Welcome to our podcast series Coffee with the Council. I'm Alicia Malone, Senior Manager of Public Relations for the PCI Security Standards Council. Today, I am so excited to bring you a sneak peek interview with PCI SSC's Community Meeting Keynote Speaker, Jenny Radcliffe. Jenny is a world-renowned social engineer, hired to bypass security systems through a mixture of psychology and con artistry. A burglar for hire and entertaining educator, she has spent a lifetime talking her way into secure locations, protecting clients from scammers, and leading simulated criminal attacks on organizations of all sizes in order to help secure money, data, and information. I am delighted to have you join us today, Jenny.
Jenny Radcliffe: I'm so glad to be here. Thank you so much for having me.
Alicia Malone: So, clearly you have an unusual profession. How did you get started as a professional people hacker?
Jenny Radcliffe: Well, there isn't a course you can take to be a people hacker! For me, the journey was really a family journey. Where I grew up in the UK, at the time I grew up, the area was in decline and there was a lot of crime and unemployment, although there were many lovely people. There wasn't really a lot to do, and I'd had some run-ins with local bullies and a couple of similar things that had happened to me. Consequently, my parents, who were both at work a lot, thought that it would be better if I was looked after by my cousins, who were boys who hung around in a big group, rather than mostly being on my own or with friends of my own age.
However, what my parents didn’t know was that the boys were involved in what we now call “urban exploration”. In practice, this meant that they were getting into empty, derelict buildings all over Liverpool, which is where I'm from, and essentially just looking around and exploring.
This isn’t that unusual! I speak at events all over the world and there's always someone at the end who comes up to me and says, "We did that too! There was a haunted house in the neighborhood, an empty place, and we used to do that."
As we got older the boys went to work in security in some of the bars in the city, and we'd talk about what we used to do as kids with some of the customers. Things like the time we spent a night hiding from security in the museum (we did that before the movie!) and I suppose that was really the start of the physical infiltration stuff.
Eventually, some of the wealthier customers took an interest in what we were saying and saw an opportunity for us to help them with their security, by seeing if we could break into their houses and then help them fix any security issues.
The issue with this was that now that the boys were older, they looked a bit threatening and most of the time, the wives and families of the clients were wary of speaking to them. However, I must have seemed friendlier to them because they tended to be happy to chat to me, and so I would put them at their ease and talk to them about any problems, write up a little report (which the boys wouldn’t do) and recommend any new alarms or security that they might need.
So that’s how it started, really. After their homes, the next thing the clients looked at was their businesses, and we got busier just through word of mouth. Although this type of test wasn't very well known at the time, we ended up being quite busy!
Over time the boys lost interest in that type of work, and I had a more conventional career as my main job. However, I had made connections that continued to ask me to do what we now would call a penetration test or a physical infiltration, so I still took on the work. I had learned fairly early that it was easier to talk my way into a site than to break into it, and because I must have appeared quite innocent looking, security guards, receptionists, etc., generally didn’t question me.
Over the years, I always did social engineering alongside my other, more conventional jobs, sort of as a sideline. We call it a side hustle these days. But once the internet came online and I started to research, I saw that what I did was actually a legitimate job, and that particularly in the States, people were doing this, charging for it and admitting that this was what they did.
Prior to this, I wouldn't admit to what I did, because I never thought I could make a legitimate living from doing it! On top of that, I wouldn't get hired in a “normal job” if people thought I was an actual burglar! However, once I could see people online who did “pentesting” as security professionals, I eventually came out of the closet, so to speak, and told people this was something I could do. This is why I’m now happy to say I'm a burglar, if you want to hire me, but I only rob you if you pay me.
Alicia Malone: So, in the payment industry, we focus a lot on technical security and various steps we can take to protect payment data. But the human side of security is just as important in this conversation. What are some security mistakes that we all make?
Jenny Radcliffe: There are mistakes we make as businesses and then there are the mistakes that we make as individuals, and in this area, the two things aren't really that separate.
From a business point of view, it can be cultural mistakes, such as a lack of awareness of what social engineering really looks like and how it operates. People have to know what a social engineering attack or approach might look like. Is someone contacting me, giving me an emotional story and content? Are they asking me to go out of context to move money away from the rules, or to do something very quickly, not giving me time to think, or to verify?
We need to make people aware of the red flags to look out for because social engineering, in some form, is responsible for the majority of security attacks and breaches. We need to educate first and then people need to know where to report any problems.
