of that. But generally it's actually quite amazing how widespread the technology is in our current versions of phones and many versions past to do really sophisticated things that you know most consumers take pictures of their pets and their family and kind of fun stuff and actually these are really sophisticated security tools and we've been able to put them to use for that.

Chris Sienko: 41:10

Yeah, and now, and did I remember hearing you right? Like once the authentication has happened, then like the app is like re-removed from your system, is that? Did I hear that right?

Aaron Painter: 41:19

That's right. It basically disappears from the phone.

Chris Sienko: 41:21

Interesting Okay, so there's no chance that you're you know it's from the phone. Interesting Okay, so there's no chance that you're you know it's. There's an artifact of your driver's license sitting there on your on your phone afterwards, or whatever right?

Aaron Painter: 41:29

Nope, not an artifact of driver's license. One of the interesting things, though, is you might be able to say, even if someone took that phone that's what we call device trust, which is basically how much so much of the MFA market is today. You have set up a secure connection with the device and you don't know the human behind it. Even in that scenario, even there was some legacy there, and in fact, we have a full mobile app someone can choose to optionally do, and let's say, that leaves on the device. We don't trust that alone. We might trust it for a slightly faster experience in some use cases, but again, we need your living, human face again to unlock that account, right? And so if someone were to take your phone, they would be stuck with the same problem of is this really me in front of the phone at this moment?

Chris Sienko: 42:09

Okay, that's that, that's awesome. Now, uh, all of those sort of, uh sort of micro considerations you were explaining there started to make my head hurt a little bit. So I know that there are people you ask for the detail.

Chris Sienko: 42:20

No, no no In a good way, because, uh, I realized that there are people in this audience who heard that and their eyes bugged out and they're like that's what I want to do and that's what CyberWorks is all about. So you know, we're here to help young and new cybersecurity professionals sharpen their skills needed in the cybersecurity industry. So your area of expertise is based largely around a sort of multidisciplinary set of technologies. I mean, you mentioned you know AI, you mentioned cryptography, you mentioned sort of app security and sort of all these very sort of leading edge aspects as well as, like you know, security awareness and social engineering knowledge. Like, what do you recommend for people who want to work in this particular field of authentication and AI, deep fake defense? In terms of what you're going to school for, what you're certifying for, what you're just reading about on the weekends, what kind of projects you're trying to get into with your friends that make you look interesting to someone who is like a name tag, who wants to talk to you about you know the work that you're doing.

Aaron Painter: 43:19

It's an important question. I strongly believe diversity drives innovation, and that means diversity of thought and diversity of experiences, and so the multidisciplinary approach that you're referencing is, to me, fundamental in creating new things. Yeah, one of the reasons why we've been so successful in inventing new things, I believe, is partly because the people we have on our team one come from different backgrounds and have different experiences and work well together and trust each other and able to feel confident they can propose an idea and come up with new things. But also the people that we've often found some of our most successful are ones that have untraditional paths. They're not people that spent their whole life necessarily in security. Maybe they started and they were interested in something totally different, but then they brought that skillset over as they started to learn more of the security discipline, and I believe fundamentally that intersection of those different experiences is what creates new things, and it certainly would help us to create kind of a fundamentally new thing in this space.

Chris Sienko: 44:14

Yeah, well, I'm glad you said that specifically One of my past guests and one of my favorite guests I've had around three times, susan Morrow. She works in digital identity and and and so forth over in England and she talked specifically about how you know certain verification things needed to have her holding the ID next to her face and the camera and, you know, with her arthritis she's like I literally couldn't make it work, you know, and we taught. I mean, that's one small example, but there's, you know, when you have people thinking well, there's this you know issue that someone would have, or there's this unusual way that a neurodiverse person would think, or this, there's this, who, someone who has a cheaper phone, would, you know, get around or whatever, like cause you're having to like think of so many little sort of places where you know like the water could get through, you know, and so I think that's a really insight there in terms of what we're going to need to do Because, like you said, attackers are thinking in a lot of different, unusual ways as well.

Aaron Painter: 45:12

Yeah, and some of those come back to me too of design choices, and you're right, those are very important considerations. And how do you make sure that your product is inclusive and accessible? And gosh, it's almost unlimited. There's always more and more to do and more scenarios to think about there. It's hard to master but important to always work on, and I feel very strongly there. But I think it even more about just someone's background experiences of what they've done in life, the kinds of things they've been interested in, the type of things they've studied, because it makes them see, if there's a given problem on the table and people have different perspectives when they're looking at it, then you're going to have a different outcome, and so the more they have different layers of thought and different types of experiences, I just think, the more you're going to create something new.

Chris Sienko: 45:54

Yeah, yeah, and you know, I feel like you're already sort of saying the second part quietly, but to just say it out loud, like if you build a diverse team like that, who has all these different experiences and backgrounds, like if you build a diverse team like that who has all these different experiences and backgrounds, then it's also worthwhile to not just say like well, I have them here and they're saying things, but I still choose to do things my way, or whatever. Like you know, as a leader, you have to be like okay with, like oh, someone really like ate my lunch there and came up with a way better idea and let's go with so-and-so. You know what have you?

