Easy Prey Podcast

Predicting Network Vulnerability with Hari Ravichandran

“Your life is not in pieces. Your security is one large continuum.” - Hari Ravichandran

If AI knows your data patterns, it can help keep families safe online by preventing cyber security incidents from happening rather than just reacting once they do. Today’s guest is Hari Ravichandran. As an engineer by trade and entrepreneur by nature, Hari has a track record of founding successful businesses in technology and security. After a painful personal experience with identity theft, Hari founded Aura, a way to simplify digital security for consumers. He has since grown Aura into a business worth over 2.5 billion dollars dedicated to creating a safer internet for everyone through an intelligent, proactive platform.

“Do not use the same password across devices and services. If one gets breached, all the others are in danger as well.” - Hari Ravichandran

“Ease of use is a compromise to security.” - Hari Ravichandran

Transcript:

Hari, thank you so much for coming on the Easy Prey Podcast today.

Thanks for having me, Chris.

Can you give myself and the audience a little bit of background about who you are and what you do?

Great. My name is Hari Ravichandran. I'm the founder and CEO of a company called Aura. Aura is basically a company that's dedicated to helping families feel safer online. We've got an all-in-one product that helps people take care of cyber threats and prevent things from happening versus being reactive.

The question is, how did you get into that field? Is there something that happened in your life, or was that just, “I see a need to fill and I'm going to fill it”?

It's very much the former. I had an identity theft incident that happened to me in 2014. I was applying for a mortgage, or maybe refinancing a mortgage, and it got denied. I started looking into it, and there were a whole lot of fake accounts inside my credit. I got very curious. I'm like, “How does this happen?” Because I've never really thought much about credit or personal safety-oriented items, especially online.

The more I dug into it, it seemed to me that it was actually a fairly complicated problem without a real solution. There were a lot of point solutions. You talk to the experts and they say, “Hey, buy this thing, then this thing, and then this thing.” There were eight things you got to put together.

There are never really answers as to why, how this happens, and how you prevent it. That really was my motivation because I'm a technical person. I struggled with that. My sense was, there's got to be millions of people out there that just have the same kind of problem, a lot of anxiety around it, and not know how to fix it. That was my motivation around being interested in this space and started Aura.

Got you. As you're part of going through this, did you learn how your identity got out there, or is it still a mystery to this day?

I came upon the most likely situation. I never could prove it one way or the other. I think there had been a data breach some six or eight months prior because it was the first bank account that I saw. I think the information got leaked out to the dark web. I think it got picked up, a synthetic identity got created. As long as the credit supported it, whether it was one person or a team or two or three people, they kept creating new accounts that got set up.

Obviously, I never got the bill support for those accounts. I had no idea until they defaulted, so they created new credit cards, buy stuff, and then default on it. That shows up in your credit, and that's the first time you find out that you actually have the card. That's the closest I got to trying to figure out how this might have happened.

Got you. How long did it take from the time that the first account was opened until your refinance triggered the fact that this was going on?

It was seven months. It was a seven-month window. By then, I had marks on my credit that was three months overdue, four months overdue. I suspect that if I'd waited a month, there would have been a collections person that came back for me. I haven't quite gotten to that point yet, but it was six to seven months, basically.

They really had three to four months of playing around and utilizing your credits before things started triggering in a negative way.

Exactly. I think there were probably two or three months of card setup, et cetera. Typically, the credit companies, as I came to find out, will report 30 days, but it's not always. Some will report sporadically. It's not always to all three bureaus. Sometimes there are one or two bureaus and sometimes not to the third one. For everything to show up in a comprehensive way, it's going to be a six-ish month window is what I would say.

That is just messy. Coming from a technical background and maybe a little bit more understanding of these things, how long from the time that you found out about it until all the issues were taken care of?

It was a long tail, I would say. The basic stuff, which is getting my credit locked, credit frozen, and getting information removed, that actually did take me a few months because, again, the bureaus they have this issue where they don't know if it's a real identity theft incident or you just didn't pay your bills, and now you want to go back and have them modify stuff.