It sounds so simple, but, if someone gets a call or an email and thinks that it may be a phishing email or a social engineering approach, who do they talk to and how do they quickly get support and resolve the issue?
The other key thing for organizations is to foster a culture that is more about support than about blame. We can't blame people for falling for con artistry. We can't blame people for falling for scams. We can't blame people for falling for something that is designed to provoke them into making bad decisions. People need to be more interested in reporting problems than scared of losing their jobs or being shamed for doing so. That, alongside continued conversations around security best practices, really is the key to a more secure culture.
From an individual point of view, we need to be careful about what we put online. It is so tempting and easy these days to put every aspect of our lives online, but this can be a very bad idea from a security perspective.
"Oh, I'm having a great coffee with my friend in this coffee shop I go to every Saturday."
It's not bad to share it, but we need to be mindful of whom we are sharing it with!
Does this show everybody some aspect of your personal routine or whereabouts? What other personal or private information could be in the post? It is helpful to have the mindset of really thinking for a while about who can see that post and what could someone who meant you harm really do with the information?
Once you’ve taken a moment to think about the potential of what you are posting, then by all means go ahead and make a decision as to whether or not you want to post it, and if you still want to, go ahead, that's your choice! As long as it is an informed choice that has considered any potential risks involved!
Alicia Malone: So, how important is an organization's culture in maintaining a secure environment?
Jenny Radcliffe: In addition to my previous comments, I’d add the idea that the security team are sometimes thought of as the only people who really can speak about security, rather than involving wider teams in the conversation.
In the same way that we talk about health and safety, we need to involve everyone in an organisation to talk about security at all levels. We need to get to know our people as well as we possibly can at team level, so that we have a chance of realising if something has gone wrong. We need to know if people are scared or stressed or if they are acting in an unusual way, because that both helps us get ahead of insider threats and opens up conversations about security and potential scams and breaches.
Security has to become part of the culture and become part of everyday conversation for everyone. It's the most important thing. It is just as important as just putting the right tech in place to try and prevent attacks and contain them. Without a culture of openness and communication around security your humans will always be more of a vulnerability than a key aspect of your defences.
The difficulty with this approach is that you can't throw money at it and assume it will be fixed. Rather, it takes time, effort, concentration and attention, and those things are harder than just saying, "I'll write a check."
Alicia Malone: The payment industry, and cyber security roles in general, are often male-dominated. And I'm wondering if, as a woman, you found it easier or harder to commit a criminal attack simply because of your gender. Can you speak about what you've noticed about the role of women in security?
Jenny Radcliffe: I'm asked this a lot and first of all, if someone's good, they're good. Gender is neutral in terms of how good you are!
Personally, as I mentioned before, to most people I don’t fit what they understand to be a potential threat, based on numerous and incorrect prejudices and cultural stereotypes of criminals and hackers. Most people would not think that I look threatening or like someone who's going to commit some sort of crime. I don't look like someone who is dangerous in any way, especially not to a male security guard who is twice my size.
Especially now that I'm a middle-aged woman, in many ways I've become almost invisible to many people if I don’t make an effort to stand out. Particularly in my job, that's actually superb because if no one really notices me or suspects me, then I can do all sorts of terrible things if I’m asked to do them. (Don't forget, you've got to ask me to rob you and you've got to pay me!) I can do those things the majority of the time without anyone really being suspicious of me, unlike someone who more fits the common physical stereotypes we have come to believe suggest criminal behaviours. For example, hackers are not always criminals or people in black hoodies sitting behind a computer, but that is the typical expectation people have of the profession.
I would just add that female security guards have typically caught me out more often than male security guards, which suggests that they are more suspicious of another woman than some men may be. This is a great argument, among a million other great arguments, for more diversity within the security industry.
Alicia Malone: What do you enjoy most about what you do? And what do you find are the biggest challenges?
Jenny Radcliffe: The infiltration side of the job can be very physically demanding, and that is a challenge for me these days as I am older now and used to be much fitter! Once you're inside a building, you're running around all the time and climbing stairs to avoid cameras in elevators and that type of thing. That is quite demanding, and it's easy to get tired, hot and bothered very quickly!
On the other hand, my job is always interesting and generally exciting, and I love what I do. I’m often told that I tell good stories and have interesting anecdotes, but that's because there genuinely is always a story behind every assignment. At the end of the day, I'm in someone's office and I'm not meant to be there! My crew and I are channelling different personas, different characters, wherever we go, and the inventive, creative side of that is so much fun. Additionally, I get a lot of satisfaction nowadays in spreading the word about social engineering and increasing awareness about the dangers, because I know that spreading good advice about the issue genuinely helps both companies and individuals.