Aaron Painter: 46:26

I believe that speaks to culture. And you're right, having people from different backgrounds and experiences and then not having a culture where they can feel like they can contribute is sort of just a waste, right, that is inefficient and so and it's all. Culture is beyond me. It's really about, particularly as just starting a new company, you know everyone contributes to culture. I, you know everyone contributes to culture. I've said with almost all of our team members, like everyone is a cultural co-founder and they're a big part of creating the space that we have to work and the virtual space, right, the way that we work and how we listen to each other. It's just. It was an important consideration.

Chris Sienko: 46:59

Yeah, I totally. I couldn't agree more. It's a big part of our show here. So as we start to wind down here, I feel like I could. You could probably give me like 10 different examples here. But what about your favorite part of the work that you do Like? What aspect of your work makes you excited to keep pushing and learning each day?

Aaron Painter: 47:12

Yeah, microsoft.

Aaron Painter: 47:13

A lot of it was about people, and that became very ingrained in me when I lived in different parts of the world, because the one thing I left with was, maybe we had an impact in the market and we sold some stuff and companies are using it All amazing.

Aaron Painter: 47:25

But, and in the market and we sold some stuff and companies are using are all amazing but the people were really the thing that carried with me, and so when I went somewhere new, I had that in mind from the beginning. That in my legacy is going to be people, what I learned from them, what they learned from me, and so it really shaped how I went into scenarios and I'd say that's definitely true at nametag, although it's also really fun to see the impact we can have with customers. Yeah, and I get really excited when all of our customers are so enthused and I get daily emails, you know, hearing new ideas and, oh, can we try this and can we use it here? And oh, my gosh, have you talked to this person? And the more that people use our product, just the more exciting it is to feel like they're using something that we were able to create.

Chris Sienko: 48:01

That's fantastic. I love that. So before we go, aaron, could you tell our listeners the best piece of career advice you ever received, if you got it from a teacher or a former boss or like what was, what was something that you still kind of think about all the time?

Aaron Painter: 48:15

Yeah, I get the most passion I believe in is listening with curiosity, and I'm actually so passionate, but I actually wrote a book about it a few years ago which could be a whole other podcast, but on the importance of listening, and not just listening and different from hearing, but listening with the curiosity to understand. I believe fundamentally, curiosity is what drives this ability to think and explore different planes, and so when you're interested in cybersecurity to your point, a lot of your listeners they want to get into the field. I think this curiosity, like listening to these shows asking why, understanding what a company does, how do they solve a problem, why is this the way it is, that natural sense of curiosity, without assuming that you know the answer, I feel is just a fundamental life skill that we all need and it can drive professional success too.

Chris Sienko: 49:00

So usually at this point in the show we'll ask the guests you know the guests to talk about their company or their product, and we've talked a lot about name tag already, but if there's any other things that we haven't talked about with regards to your product and your platform, please tell our listeners about it now.

Aaron Painter: 49:15

I appreciate it. It's been an awesome chance to discuss a lot of things. I guess what I'm most passionate about today is protecting these accounts. Protecting everyone's account today is protecting these accounts, protecting everyone's account. And so anywhere that you've ever seen MFA deployed, you know, be it your work account, be it an account where you are a customer, I believe MFA needs to be surrounded with secure recovery, and that's what we do at NameTag.

Chris Sienko: 49:35

Nice, all right. One last question If our listeners want to learn more about you, aaron Painter, or NameTag, or the work you do with them, where should they look online?

Aaron Painter: 49:45

Check us out. Linkedin we're most active, I'd say you know. Check me out on my page, getnametagcom. We do a lot of content. We talk a lot about MGM. We talk about other hacks poor MGM, you know others that have been sufferers and kind of victims to this and we also talk about companies that are doing some really smart things and what can be learned from that.

Chris Sienko: 50:06

That really smart things and what can be learned from that. That's always. That's always helpful, because it can get real depressing when all you hear is the, the, the, the sort of worst case scenarios. So, aaron, thank you for joining me today. This was, this was so fascinating and I really enjoyed it. Thanks, chris, it was really great to be here.

Chris Sienko: 50:17

And thank you to everyone who watches, listens and writes into the podcast with feedback. If you have any topics or guests you'd like to see on the show, drop them in the comments below. We read them all and we're doing what we can to get them on the show for you. Before we go, don't forget infosecinstitutecom slash free, where you can get a whole bunch of free and exclusive stuff for CyberWorks listeners. Learn more about our new security awareness training series, workbytes, a smartly scripted and hilariously acted set of videos in which a very strange office staffed by a pirate, a zombie, an alien, a fairy princess, a vampire and others navigate their way through the age-old struggles of yore, whether it's not clicking on the treasure map someone just emailed you making sure your nocturnal vampiric accounting work at the hotel is VPN secured or realizing that even if you have a face as recognizable as the office's terrifying IT guy IT guy, bone slicer you still can't buzz you in without the key card. So go to the site, check out the trailer. I love it. I watch it all the time.

Chris Sienko: 51:10

Infosecinstitutecom slash free is also still the best place to go for your free cybersecurity talent development ebook. You'll find in-depth training plans for strategies for the 12 most common security roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ics professional and more. One more time infosecinstitutecom slash free and, yes, the link is in the description. One last time. Thank you so much to Aaron Painter and NameTag, and thank you all for watching and listening Until next week. This is Chris Sanko signing off, saying happy learning.