Fighting Phishing with John Gunn, Chief Executive Officer & Evangelist of Token

Steve interviews John Gunn of Token

In this episode, I speak with John Gunn, Chief Executive Officer & Evangelist of Token.

John shares the history of Token's next-generation biometric wearable authentication device, Token Ring. We discuss the challenges enterprises are facing including ransomware attacks, sophisticated phishing, and account takeover attacks. You'll learn how Token is propelling FIDO2 authentication across a variety of use cases.

RESOURCES:

Connecting with John Gunn

John’s LinkedIn: https://www.linkedin.com/in/johnnybgood/

Token website: https://www.tokenring.com/

Companies & Resources Discussed

Token is a provider of secure, wearable authentication solutions. It is delivering the next generation of multifactor authentication that is invulnerable to social engineering, malware, and tampering for organizations where breaches, data loss, and ransomware must be prevented.

FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.

The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

OneSpan is a publicly traded cybersecurity technology company. The company offers a cloud-based anti-fraud platform and is historically known for its multi-factor authentication and electronic signature software.

Companies referenced that have experienced high-profile data breaches:

JM Search is a retained executive search firm for private equity firms, venture capital firms, portfolio companies, and the Fortune 1000.

RIT (Rochester Institute of Technology) is one of the top universities in the nation working at the intersection of technology, the arts and design.

Kevin Surace, according to his LinkedIn bio, is the “Father” of the Virtual Assistant & Voice User Interface, Futurist, Keynote Speaker, TED and TEDx speaker, AI/Generative AI & Agents, Multi-field Inventor with 94 worldwide patents, CEO, CTO, Film & Broadway.

Grand Oaks Capital provides seed and early-stage financing across a wide range of sectors. The investment firm was founded by Tom Golisano, founder of Paychex.

OTP (One-time Passcode), also known as a one-time PIN, one-time authorization code or dynamic password, is a password that is valid for only one login session or transaction on a computer system or other digital device. OTP codes are usually time-limited, often to no more than 10 minutes.

MFA is an authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.

BYOD is the concept of employees using their personally owned device(s) for work purposes.

AAGUID (Authenticator Attestation Globally Unique Identifier) is a 128-bit identifier indicating the model of the authenticator. A relying party reads this ID during the registration phase to ascertain the origin and security characteristics of the authenticator, so that only authenticator models it trusts are enrolled.
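The AAGUID travels inside the WebAuthn authenticator data that the FIDO2 registration response carries (this also illustrates the FIDO2/WebAuthn entry above). The following is an added example, not code from the page, Token or any FIDO vendor: it parses the fixed authenticator-data layout, pulls out the AAGUID and credential ID, and applies a relying-party policy that rejects unknown models and registrations without user verification. The AAGUID values, the relying-party name `example.com` and the allowlist are constructed placeholders; the attestation signature check that a real relying party also performs is out of scope here.

```python
"""Added example: extracting the AAGUID from WebAuthn authenticator data at
registration and checking it against an allowlist of approved authenticator
models. All AAGUIDs here are constructed placeholders, not real model IDs."""
import hashlib
import struct
import uuid

# Bit flags in the authenticator-data "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric on the authenticator)
FLAG_AT = 0x40  # attested credential data (AAGUID, credential ID, key) follows

# Constructed placeholders: one approved model and one the policy has never seen.
DEMO_APPROVED_AAGUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
DEMO_UNKNOWN_AAGUID = uuid.UUID("99999999-8888-7777-6666-555555555555")
APPROVED_AAGUIDS = {DEMO_APPROVED_AAGUID}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed authData layout:
    rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key]"""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    result = {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if result["flags"] & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        result["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        result["credential_id"] = cred_id
        # The COSE public key (CBOR) follows; decoding it is not needed for this check.
    return result


def check_registration(auth_data: bytes, rp_id: str) -> tuple:
    """Registration-time policy: right relying party, attested data present,
    user verification performed, and an authenticator model on the allowlist."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match relying party"
    if not parsed["flags"] & FLAG_AT or parsed["aaguid"] is None:
        return False, "no attested credential data in registration"
    if not parsed["flags"] & FLAG_UV:
        return False, "user verification flag not set"
    if parsed["aaguid"] not in APPROVED_AAGUIDS:
        return False, f"authenticator model {parsed['aaguid']} not on allowlist"
    return True, "accepted"


def build_auth_data(rp_id: str, aaguid: uuid.UUID, flags: int,
                    cred_id: bytes = b"\xAB" * 16) -> bytes:
    """Build constructed sample authData for testing; the trailing byte stands in
    for the COSE key, which this example does not decode."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", 0)
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id
            + b"\xa5")


if __name__ == "__main__":
    sample = build_auth_data("example.com", DEMO_APPROVED_AAGUID, FLAG_UP | FLAG_UV | FLAG_AT)
    print(check_registration(sample, "example.com"))
    print(check_registration(build_auth_data("example.com", DEMO_UNKNOWN_AAGUID,
                                             FLAG_UP | FLAG_UV | FLAG_AT), "example.com"))
```

Because the AAGUID is only as trustworthy as the attestation statement that signs it, a relying party that enforces a model allowlist should also verify that statement against the FIDO Metadata Service before trusting the identifier.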

Yubikey is a security token that enables users to add a second authentication factor to online services from tier 1 vendor partners, including Google, Amazon, Microsoft and Salesforce.

IAM solution providers referenced:

Sim Swapping, sometimes called a SIM hijacking attack, occurs when the device tied to a customer’s phone number is fraudulently manipulated. Fraudsters usually employ SIM swapping as a way to receive one-time security codes from banks, cryptocurrency exchanges, and other financial institutions.

PKI (Public Key Infrastructure) encompasses everything used to establish and manage public key encryption. This includes software, hardware, policies, and procedures that are used to create, distribute, manage, store, and revoke digital certificates. 

Conti Ransomware is considered a ransomware-as-a-service (RaaS) model ransomware variant; however, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage, rather than the percentage of proceeds paid to affiliate cyber actors, and receive a share of the proceeds from a successful attack.

3DFX was an American computer hardware company headquartered in San Jose, California, founded in 1994, that specialized in the manufacturing of 3D graphics processing units, and later, video cards. It was a pioneer in the field from the late 1990s to 2000.

NVIDIA, founded by Jensen “Jen” Huang, has been a pioneer in accelerated computing. The company’s invention of the GPU in 1999 sparked the growth of the PC gaming market, redefined computer graphics, ignited the era of modern AI and is fueling industrial digitalization across markets. NVIDIA is now a full-stack computing infrastructure company with data-center-scale offerings that are reshaping industry.

GPU stands for "graphics processing unit." This computer chip is the brain behind every visual element that your computer displays. From the colorful graphs in your stock analysis software to the latest blockbuster movie streaming on your 4K screen, the GPU is hard at work turning digital data into visible pixels.

HelpNet Security is an independent website focused on cybersecurity since 1998. The article referenced in the podcast is titled “Attackers are logging in instead of breaking in” and was published in April, 2023.

RDP (Remote Desktop Protocol) is Microsoft’s proprietary communications protocol that allows devices running any operating system (OS) to connect remotely. IT administrators can use RDP to remotely diagnose employees’ issues while giving them access to corporate resources. Although proprietary, some RDP specifications are open, and anyone can use them to extend the protocol’s functionality and meet organizational requirements if needed.

Phishing-resistant Multi-Factor Authentication (MFA) is a highly secure authentication method designed to fortify user accounts against phishing attacks. Unlike traditional MFA, which can still be vulnerable to phishing attempts, this approach incorporates multiple layers of protection to ensure enhanced security.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Prompt bombing or MFA prompt bombing is an attack method used to bypass multi-factor authentication (MFA) security. This technique works by flooding users with MFA prompts to access a system, with the goal of finding a prompt that the user accepts.
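Prompt bombing leaves a recognisable trace in the MFA provider's push logs: a run of denied or timed-out prompts for one user in a short window, sometimes ending in an approval. The following is an added example, not code from the page or any MFA vendor: it walks constructed push-notification log lines, keeps a sliding window of unaccepted prompts per user, and raises one alert when the burst threshold is reached and another if an approval follows the burst (the event that actually needs a response). The log format, user names, addresses, threshold and window are all assumptions made for the illustration.

```python
"""Added example: detecting an MFA prompt-bombing burst from push logs.
The log format and every event below are constructed for this illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> user=<name> push=<result> src=<ip>"
SAMPLE_LOG = """\
2024-02-01T02:11:05Z user=alice push=denied src=203.0.113.9
2024-02-01T02:11:40Z user=alice push=denied src=203.0.113.9
2024-02-01T02:12:10Z user=alice push=timeout src=203.0.113.9
2024-02-01T02:12:55Z user=alice push=denied src=203.0.113.9
2024-02-01T02:13:30Z user=alice push=approved src=203.0.113.9
2024-02-01T09:00:00Z user=bob push=approved src=198.51.100.7
2024-02-01T09:30:00Z user=bob push=denied src=198.51.100.7
"""

WINDOW = timedelta(minutes=10)  # assumed: how long an unaccepted prompt counts
BURST_THRESHOLD = 3             # assumed: unaccepted prompts in WINDOW that make a burst
UNACCEPTED = ("denied", "timeout")


def parse_line(line: str) -> dict:
    """Split one log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_prompt_bombing(log_text: str) -> list:
    """Return alerts in log order: 'push_burst' when a user reaches the threshold of
    unaccepted prompts inside WINDOW, and 'approval_after_burst' when that user then
    approves a prompt while the burst is still inside the window."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of unaccepted prompts in WINDOW
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        pending = recent[rec["user"]]
        while pending and rec["ts"] - pending[0] > WINDOW:
            pending.popleft()  # expire prompts that fell out of the window
        if rec["push"] in UNACCEPTED:
            pending.append(rec["ts"])
            if len(pending) == BURST_THRESHOLD:
                alerts.append({"user": rec["user"], "kind": "push_burst",
                               "at": rec["ts"], "count": len(pending)})
        elif rec["push"] == "approved" and len(pending) >= BURST_THRESHOLD:
            alerts.append({"user": rec["user"], "kind": "approval_after_burst",
                           "at": rec["ts"], "count": len(pending)})
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOG):
        print(alert)
```

An `approval_after_burst` alert is the one to treat as a probable compromise: revoke the session created by that approval and rotate the credential. The durable fix is the one the interview points to, removing the "approve" decision from the user altogether through number matching or a phishing-resistant authenticator.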

DW is a German news media outlet and covered Asia’s cyber slavery trade here.

Tor (The Onion Router): The Tor Project, Inc. became a 501(c)(3) nonprofit in 2006, but the idea of "onion routing" began in the mid-1990s. The goal of onion routing was to have a way to use the internet with as much privacy as possible, and the idea was to route traffic through multiple servers and encrypt it at each step of the way. This is still a simple explanation of how Tor works today.

IBM X-Force Red uses the same tactics, tools, techniques and mindsets as attackers to uncover and help organizations fix those vulnerabilities. We can help you stay ahead of attackers and protect your most valuable data. Mr. Gunn made reference to ‘Jennifer’ Carruthers; however, Stephanie Carruthers is the Global Head of Innovation & Delivery at IBM X-Force.

Industry events mentioned:

FULL EPISODE TRANSCRIPT

Steve Craig: Welcome to the PEAK IDV EXECUTIVE SERIES video podcast, where I speak with executives, leaders, founders, and change makers in the digital identity space. I'm your host, Steve Craig, Founder and Chief Enablement Officer for PEAK IDV. For our audience, this is a video first series. So if you're enjoying the audio version, please check out the video recording on executiveseries.peakidv.com. You can watch the full episode, read the transcript, and any of the links or resources we discuss, I'll put those in there. In this week's episode, I'm speaking with John Gunn, CEO and Evangelist for Token. Token is next generation multifactor authentication powered by Token Smart Ring, their FIDO2 compliant wearable authentication device.

John has deep experience with startups and turnarounds and has led five companies ranging anywhere from zero to $10 million in revenue up to $300 million plus. Most recently, prior to Token, John was Chief Revenue Officer. He also served as Chief Marketing Officer at OneSpan where he provided solutions to 70 of the top 100 global banks to stop attacks within online banking transactions.

John's 30-plus year career spans FinTech, digital identity, fraud prevention, consumer products, and the commercialization of state of the art technologies. Welcome, John. Thank you so much for taking the time to be on the podcast. 

John Gunn: Steve, thank you for having me on. Thank you for inviting me and thank you for the introduction. I hope I can live up to it.

Steve: Yeah, well, let's- let's get right into it. Can you tell us more about Token? What is Token? What's your elevator pitch? 

John: We stop ransomware and phishing. Most ransomware comes from phishing and that's what we stop. And yeah, it makes the headlines every day, not just industry headlines, but major news headlines, all news headlines. People have read about MGM, Caesars, Johnson Controls, Hanes, Dole, local communities, hospitals. There's a children's hospital in Chicago right now; it's been shut down for a week because of it. It's an impact on every business. SEC just passed regulations. People have to disclose it, and 90% of those attacks, 90% of the ransomware attacks, have a single source - it's phishing. Why do attackers phish so much? It's because it works. So we looked at that and said, “How are they getting in?” And we said, “How can we fix that?” So nobody can stop all ransomware, but we can stop - it's about 80 to 90% of those attacks start the same way. And we stopped that because they're attacking humans and we take human vulnerabilities out of the equation.

Steve: That's great. That's great. Now, looking into the company, I see it was founded in 2016 and you became CEO in 2022. When did you first hear about the company and what was the origin story of getting involved with Token?  

John: I was introduced to it by one of the nation's leading search firms, if I can mention them, JM Search. They're outstanding and they focus very much on - well, they focus on a lot of things, but I know them from their technology practice. And the company was founded, you know, six- seven years ago by a group of very talented engineers out of RIT, and they developed the ring initially as a consumer product, something to get used to make payments, buy coffee, open your house door, open a hotel door, open and start your car, all these different applications, but it- it was- it was too ambitious.

So the company was heading towards failure. And then a gentleman named Kevin Surace, who many people have probably heard of. He's a former Inc Magazine entrepreneur of the year, holds a bunch of patents across all kinds of industries. He came in and said this company has got this incredible technology, but the applications are in the enterprise, not the consumer. And that's when our lead investor came in for Series B, Grand Oaks, very strong VC, understands technology, billion dollar portfolio.

They came in, we had Series B funding about two years ago. And that's when the company was really, you could say, relaunched. And that's when they started their search for a CEO, and that's when they found me. And my background was a perfect fit, because here's- here's an authentication solution and I've spent 20 years in cybersecurity and more than a decade in authentication. And as soon as I saw it. Like this is- this is the perfect product at the perfect time. And since then, the problem we solve has only gotten worse.  

Steve: Yeah, that's a great backstory, John. Thanks for sharing. Can you share more about how the product works and what the implementation experience is like for enterprise?

John: You bet. Everybody's familiar with OTP - I'm sorry, with MFA. You know, second factor. Everybody does banking, your bank says, we're going to send you an OTP, you've got a new device. Or it's good to just set that up whenever you log into anything. Different with that, but on an enterprise, when you move consumer to enterprise level, yeah, you need a higher level of security because MFA is getting hacked. There's all kinds of ways to hack it. So it works to the user a lot like the MFA they're used to, except it takes their interaction out of it. So you may be used to having to enter OTP or username credentials. You don't have to do that anymore. This happens completely transparently, and we've taken it off of these devices that are getting hacked. When you get sent an OTP, you know, one time password, or if you use an authentication app on your mobile phone, this is a phenomenally insecure device. And businesses struggle with, you know, BYOD. Because these devices are owned by their employees. They don't want them to lock them down. They can't restrict them. They can't stop their employees from loading malware onto it. And you still have this process where phishing works is they get a user to enter their credentials, a one time password, or they click approve when it's really cyber criminals that are logging in and the user is not smart enough to tell the difference. So we said, “Let's take that all off the table.” “Let's make it transparent to the user.” They still wear the device, they wear the ring, but they can interact with the device they're logging into without entering anything. So, there's two things: One, they can't get it wrong; number two, nobody can jump in the middle of that. Because when you look at these, most of these attacks, they get a user to enter their credentials or their authorization into a malicious website. Or, there's a man-in-the-middle attack. 
When you eliminate that possibility, you eliminate 90% of the risk that's involved and so that's- that's what we do. 

On the enterprise side, implementation is very easy and a lot of organizations ask us, “Wow, is this going to be tough?” You know, “What do I have to rip and replace?” Nothing, because they're already using some form of authentication. We're just another authenticator. We have what's called an AAGUID, an authentication attestation global universal identifier.

And we're just another authenticator that exists in their IAM solution. So they may have Yubikeys, which are great. They may have OTPs in another way. So within that IAM solution. You know, all of them, whether it's Okta or Ping or Oracle or Microsoft, IBM, I mean Cisco, you know, fantastic solutions. Cisco DUO. We work with all of them.

And the integration is just saying these users have this device and then you're done. So instead of being a multi-month, multi-week or multi-day, it's more like, you know, a couple of hours. So it's super, super easy. 

Steve: Yeah. Well, I think about my career in the arc of MFA, it was a long time ago. Those business card size devices that were like calculators that would give you the code. And then many of the companies started to shift to SMS based. Because it was easier, but we know the problems with SIM swapping and spoofing and those attacks. A wearable device is very intriguing. I imagine there's some biometric pieces to that. Can you talk about how it actually detects who the user is and what are the attributes that it's analyzing?

John: Yeah, absolutely. It's got a fingerprint sensor built into it. I'll try and hold up the camera here. Maybe you could see it, but you can see there's a fingerprint reader in there. And so you place your finger on it, like that, and it reads your finger, which it's doing right now. And then once it matches, the person wears it.

And so when I'm logging in, I activate the device with a knock, and it can communicate by NFC or Bluetooth. It's the, you know, sysadmin's [system administrator’s] choice. And it's sharing my credentials. So I can go passwordless, there's no password to steal. And then through that secure encrypted channel it can do a PKI exchange because my private key is on this device and so are my biometrics.

So only I can use this and as soon as I take it off, it deactivates. Now nobody else can use it. So unlike a token, which is very secure, if I take my token out, leave it on the desk or in my desk, someone could steal it. A lot of people leave them in their computer. It's like leaving the keys in your car - anybody can drive away. This is always with me. It can only be used by me. And there's nothing I can give up. I can't- I can't tell somebody, you know, my credentials. I don't know. They're in here somewhere, I can't tell you what they are. So what I'll tell people is you can take your absolute most gullible user who cares nothing about security of the company. Most careless person who’s most gullible and on their worst day, they could still not present any risk to the organization, unless they logged in and handed their keyboard to somebody. But this attacker's in China or North Korea, so that ain't happening. So we really take the human element out of it. And when you look at it, you know, MFA up till about a year ago when we were saying, “Oh, you got to implement MFA.” You got to go from passwordless. Passwords are 60 year old technology. Most legacy MFA is 20 year old technology. And if you were talking to a business consultant and said, “Hey, this industry is, you know, just getting slammed by these attacks.” Oh, how are they defending themselves? “Oh, they're using this 20 year old technology.” Twenty year old technology? Yeah, you know, so I think, you know, when's the last time you sent a fax? Used a floppy disk or dial up internet, you know, some people I talked to they're too young to even know what those are but- but that is what the majority of organizations are relying on as their primary defense and all those examples I gave you at the start, that long list making the news. That's what they're all relying on, 20 year old technology.

Steve: It's- it's interesting in this podcast series, a common theme is legacy technologies that really aren't that great for identity verification. We talk about knowledge based authentication, what we're talking about now on the MFA devices using, all tokens or smart cards, things that can be socially engineered. Yet you have technologies like a fax machine that disappeared almost overnight, it felt like. So what do you think are some of the challenges with the adoption of the state of the art? How has that evolved as you've joined Token?  

John: I think a lot of it has to do with just the nature of cybersecurity. I mean, I can't imagine being a CISO or a senior person responsible for defending an organization. I mean, that is literally mission impossible. You know, there's so many attacks, so many places. In the cybersecurity segment, you know, Gartner tracks 22 major categories, only subcategories, and there's 3,000 vendors, and there's no way they can defend against everything. So it's just scramble. What's the latest attacks? What's the latest technology? And these 3,000 vendors, everyone's saying, oh, we're a little bit better than the other person. We're a little bit faster. We're a little bit better at detecting this. And so much of it, of mentality is, if it isn't broken, don't fix it. Two years ago, they switched from passwords to something more secure. Or they switched from OTPs to dongles. Like, now you're telling me I got to switch again? Like, well, if you don't want to be the next MGM, then yeah, but that's- it's your choice. The other thing I say is when you look at our segment, I don't know how long you've been in the- in the cybersecurity segment, Steve, how long have you been in it?

Steve: I would say about 20 years because I worked at a company eight years ago in internet banking when it was in its early days of helping credit unions and banks get online, yeah. 

John: We've both seen, you think back 20 years, we've seen so much change. Even people ten years, five years, people have been listening for one year. It's changed so fast. The one thing that hasn't changed is humans. We haven't gotten any smarter, any better at anything. And so that's what I think there's a great quote from Conti, one of the leading ransomware groups. They say, you know, “How can we possibly attack these companies with billion dollar, you know, cybersecurity budgets?” You know, I think Chase is somewhere around that. They said, “So we don't. We attack people, we attack their users.” So for us, it's like, okay, well, if that's the number one attack vector, let's change the paradigm. Let's protect those people from being attacked. 

Steve: You mentioned a few moments ago, your relationship with Grand Oaks Capital, and you'd raised some additional financing last year. How has that investment helped with go-to-market and getting this message out there and product development? How are you deploying those funds? 

John: Yeah, and Grand Oaks has been the best VC I've ever worked with. They understand the solution. They understand the market. They're huge champions, you know, of what we're doing. And our business is a bit different. You know, for most cybersecurity companies, almost everything out there is a SaaS solution. We're not. We're this hardware. So, if you started, you know, if Peak IDV was selling a SaaS cybersecurity solution and your head of sales said, “Hey, celebration, I got 10,000 more seats.” Okay. The investment you have to make is you're going to, your AWS, you know, cloud bill is going to go up a little bit for us, for those 10,000. I got to go buy components to build 10,000 rings. I got to put the labor in to build 10,000 rings, then 10,000 rings go out there. And then people start, you know, paying a monthly subscription. So it's very capital intense at the start. We have great margins. So Grand Oaks understands this. And so that's what those financing vehicles are for. The fact that it requires a bigger investment. And you know, so they gave us two facilities, you know, this is over the last 12 months when it was very difficult to raise capital, but they you know, they see the opportunity and- and part of what helps me, like a lot, is the fact that Grand Oaks is Tom Golisano is the gentleman behind that. He's the founder of Paychex. He's written a couple of really fascinating books on his journey to entrepreneurship, you know, and he's- he's worth billions. And I think he- he understands, you know, because of his struggles for decades to turn that into this, you know, industry leader. He understands the journey and he's also an incredible philanthropist. 
If you look at, you know, just everything he's done and I think he really wants to help create the next Paychex and enable that next huge breakthrough, not just, you know, for financial reasons, but it's part about, you know, when you're very successful, you turn back around and you help the next one in line. So I think, I mean, not that there's no pressure not to perform, but Tom is an incredible businessman, incredibly competitive, but he also has a huge heart. 

Steve: That's great. It's so important to have the right investor and make sure they understand your business and things like hardware expenditures. If you're traditionally investing in SaaS companies or software companies where you've got these margins at scale after the R&D. That may be hard to realize with every new customer, you're going to have this big expense up front. And then you have over time, you're recouping that. 

And looking into your background, I see you've got a lot of experience in this space. You were on the management team at 3DFX, the graphics card and to date myself a little bit, I had a Voodoo graphics card. I actually had two over a period of time when it was all about video gaming. It was like Quake and Doom, things like that. Can you share more about that experience? It's kind of a little side- side thread from the Token stuff, but how was that, that time period for you?

John: Yeah, that's going way back. I mean, that was- that was very exciting times. And it's- it's reminiscent of what we're doing now in that, you know, all these video card companies that were making the graphics processors and they were making these incremental improvements and that 3D effects. He said, well, we took a totally different approach and they had what's called a scan line interleave. What if we just drew every other line with a different processor and you'd have twice the power. And so it suddenly just blew everything else away. So it was, I kind of created its own category. And so it was the solution to purchase because it took a while to get some traction, but it was really clearly this different innovation in a lot of ways that we're trying to do the same thing here of all the rest of the world is trying to solve this problem this way, you know, the old fashioned legacy way. And then here's Token. We're taking a totally different approach. We're going to get humans out of it and we're going to change this. So I hope we have the same success. And, you know, when you look at what happened to 3DFX, it got acquired by NVIDIA back when NVIDIA was a small company and Jen's building it. And, you know, of course he's off the charts as far as a gifted business person. But even back then, his focus was really on, you know, having the best technology and being that innovative leader. And he acquired 3DFX to get, I think mostly to get the hundreds of super talented engineers we had and to build this technology portfolio, but that was- that was a great time. It really did, you know, people overuse the term so much, ‘disruption,’ we're going to disrupt the market. You know, very few tech- very little technology does. 3DFX clearly did.  

Steve: The 3DFX marketing was also very different than other companies that had the- the eyes in it, and it was colorful and it was just taking a completely different approach. And I feel like it was capturing a good market, but it was still the hobbyist market. It was those that were building their own machines and- and PCs and stuff and felt like, and NVIDIA was in a similar spot. And it's just been the last 10 years with the GPU revolution around machine learning that NVIDIA has really blown up. How do- how do you think about that market then, you said Token was in a similar spot, where are we going with these multifactor authentication devices? Because you've got this legacy status quo, but then you've got companies like Token, they're going to do things differently. 

John: When you look at how it was Help Net Security, one of their headlines, maybe over the summer, in the fall, was ‘Hackers aren't breaking in anymore, they're logging in’, and that's the problem. They are- they are easily picking these simple locks that most organizations are using. So what do you do if your locks aren't working? Buy better locks. And so we set about making a much better lock that would stop them. They can still attack through, you know, RDP attack. They can look for vulnerabilities, you know, unpatched things, open ports. But that's, that's a small part of where attacks happen now. We wanted to knock out, you know, the number one vector. And so, and you see a lot more talk about phishing resistant MFA. So the industry is waking up to the fact that that's happening.

And so we feel very good about the attention and we, we're solving everybody out there, all 3,000 vendors are solving a problem, there's a problem we solve and you articulate that we solve the number one problem for every CISO, every board, every CEO, every organization, the number one risk they face. You know, breaches and ransomware, you know, I saw an hour ago, I read an update on Reuters saying that the amount of Bitcoin payments for ransomware had almost doubled last year. Yeah, a new record obviously, and it is billions and billions of dollars, and it's obviously what current approach isn't working. So we've come forward with this. Here's the new approach, here's what works. Now, maybe four years from now five years from now, they find a way around it or they just attack through other methods, but organizations can right now stop their biggest risk to the organization in the most common way cyber criminals are gaining access to their networks.

Steve: We're seeing more and more of these- these data breaches and then as consumers, I feel like when I talk with people, there's like this- this desensitization that's happening or because it's so frequent, it's just background noise. But I know CISOs are under a lot of pressure. IT teams are under a lot of pressure. They don't want to be the next headline. What would you say is the temperature when you're speaking with some of those leaders at these large enterprises? 

John: It's a- it's a real priority for a lot of reasons. And yet I think consumers are being desensitized a bit, especially, I don't know how many letters you got last year, but take the last several years in total I probably got six offers for you get a whole year of credit monitoring or we're gonna give you two years. Well, they've got my social security for the rest of my life, what about year 3, 4, 5, 6, 7, 8, 9, 10, however long you plan to live? I hope I live a long time. So, you know, it's because my favorite thing you see in these breach letters is, is so disingenuous. What companies say, “We have not yet detected.” They say, “We have not detected any actual misuse of your Social Security number or credit card.” Okay, did you really go look that hard? And does that mean that my Social Security number being stolen will never be a risk to me? I mean, come on. And, I think- I think people are desensitized to it. You know, last week, two weeks ago, there was a fake headline, 26 billion record dump. Well this was a conglomeration of previous, you know, breaches, but 26 billion is, you know, it says five or six times people on this planet. So it's all out there. It's all out there, but here's what's changing. Here's what's changing and why it's even more urgent now. You're seeing a lot more, you know, three reasons why a company wants to fix this problem. One, interruption of their business. If I'm a business and I'm shut down, you know, I'm Hanes Brands and I'm shut down, or I'm Clorox, people couldn't buy bleach. They just announced I guess in the last week that the price, the- the financial impact will be $49 million. So that, that's a huge motivator right there. It also applies to smaller companies. There's an upstate New York care provider and they had a breach and HIPAA fined them $450,000. That doesn't sound like that much in terms of these $100 million losses, but it was $2,700 per employee. 
So isn't there a solution for less than 2,700 so you can stop this? 

And now here's the payoff I promised you. Here's what's really changing. I'm going to take you back in time, because you've taken me back in time. You remember 3DFX and others. All this time, whenever a share price in a company would drop, you know, it went down 20%, 25%, there's a group of plaintiff's lawyers who sue. Class action lawsuit on behalf of the shareholders. Okay, what's the cause of action? We'll figure that out later. There's clearly, there's a tortious action here because somebody lost 30% of their investment. And when you add it all up, it's a huge amount of money.

That same phenomenon is starting to happen now, where as soon as the company announces a breach, we're going to sue on behalf of the victims. So yes, Steve, you got your letter with your notice and your monitoring, but you really were harmed and they should have done more to protect you. So now the company has the cost of remediation and getting back up and going, or the ransomware they paid. Maybe they have regulatory issues, maybe not - most don't. Now they have this class action lawsuit. And juries will undoubtedly be very friendly, especially in healthcare, where, you know, you probably read this story about patients who had cancer patients, women who had, you know, pictures of them, you know, naked, or, I don't know how to describe it, but, you know what I'm saying exposed, or they were extorted. "We have pictures," you know, "of your upper body exposed. Pay us $1,000 in Bitcoin or $5,000." Those judgments against those companies are going to be huge. So that's new, and that's an additional motivator where companies will say, we've got to solve this problem.

Steve: Yeah, yeah. The ramifications of breached data, whether it be your Social Security number or your date of birth, stuff you can't change, you're with that for the rest of your life, or things that you wish you could take back, you know, pictures or videos that were hacked. These are really challenging and very jarring for consumers, but then at the same time, they're still susceptible to these social engineering attacks. And I thought your company did a really good job with an example of one, it's called prompt bombing. And I watched the video, it's really interesting that person's like out and about and they're getting these messages. Can you describe how that works and maybe any of the other social engineering attacks that you're seeing that consumers should be aware of?

John: Yeah, you bet. You know, for consumers, you know, you'll get that prompt that says, there'll be two and one will say, you know, you just logged into your social media account through a different device and if it isn't you, take action, but it was. Other ones will say, you are trying to log into this account, you know, do you approve or deny? And it's probably you, so you say approve and then boom, you're in. If you say deny, then, then you're not in. So, sysadmins at organizations, sometimes you use that same method to grant somebody who's trying to login permission. So, cybercriminals figure out if we just hit them with enough of them, sometimes they'll take the bait. If you go back and look at the news stories that give the story, the history of how Uber was hacked. There was, I mean I can't tell the story exactly, but here's the gist of it. There was a sysadmin who controlled that access and they kept getting hit over and over and over with these approval requests. Deny, deny, deny, deny, deny, and they finally hit approve. When they asked the individual, why did you hit approve? They essentially said, I'm just paraphrasing here, it was really late, I was really tired, I wanted to go to sleep, I wanted to make it stop.

Steve: I thought that you did a great job explaining that. What a lot of the, like the mainstream population that's not in these fields, what they don't understand is how these attacks work. Whether it be a fishy-looking email or a random text message. What are other attack vectors in the consumer world? And maybe even like in the small business world where maybe you're not a large enterprise, like how are criminals trying to take advantage of those?

John: Well, there's a ton of them. You know, number one is still just the text and the email phishing, that's the number one risk and the attacks are, you know, more innovative than ever. And well, there's a lot of different ways. I mean, if I can attack your, if I want to attack your business, I might attack your personal email first. And an incident eight years ago where, you know, I'm a somewhat technical guy and the CEO said, "Hey John, can you help me with this? There's this, you know, message from my wife on email." So I look at it and I'm like, don't touch that. Someone has hacked your wife's email account and that's not really her. I call her up and she's like, "no, I didn't send that." And so they were trying to reach him, the CEO, because they'd hacked the wife's personal email. And then that's how we're going to get into his business email. And then they'd be in the organization. So there's this incredible ingenuity. Anyway, you can think of attacking, you know, they'll try. When you look at this army, I mean, you know, in the US, not everybody gets to go to university - incredibly expensive. Nobody wants to graduate with six figures of college debt. Russia, China, if you're smart, they figure it out when you're young, you're paid all the way through. You graduate, what do you do? Well, you work for the state and attack American targets or work for a private enterprise and work at the direction of the state to attack American targets. There's such huge money in it that you've got this, this growing army of enemy state agents that are incredibly smart, incredibly well educated that are attacking America, American assets, American businesses, because there's billions of dollars and it funds, you know, activities by enemy states of ours, North Korea, Iran, and it's, but it's got, it's more than just. Well, it's unfortunate somebody was, you know, some old lady got her purse stolen, or a bank got robbed.
This is billions of dollars that are funding terrorist activities, other criminal activities that really impact every American.

Steve: I recently watched a documentary on YouTube by DW that's a German media outlet and they were talking about the business of these scam centers where people go from other countries into a different country to take a job. They think it's a call center job or a sales job and they end up going into forced labor to do these attacks and there's big business in it.

Your company just recently posted a news article about a $25 million scam from a deepfake. Can you share a little bit more about that scenario?

John: You bet. Most people haven't heard of deepfakes. Remember they, maybe they heard about deepfakes and they you know saw an example on YouTube or something where someone created a video that wasn't really that person but it looked like, you know, or they see it in a movie, an action movie or sci-fi movie. But I think, you know, a few weeks ago, when Taylor Swift deepfakes were circulating, people realized, wow, this stuff can really happen. But, you know, Taylor Swift's a great artist, but the real money, nobody made money on that. Well, they could because they can send that out. 'Hey, Steve, here's a video of Taylor Swift, this video, click on it.' But it's really taking you to a malicious website and you're getting malware. But a company that's based in China that has offices in the UK, they got a senior finance person on a webcast, you know, Zoom, like you and I are right now. And this person was talking to their CFO, not just their CFO, but a couple other members of their senior management team, just like you and I are talking right now. That's Steve, of course, that's Steve, but it wasn't really them, these were deepfakes so they put a huge amount of effort into it. So and the person said this was really suspicious $25 million, you know, it's a big organization Steve. We have secret projects all the time. We don't bring people in the tent until they need to know. You need to know right now. The reason why you need to know is I need $25 million sent right now.

Well, this is really fishy, you don't believe me? And then I bring in these other colleagues that you work with. And you're like, there's my colleague, there's my peer, there's my boss, there's my boss's boss. And you're like, this has got to be legit. Okey dokey, off goes the $25 million. And that's an example. And you'll see those on a more simple basis where a lot of attacks now people are a lot more suspicious and they want proof. Oh, you want proof? Okay, I'll do a video call with you. Employees, we're not a big company, every new employee that we get hired, somebody has a bot on LinkedIn. They can see new employee at Token. Okay, they get a text that says, "Hey, this is John. It's real urgent. I need you to buy some gift cards and send them to this." They're only trying to steal, you know, $500 or $1,000 from us, but it's the same thing, impersonating somebody. But if they sent them to a website to download malware or other things, and you're going to see a lot more of that, a lot more of that is coming. A lot of it's going to drive this generative AI. It's enabling all of that. It's a great tool for business productivity. It's an incredibly dangerous tool in the hands of cybercriminals.

Steve: Generative AI and AI used for bad or malicious purposes is a common thread in this podcast. And I saw that you were recently at the Cybersecurity Summit, and you were talking about the weaponization of Gen AI. Are there any takeaways that you can share, or maybe how Token could have helped one of those scenarios, like the $25 million?

John: I'll start with in that we stop that, we stop phishing attacks, but during the presentation I say I'm going to show you three easy steps for any one of you in the audience that can become a cyber criminal. And it's incredibly simple to do that. I mean, everything is right there because, you know, ransomware shifted to ransomware-as-a-service. I don't have to write the code to do ransomware. I can rent it. I can do it on a per use basis. I can do it on a share of the profits, different licensing models. I can find my targets, you know, among those 26 billion records. I can set up a crypto account. I can use TOR to anonymize myself. And the one thing that was missing there was, got to have a great phishing email. Well that changes with Gen AI and there's two things I'd encourage people that are watching this cast to do. One, Google Jennifer Carruthers, IBM, X-Force, Red Team and Gen AI. She wrote a great blog where she tested world famous, you know, Red Team, White Hat Hackers. She tested them against a version of ChatGPT with the safety rails taken off. And it was fascinating. She writes a blog about it. Everybody should read it. She found that her success rate against really smart executives was 14%. ChatGPT was only 11%. Okay, not quite as good yet, but it's advancing incredibly fast. Here's the difference. On average, it took her team about 16 hours to create a really effective phishing email, ChatGPT, five minutes. I asked an IBM exec, about how many people on this planet you think have the skills that that team does, could write phishing emails that good, 10 or 20,000, maybe total universe. Okay. You know, many people could use ChatGPT or FraudGPT, is the unlocked version of it, to write a really effective phishing email, about one or 2 billion, almost anybody with a connection. And when you look at that, I mean, what do, what's, what's the economy when they call it Steve, the, we're all in the gig economy.
You got a car, you could drive for Uber part time. Good way to make a living, nice people, you know, or you could do package delivery. This is the gig economy. Well, if you don't have a strong moral fiber, you could, you could do a gig thing part time, jump on the darknet, and you could start sending phishing emails using those tools I just mentioned. I mean, I'm not revealing any great secrets, you know, that's unethical for me to reveal. It's all right there. And almost anybody with access to the internet can now launch these really effective phishing attacks. So if you look at '23, which was a landmark year for victims of ransomware, phishing attacks, and you say, now there can be much more attacks by much more people. I mean, what do you think '24 is going to look like?

Steve: Just a few moments ago, you mentioned some of the, the rogue nation states are - call it the cold war enemies of the modern time. They have operations that are attacking us. A lot of the ransomware attacks come from Russia or from China or from Iran or from North Korea. And there's this ongoing debate we see in the news about physical border control. And we need to take control of our borders in the south, and we need to prevent people from coming in. But our cyber borders are wide open. People are using VPNs. They're in different countries that we can't even touch them and persecute them if they do get caught.

Where do you think the strategies are as companies look at new tools, or even as a country, how do we defend against those, combined with the Gen AI attacks?

John: Yeah, great question. And I think it's simply looking at what type of attacks are coming in and how do you stop them? And right now the majority of attacks are phishing attacks that are designed to put malware on, steal data, get malware in, get access, exfiltrate data, lock up the business, extort them, you know, single, double, triple. And, but most of them are getting in today by defeating legacy MFA. So our mission is to stop that, break that chain. Make them find some other way in. And it's not like all these cyber criminals are going to say, "Oh, wow, we can't get in because of Token Ring. I guess we'll go find, we'll go find other jobs. I'm gonna paint. What are you gonna do? Plumbing?" I mean, they're just gonna attack other methods. But if you do it first, they'll attack other companies instead of you. And the other methods are well protected and much harder to get access to. So the single easiest best first move for most organizations is to look at their MFA, look what they're using, and say we have this group of privileged users and senior executives. We have to protect them in a much better fashion right now. Or they'll become, they'll become the next MGM, Caesars, Johnson, Haynes, Dole, and so on.

Steve: That's great advice. Well, as we look at this is early 2024, as you look at the next year for Token, and maybe even the bigger picture of the company, where do you see your market going? Authentication, wearable authentication? How is this going to evolve over the coming years? 

John: For us right now, it's we've come out of the gate strong, huge interest from what we do. I think part of it is that there's so many great vendors out there at most events and they're, you know, sending out information and a lot of it is hard to discern and we show up with something that's totally different. So, you know, we're getting huge interest. We've got over a hundred POCs that are running and the Ring just became available across every industry, auto, healthcare, finance, big banks, little banks, insurance providers. So for us, it's building that business out, bringing those POCs into revenue, expanding. Obviously, ransomware is a worldwide phenomenon. And many of the larger organizations we're talking to have global offices. So, expanding globally to do that. We're also looking at other form factors where we can use the things we're doing, making it passwordless, making it biometric, making it easy to use and hard to lose. And so we're, we're already looking at other form factors that we'll bring out and then, and then improving their Ring, making it smaller, you know, easier, less expensive, all the things. When you look at, you know, iPhone 1, someone gave you an iPhone 1. Now you'd think things, I'm supposed to use this, you know, when it came out, it was world changing. So this is kind of like our iPhone 1 where right now, compared to what's out there, it's kind of world changing. But there's still a lot of opportunity to enhance its capabilities.

Steve: Yeah, well, you'll adapt to different styles and preferences, and if you are going to have different form factors, I think that is a powerful way to extend your reach and to reach more consumers and businesses. That's phenomenal, John.

We're running up on time. If you've seen any of the episodes of Executive Series, you may know, I like to go just a little bit further than the LinkedIn profile. And I was doing some background research, I see you're, you're based in Chicago. Are you a Chicago sports fan, go to any teams that you work for?

John: It's not as easy these days to be a Chicago sports fan, you know, I grew up in LA, so I'm you know, falling asleep at night, listening to my transistor radio at the Dodgers, and Scully calling the Dodgers, and Tommy Lasorda, so if I'm a fan of anything, it's probably the Dodgers. Sorry, my fellow Chicagoans. 

Steve: All right. Well, where do you like to spend your time outside of evangelizing Token and building up the company? Any causes that are important to you or hobbies? 

John: Absolutely, you got another hour for me? [Steve: Yeah. I've got time.] It's really about people, you know, it's feeding Amer… I'll put a pitch up for feeding America.

Number two charitable organization in the US, 99.9 cents of every dollar goes to help people. I'm a huge supporter of theirs. They can actually feed a person for just five cents. You give a dollar to them, they've created 20 meals. And so I love that organization. 

And then children in the foster system. You know, these are kids that are awesome, gifted kids that just need help. So I think it's really about, you know, helping people. In a way, Token Ring helps people because when companies get, 60% of small businesses, I mean these type of businesses, get hit with a cyber attack. More than half of them go out of business in six months. There's people who've lost jobs, they've lost income. Huge impact on their family. And I do like the patriotic element of what we're doing and that we're protecting, you know, US businesses from, you know, our enemies - Iran, North Korea, China that are trying to hurt our way of life, interfere with our democratic process, hurt our businesses. So, I, that's also helping people.

Steve: Yeah, you're absolutely right. One of the recurring themes for the podcast is just speaking with the superheroes of our industry. Because you're fighting crime. You're stopping money laundering, which is helping terrorism and human trafficking and those two causes outside of work that you mentioned, you know, helping people with food insecurity and supporting the foster system. Those are, those are really great, John.

Well, as we wrap up for those that are listening to the podcast, what type of conversations are you interested in having? How should people reach out to you?

John: You know, the website's a great place to start. You know, we have a form on there where you can learn a lot about the product. You can learn a lot about the types of attacks. I mean, people are experiencing, they know what texts they're getting. But, there's a big button at the top, try Token Ring. Anybody says, this sounds interesting, I'd like to put one on my finger. I'd like to try it, you know, see how easy it is to use and implement. We love getting Rings out there. That's, that's the easiest thing to go website, click on, try it. We have all kinds of experts that we'll talk to people about their situation, their IAM architecture. We fit in without a heavy sales pitch. We just, we love our product, it is in high demand already. So, it's not a hard sell, but it's just, here's information. You can draw your own conclusion.

Steve: Great. I've seen the Token Ring in person, actually myself. I was at the FIDO Authenticate show this past October. So I definitely recommend people get your demo in the mail or go to a show. Are there any events coming up that are top of mind that people could see your product?

John: Yeah, we do about 30 or 40 events a year. We'll be at RSA. We'll be at the Authenticate again, and we'll be at Identiverse. And then the Cyber Risk Alliance has a traveling show that goes to 30 or 40 cities in the US and we're usually there telling our story and with Rings to demonstrate. And people can find us at those events.

Steve: Great. I'll be sure to link your events page in this episode too, so they can see all the different places you'll be at. John, thank you so much for taking the time to speak with me today. I'm really excited to watch your progress in the market and to see you grow and succeed. So, thank you. 

John: Thank you. It's been a great pleasure to join you. I really appreciate the invitation. I hope listeners got value from what I shared and I'm happy to answer any questions. People can reach out to me directly on LinkedIn with any questions, I'll engage with them. I'm happy to, it may be short answers, but we're out here to promote a new way of solving an old problem that is a huge problem. So thank you again very much, Steve. You have a great program. It's an honor to be on it.

Steve: Oh, thank you, John. Alright, bye.