I actually had to hire a lawyer to help me go through that part of the process, then getting rid of all my credit cards, and getting new credit cards issued. At that time, it was probably a week or so right after to get it all back and then to go back and change all my passwords, modify all the account services. Some of the accounts, you set up and you just forget that you had that account. You tend to use the same password across many of these, like I used to back then. Now those are all at risk, so that took me a while.

The longest tail item was with the IRS because once this incident happened, starting that year, every time I'd filed my taxes, I'd get a note saying, “Hey, show up to the local field office to prove that you are in fact you, so bring your last three years of printed-out copies of your tax returns and all this identification stuff.” That actually lasted five years. Basically, every year for five years, I would get a note saying show up to the local office, to the point where I got to be friends with the lady that was checking to make sure that I wasn't myself or somebody.

Letters from the IRS are never what anyone wants to receive, especially for five years in a row.

Exactly. There is a long tail to this incident for sure.

Wow. What tools does Aura provide to help? Do they shorten this tail, identify earlier? Let’s talk about some of those tools.

The thing I realized at that point, which again has been a lot of the driving force behind how we thought about products for Aura is, your life is not in pieces. There's not just identity, there's not viruses on your computer, there's not just transactions that are quirky type of thing. It's one large continuum. Your security is a large continuum in a lot of ways.

To be able to get a full view of your security footprint, you have to look at all of that data. Whether it's your transaction data, it's your desktop, file scans where there’s malware viruses type of thing, browser data, your connected device data at home. That was at the core of what we started building. How do you get a holistic view of this individual or this family? What did they actually do? And where are their safety gaps, basically?

Initially, it was a little bit more reactive where you say, “OK, if we find an issue, how do you speed up the learning of the family?” In our case, let's say it's an identity incident like the one I had. We made sure that we were connected to all three bureaus on the back end. You would get an alert from any of the three of them if there was an incident within a few minutes, basically. It's rapid alerting.

Over time, we've morphed now to how you try to prevent these things. The way we think about it is let's say your house is on fire. You want to have a really good fire alarm so you can get there as quickly as possible. But if you're still getting the alert, there's still a problem. Your house is still on fire. The best thing would probably be to prevent the fire, if you can.

That's a lot of our product direction now. How do you do things proactively so you can prevent these incidents, which could range anywhere from looking for patterns and the patterns look a little quirky, automatically locking your credit on your behalf, or both prompting and assisting you in changing passwords of vulnerable accounts, making sure that you've got real-time scanning happening out in the world? A lot of these actions end up creating a real security view of that individual or family and then coming up with the ways that we can help them toward potential issues.

So many of the tools involving identity theft up until now have really been more reactionary. I think one of the companies has always advertised it as, it's great, but you want the security guard to stop the event as opposed to say, “Hey, guess what? Someone broke into your building.”

Exactly, yeah. There's definitely value in knowing it, but there's a lot more value in preventing it, for sure.

Is that just part of how the market has grown and this space has moved from being reactive to being proactive?

I think the reactive to proactive part, there's a few underlying trends, I would say. There's a lot more demand for these kinds of solutions now because families are a lot more connected than ever before. In our home, at any given point in time between the kids’ devices, my devices, my wife's devices, there’s probably 50, 60 devices that are online and operational. These are 60 potential entry points into your digital life to be able to gather data. A lot more data, a lot more connected devices. Families are a lot more connected.

From a criminal's perspective, now you've got a lot more entry points to get this stuff. On the good guys tally, there's a lot more technology, especially with AI and data processing. We've got the ability to scan through lots of things to be able to predict what could be potentially risky. For example, the way we do it is we create a large security graph with all of our customers' data. We try to traverse through it and we say, “OK, based on this set of patterns for this individual or family, and we do it in near real time.”

We say, “OK, you've got a high risk of this incident happening.” Once we know that, then we can try to cater the solution in a way that makes sense for you and your family. That benefit gets enabled because there's been more and more emergence of available compute. A lot more of the compute cost has come down quite a bit. A lot more learning models in ML and AI that have the ability to predict based on the past, basically, as well.

Is it the present or future, where you just start to look at these are normal behaviors and start to see, “Hey, there's something going on here on the financial side that's out of line with the consumer’s behavior. Here's more data moving around than we normally see.” Is that where you're going or what you're doing?