Alicia Malone: You are the author of the recently published book, People Hacker: Confessions of a Burglar for Hire. Congratulations!
Jenny Radcliffe: Thank you.
Alicia Malone: Tell us a little about the book and what lessons you want readers to take away from it.
Jenny Radcliffe: It's a memoir. So, it's an autobiography in some ways, but it's more of a memoir because I was conscious that I wanted to write something that people could read quickly and that would be entertaining. So, I wanted to leave out the boring bits that you sometimes find in autobiographies and just get to the meat of it, which is what people usually want to know about me, which is how I got the job and what it really looks like to do it.
The first half of the book is mostly my background and details some of my first jobs, and what the security industry was like in terms of social engineering when I first got into it. In the second part of the book, I detail eight or nine jobs that I've done that show the range of what social engineering and physical infiltration work really covers.
Some of them were funny and others were dangerous, whilst still others show how frustrating a job can be when you don’t have all the answers as to who is hiring you and why. I think the reader has to make their own mind up as to what is going on in the background sometimes, but frustrating as this is, I do say in the introduction that this is sometimes the reality of security. In real life, when we do this work, things can be incomplete; unlike in a movie, there are gaps in knowledge and information that are not neatly filled in.
I do think though, that readers have enjoyed trying to fill in the gaps themselves and I get a lot of messages, emails and social media asking me, "Well, who was that guy? And did you ever find out what that was about?"
What I also tried to do was give insight into what it was like to be a woman in the industry, to run a small niche security business, and to show the evolution of how security is changing.
I also wanted to make some arguments for things like diversity and women in the business, and some of the issues that we have with things like plagiarism. I was trying to give, really, a snapshot as well of what I see being at the level I'm at now in my profession.
I want people to be entertained by it because no one wants a boring book, but I also wanted to show a little bit more about what social engineering really is and how to prevent it. So, when I describe what goes into a job and how we plan it, really what I'm showing is what we look for so that maybe the reader can use that knowledge to prevent an attack by a malicious social engineer in the future.
Alicia Malone: I'm really looking forward to reading your book and also hearing you speak at our Community Meeting.
Jenny Radcliffe: Thank you.
Alicia Malone: Since you're on Coffee with the Council, we like to ask our guests how they take their coffee. Or, if you're not a coffee drinker, what do you prefer instead?
Jenny Radcliffe: If you'll indulge me a quick story, there was this one time when we needed to buy some time from a target, and he asked if we wanted coffee, and we needed him to leave the office. So, I said, "Yeah, can I have a decaf, please?"
Now, if you know me, you know that absolutely isn't me because my motto is “death before decaf”, right?
Anyway, because he was hunting for my decaf, we had enough time to get what we needed from his office and then leave. By the time he got back with the drinks, we were gone and he was hacked!
I actually take my coffee in the morning, strong, a little cream, no sugar.
I don't drink coffee after 11:00, ever, and I very rarely will take anything milky or, you know, sort of fancy. You know when people go to a coffee shop and they want a halfer, three shots, vanilla? Not for me. For me, it's got to be good coffee, but it's got to be strong and then a fairly simple order, and, really, that's all I do, although I never drink, ever, ever, ever, that instant coffee that's in hotel rooms! I would rather drink tea!
Now, I do drink tea because I'm English, but I drink that only until 4:00, because obviously I'm not, you know, an animal. And then after that, we don't drink coffee or tea. So, there you go. That's a long answer. I suppose some people just go black or white. And that's it, right?
Alicia Malone: I like your answer. It's very thorough. There's nothing wrong with that. And I, too, actually take my coffee the same way, so.
Jenny Radcliffe: There we go.
Alicia Malone: Well, thank you so much for joining us on Coffee with the Council, Jenny, and we look forward to seeing you at the Community Meetings this fall.
Jenny Radcliffe: Oh, it's been my pleasure. I'm really looking forward to meeting you all.
Alicia Malone: You can catch Jenny as the keynote speaker at PCI SSC's North America Community Meeting in Portland, Oregon, September 12 - 14, and at PCI SSC's Europe Community Meeting in Dublin, Ireland, October 24 - 26. Registration is now open on our website, and we hope to see you there.
Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Spotify, Amazon Music, Anchor, Castbox, Google Podcasts, iHeartRadio, Pocket Casts, RadioPublic, or Stitcher. Coming soon: Apple Podcasts.