I would say we're halfway there. We're not all the way there yet. Every day, we get closer and closer. I'll give you a couple examples. With our new product we're rolling out now, let's say you get a phone call. The product will now analyze the call as it's coming into your phone. It'll ask your intent like, “Why are you calling?” Based on the intonations and the words you're using, it'll determine the intent.

The things that you have scam intent on, that will route you automatically to a messaging system where you can leave a message if you want to, transcribe it and send it over to your app so you can actually scroll through and look at it. If it looks legitimate, it will forward that to you. Doing all that in near real time as a call is coming in, that tech didn't used to be readily available three or four years ago.

Another example I'll give you is, let's say I'm looking at your transaction patterns with their bank account or a credit card. I say, “If Chris is spending $200 at Amazon, that doesn't seem weird because I see the data patterns where you actually do that periodically.” But if you're spending $200 at Starbucks, something's off kilter because that is not contextually what you typically tend to do.

Again, if you have all of that data sitting inside once in a central store, and you've got it mapped out in a smart way, we can do that in almost near real time, basically. We keep launching more and more use cases. The central trove of stuff is available, but every week, we're like, “OK, here's another thing we're seeing with customers. Let's roll out a case for that so we can help them prevent that issue type of thing, basically.”

There was a particular incident in my past that I was always impressed with, and I've never quite been able to figure it out. Someone had cloned my credit card or created a credit card with my number and used it at a local hardware store within the range of what I would normally travel. If you looked at my purchase history in the zip codes, you'll say, “OK, that's within his normal history of where he goes.” They tried to purchase, or maybe they did, a gift card or something like that at a name-brand hardware store.

They sent me an alert saying, “Hey, we think this is a fraudulent transaction. Can you confirm this?” I was particularly impressed because it's very conceivable that I would go to that store. It's very conceivable that I would spend that amount of money. How did you know that that was the fraudulent transaction and stop it?

That is actually pretty good. Typically, when you do geofencing, you will see that, hey. There’s another version of a Hari somewhere in Miami buying gas. I go, “OK, that's not the case because I see other transactions from the real me in Massachusetts.” Clearly, one is off kilter. The printing of the credit card, you can go to the dark web, and you can buy rows of credit card numbers that get pulled up in a breach or something like that.

The example you go through is good because whoever the criminal there was knew how to fence themselves inside the right geo and keep it under a certain range. I'm curious how they were able to determine it. That is actually pretty cool.

Unfortunately, I can't say that they've been consistent about it. I was just impressed with this one transaction. There was something about it or something about similar transactions that were happening at the same time that the credit card company was able to identify it. That starts to become more and more in the future when it works, but I imagine when you get systems that are overprotective and you get false positives, that becomes another problematic situation.

Yeah, it's an annoyance. People then get immunized to it in the sense that if I keep sending a bunch of alerts that don't mean anything, at some point, they're like, “OK, it's like a boy cried wolf. I'm not going to bother looking at it anymore.” It's a nuisance factor.

For example, even with the financial alerting, we would go to customers and say, “Hey, set up a threshold of where you think your alerts are odd, or set up a threshold or a limit.” People would set up $50 or $500 because you don't know how much you spend on a per-transaction basis. If it's 50, they get 50 alerts, and they say, “Oh, my God, this is really irritating to me.” If it's 500, maybe they don't have that many transactions, so you don't get very many at all.

I think we're asking the customer a question that they don't have an easy time answering. Let's actually go figure it out with the data. That's when we started doing something called a smart thresholding that we do now. Those are the types of things you learn about how much customers pay attention to stuff and how much you can use systems data AI to actually make their lives a little bit easier.

At the end of the day, our simple vision is families and users just need an easy button. They basically should be able to go and say, “Hey, I want to pay you my $15 a month, and I don't want to worry about this stuff.” Just make sure that it all works in the backend because everybody's got busy lives. They’ve got other commitments, and don't want to worry about this stuff. That's the core of the problem.

I've run into the same thing while setting the credit card alert balance. I think I found the sweet spot now that works for my wife and I that we get alerted on the things that matter and other things that are too small. We're not overwhelmed with alerts.

We travel internationally from time to time. I had international. Anytime there's a one cent transaction internationally, alert me. Because for the most part, I'm not going to be traveling internationally. If I'm buying from a vendor overseas, I want to know that I felt that was safe. We recently went traveling again. It got very old very quickly that every time I used a credit card, I got an email, I got a text message, I got an alert in the app.

Even with the bank example you're talking about, when I travel internationally, if it's an off-pattern, now I've learned to actually call the credit card company because when I go there, it doesn't actually work. As soon as I tried to take money out of an ATM, they're like, “OK, for security reasons, we've actually now blocked you.” Then it's a hassle. You're trying to pay a cab or something like that, and you don't have cash.

Now, before I travel, I call them up and say, “I'm going to be in this place. Can you make sure that the alert doesn't trip?” I'd say it's 50/50. Half the time, they get it and half the time, it still happens no matter what.

It's funny because, at least where I bank, they used to say, “We want you to tell us when you're traveling internationally.” Now they specifically say, “We don't want you to tell us.” I'm like, “OK, you're sending mixed signals to me.”

This is a running joke between my wife and I. If we're going to travel internationally, and a card is going to get compromised that year, it will get compromised within 24 hours of us leaving the country. If we're going to leave on a Thursday, I get an email on Wednesday saying, “Hey, the card has been compromised. We're going to cancel the card. We’ll send you a new one, and we'll FedEx it.” I'm like, “Unless it would be here before I need to leave for the airport.”

One bank was like, “I could do overnight, but I can't guarantee morning delivery.” I was like, “Oh, gosh, what can I do?” I was actually pretty impressed because their suggestion was, “Fraudulent transactions are happening in the United States. How about this? We will only let your card work in the countries that you're going to visit,” which is usually the opposite of most people's behaviors.

I don't want my card working internationally. I only want to work in the US. They're like, “We can cancel it in the US and have it work internationally. When you get back, you'll have a new card.” I was like, “Hey, that is a great solution.” It's nice to see that entities are trying to be more solution-oriented, as opposed to, “Hey, we're going to send you a new card. We don't care what you do or don't want. If it sits on your porch for three days while you're out of town, tough luck.”

Yeah, and that's great. I do think people are getting smarter about the hassle factor because so many get affected by it. I do think that systems are progressing and getting better as well. I still think there's a lot of gaps. For example, on our site, we have a lot of content around different phishing scams or different scams that happen. Sometimes I'll talk to customers just on the chat, and I'm still amazed by how many variants of different scams there are out there. It's ranging from Facebook scams to romance scams, to any variety of human needs that people are able to now socially exploit and find a way to actually go for money from it. Some of them are fairly ingenious and very, very clever.

I think one of the challenging things is it used to be that you could say, “Hey, just watch out for someone who says this phrase. If they say this phrase, you know it's a scam.”

Yeah, it was the Nigerian prince, right?

Yeah. If someone says, “I'm a prince,” ignore it. Guess what? They’re not a prince. They're not your long-lost relative. They don't have lots of money for you. It was easy.

So many of these scams have gotten so nuanced, and there's so many flavors of them. They come out so fast, they adapt so quickly to what's going on in the world. You can't tell people, “Watch out for this, specifically.” Now you have to recognize this much wider pattern that's going on.

Yeah. That then puts the onus on the individual or the user because now they have to become better at pattern recognition. It's like, “Oh, like this is happening. I think that this could be a scam, so I'm going to be more cautious here, but I'm not sure. Should I respond to it or not respond to it?” It does put a little bit more pressure and stress on the individual.

You're exactly right. There's just too many variants that unless we're working on some solutions, even for the different scammers, because we've been studying that for a while, but again, without AI, without the learning systems, it'd be practically impossible because there's just too many flavors of it. It changes very, very dynamically.

I think the one to mention, as we're recording this, is in mid-February, there's been a big earthquake in Turkey and Syria. I haven't seen them yet, but it's just a matter of time before the fake charity starts popping up and saying, “Hey, help people.” For those that have good nature that didn't want to help, it's sad that we have to warn people. You can't trust people contacting you and asking you for help in natural disasters.

The inbound one. We're just past Valentine's. Believe it or not, that's a huge spike window for a lot of romance scams, setting up catfishing profiles, using that to then demand money. I think that social engineers know how to prey on the vulnerabilities of regular folks. The two biggest vulnerable elements inside of family that we find are kids and elders.

I think they're really targeted like with elders, for example. They know how to call at 2:00 PM or 3:00 PM, which is the dip in their day. They'll use cue words like church, services, et cetera, that then gets the elder to open up. They've gotten so smart and it's so very programmatic now that the pressure then comes back to the user to say, “OK, I need to know about this stuff, and I need to protect myself to make sure that I don't get in trouble.”

I know that you are huge on protecting connected families with your products and whatnot. What is the most common low-hanging fruit weak spot that people should be like, if there's one thing that you start to work on…

I'll give you one that's almost a tie, I would say. I'm going to give you two. One is definitely going to turn on MFA on all your devices to make sure that you've got 2FA or whatever the factory protocol is. If you have the availability, too, with the service, make sure you've turned it on.

The second is don't use the same passwords across all your services. Try to use a password manager because, again, if you have 50 different services, now if you think about if one gets breached, now all other ones are in trouble as well. Make sure that you're going to start segregating your risk a little bit as well.

I have a question about two-factor authentication that I ask everybody when we talk about two-factor authentication. Everybody has an opinion, question about 2FA. The way I look at it, there are three primary 2FA mechanisms: SMS messages, which pretty much everybody's familiar with; an authenticator app, which is basically the same thing, but within an application; and then a hardware token.

I think the conventional wisdom is, hardware token is going to be the most secure, then authenticator app, and then SMS. Security purists will say, “SMS, don't even bother. It’s not worth it. Don’t waste your time.” While they go with a hardware token. But I know my mom is not going to use a hardware token.

There is the problem. You have to look at the convergence of the purity of tech and the usability of the tech as well. In a lot of ways, you say, “Hey, you have to go get a hardware token to be able to cycle through the codes, so it's changing much more frequently.” An elder would have a lot of trouble, so they will do nothing. If it's a spectrum of 0-10 or for safety, you'd rather somebody be at a 3 or 4 by using either an app or SMS, which is much easier to use, versus being at a zero because the hardware is so hard to get set up and not be able to use.

For an enterprise, it's a different story, where you have an IT team. You have the ability to train your employees. In that kind of a setup, at a minimum doing app-based, whether it's Okta or whatever the services that you decide to use, that feels like the bare minimum, to be honest, versus a text-based thing again, for an enterprise. But for a family, if you can even get them to do SMS-based 2FA, that's better than not having that at all.

Yes, the security purists are right. There are many cases where that can be spoofed, and there could be lots of issues that you're going to create out of it. But if it reduces the incidence of fraud by 30%, 40%, 50%, you're still better off with that because it's usable versus having nothing at all. It's the way I see it.

My belief on it as well is I'd rather have insufficient security versus no security.

A hundred percent. I'd say there's a spectrum. Again, if you are in that little bulk, where you're already a nine, but a nation-state is coming after you or something like that, again, the amount of security and the kind of surveillance and stuff you need to set up there is very different than a regular person that basically is just trying to go about their lives, and don't want to think about five passwords because they're using the same password over and over again, and have no periphery security and nothing watching out for them. If you can bring that person from a zero to a five, it's still movement in the right way. It's the way I see it.

Some security is better than no security.

A hundred percent.

I know you have a book that, as this episode launches, it will be immediately available. Intelligent Safety: How to Protect Your Connected Family from Big Cybercrime. I've done a number of episodes on that.

Cybercrime is no longer the guy sitting in his mom's basement, but it's big business. It's almost corporations. It's groups of people doing very complex things these days. What are families supposed to be able to do versus entities that have made it their mission to get as much money from people as they can?

I think what you said is really insightful and important because 10, 15 years ago, if somebody was hacking into somebody else's devices, maybe a script kiddie that wanted to go tell their buddies that, “Hey, that system is our pride and that type of stuff.” Now it's an organized system. There are people that harvest data, there are people that know how to monetize the data, and there are exchanges where you can transmit and look through the data.

I think, a little bit, the motivation behind the book for me around this intelligence safety notion is just making people aware of the fact that there's so much of the stuff going on underneath the surface. Because if it's not part of your line of sight and your filter day by day, you just don't think about it because you get occupied with whatever your day is bringing their way.

This is a way to say, “Hey, there is a lot of this happening. It's something you have to pay attention to.” It's almost a step-by-step guide that basically helps people first understand and then how to think about security. Again, it's less about buying our product or whatever. That's less than motivation for us here. It's more that this is a real problem that a lot of people are unaware of, until it hits them right in the face.

In my case, my identity got stolen. You've got this huge pain point in the backend, where you now have to go back and clean up all the stuff. A few weeks after that happened, I was not very focused at work. I was like, “Oh, my God. I got to go solve this issue.” I'm not available for my family, because I'm stressed out about this stuff saying, “Hey, is this going to be a real problem for me or not?” That tail continued for a while.

Just being aware, smart, leveraging some technology that's already out there, and turning the tables a little bit on the bad guys. Can you get yourself protected enough that they're not able to get into your systems or your periphery? Like what we were saying earlier, a basic amount of protection is still better than none at all on the backend.

I think it's more of helping people understand the landscape and understanding what they can actually do and giving real examples of, “Hey, like this actually happened.” Some of the examples are like, “I didn't think that that could happen, but it makes sense that it did, and now it could impact my life in this manner.”

We were talking earlier about you've got 40 or 50 devices connected to your network in your household. I've got about the same amount here as well. At some point, in the recent past, I was looking at some of the tech that I had on my network and went, “Let me check for firmware updates on these. These things have been on my network for a long time. Let me check for firmware updates.”

I was surprised that there are a couple of devices that have been on my network for four or five years, and there were no firmware updates. Coming from a programming background, things break all the time. Mistakes are always made. For there to be no firmware updates means no one's maintaining this. Whatever weaknesses this thing has, it's got weaknesses for five or 10 years. I bought this because it was cheap.

Consumers have to start thinking differently about the things that we connect to the network in terms of not just what's the security profile. One thing is like, “Oh, I want a doorbell camera. Oh, let me just buy the cheapest one that meets the bill.” As opposed to, “Who's going to maintain the security of this thing for as long as I have it installed on my front door?”

You’ve got to go one way or the other, which is either put some sort of protection on top of what you're buying to make sure that you are in control of your own security, or do the diligence on, “Hey, is this something?” Think about it in the physical world. How often do you invite a complete random stranger into your home? You don't. You basically say, “OK, this person could be crazy, and they could try to do something harmful to me or my family.”

You're always thoughtful about it. You lock your doors. It's not like you leave your windows open and lock the doors, but you lock everything if you can. In a lot of ways, you think about your digital life in the same way, which is, who are you letting inside your network? Are you making sure that all your doors and windows are locked, and if there isn't somebody entering your digital world, do you have enough sentries in place that are alerting you, letting you know this is happening, helping you prevent some of these negative issues from happening?

You either have to go that path, where you're getting a service, getting some set of services that get you comfortable, or you’ve got to go down the path of saying, “OK, I know that this company is well-funded. They have a real reputation to maintain. If they get breached or their devices get breached, that's going to be reputationally really bad for them.” It may cost a little bit more, but the price you pay when you add it all up, if something negative would happen is going to far exceed the extra dollars you're paying for that piece of hardware or device.

You hope that's the case. Unfortunately, I think there's been a couple of notable bad choices by a couple of large companies. I know Eufy had an incident recently where they hadn't really maintained data the way they should.

There’s definitely those types of things that happen. You're playing a little bit of a probability game. Again, if these things look right, it's a big company, probably have a lot of resources, probably care about their reputation, it doesn't mean that it's always the case. But it's better than somebody that you say, “Hey, I haven't launched a firmware update in 10 years.” It's the two ends of the spectrum, if you will.

At the end of the day, the big lesson is, it's a little bit buyer beware. It basically comes down to the individual or the family. That's where our mission comes in, which is, “Hey, how do you actually aid these folks?” Because if I go to my mom and say, “Hey, you’ve got to do all this stuff to keep yourself safe,” she's like, “OK, can you just do it for me? I don't know what to do.”

I might be able to help her, but there will be families where you don't have the time or the expertise to be able to help them. Helping guide these folks and making sure that they're safe is a large part of what we do on a day-by-day basis.

Maybe this is a challenge that you're trying to address. As we get more and more technology involved in our lives, it's harder to maintain that tech, harder to understand what the risks are of it. Even me living from a tech perspective, I just don't know all the risks that every device brings. How are we supposed to be experts about all of this even if we want to be?

You can. You can just apply some best practices upfront, and then after that, whether it's our service or a series of eight other services that you're going to go buy individually, you have to put that stuff in place. Because if you don't, as you're saying, I can't be an expert on the Ring, Alexa, Nest, and all of these different things. No one person can do all of that stuff, so you definitely need something that's a sentry that keeps you safe.

Technology is amazing. It makes our life so much more easy, so much more convenient, but I don't think a lot of people equate ease of use as a compromise against security. It doesn't feel like it ought to be that way. Those should not be the parallel opposing ends. But unfortunately, the way it's set up now, it is. The more tech you enable, the less secure you are because of all these things we've been talking about, in some ways. That's just how the ecosystem has evolved, unfortunately.

It's a constant battle. Again, I'm an optimistic person, so I feel like every day, every week, every year, people do get better, things do get more safe. The criminals also, unfortunately, get smarter. Same tech also enables them. It's always this cat and mouse, but overall, it's a good trajectory, for sure.

You're not saying we should all just unplug everything and go live in a cave.

You would certainly be safe, that's for sure, but you would also probably be bored out of your mind at that time as well.

I don't think anyone wants to unplug the refrigerator.

Yeah. I think those days are gone.

Let's try to get practical on something useful for people with a connected home. Is there something like, “Here's one thing that you can do to keep your connected home safer from cybercrime”?

Anything that's able to be monitored. There's lots of solutions out there for IoT scanning and IoT security. That basically will list your device. It'll basically tell you when the last update was on the device, et cetera. You're going to have a little console, so you can look to see what's happening inside your household. That, I think, is very beneficial.

I do think that again, like we were saying, on the front end, if you can do a little bit of diligence before you buy things that you're putting into your home—do they have a history of breaches? For example, for our kids, we're buying baby cameras. Those are enabled with IP addresses, as you might know. We did a little bit of work to see if there was any incidents of breaches or break-ins through to these devices. That, again, is your most precious property. It's your kids, it's your privacy.

Doing a little bit of diligence upfront will go a long way. It doesn't give you a guarantee. As you were saying, even with the smartest programmers, security bugs can happen that's just too complicating a system, but you are bettering your odds to make sure that your home is not crazy-vulnerable, basically.

Do you see a time when the routers will ship with implemented security zones by default, where it's like, “OK, put your computer and your phone on this network. Your IoT stuff on this, and put your kids on this?” Do you see manufacturers going that direction at some point?

Again, it comes back to that same thing we're talking about with the 2FA piece. It's the convenience versus the security piece of it. Because if you're starting to zone out your router, and you're basically telling people to connect things into different ports, set up different zones, and sell your Wi-Fi, if you're a technical person who's like, “Oh, wow, you just made my life a whole lot easier because I don't have to go do that all manually.” But if you are my mom and she says, “Oh, I was just trying to figure out where to plug the wires, and now I got to go do all this other stuff,” that I think is the struggle for router makers as well, which is, how do you make it as easy as possible and as safe as possible? Unfortunately, sometimes those are in dire conflict. If you can make it very easy, it’s hard technically to actually get things separated nicely than I think.

Convenience and security have a certain amount of opposition to one another.

Yeah, that's exactly right.

Where can people find the book, and the title again?

The title of the book is Intelligent Safety. You can get it on Amazon. You can get it at any bookstore site. Feel free to read it. I feel like it's got a lot of good tips that would be helpful for folks, hopefully gets you a little bit more educated on this ecosystem and how it all works, and keep your family a bit safer.

Awesome. If people want to find out more about the services that Aura offers?

Aura.com.

That's just too easy. If people want to find you online, where can they find you?

You can find me on Twitter. I'm on two hours of work. Instagram, it's available as well and via email (Hari.ravichandran@auracompany.com). It's all listed on the sites. Feel free to drop me a line. Happy to talk with you.

We'll link all those in the show notes. For those who don't want to have to scribble and write things down, we'll make it easy for you and link to it all.

Great. Thank you so much, Chris.

Hari, thank you so much for coming on the podcast today.

Wonderful. Great to see you and I appreciate all the time.

 

 
