
Beyond Passwords: Identity Security as Hospitality’s Frontline Defense with Jasson Casey and Josh Johansen
About This Episode
Cyber attackers are exploiting the hospitality industry’s greatest strength: trust. In part 1 of this two-part episode, we examine how phishing, AI-driven impersonation, and credential theft are evolving within hotel environments.
Hosts Rachael Lyon and Jonathan Knepher are joined by Jasson Casey, CEO and founder of Beyond Identity, and Josh Johansen, Director of IT at Brandt Hospitality Group. Together, they unpack a real-world phishing incident, why passwordless authentication stopped the attack, and how AI-powered voice cloning and fake documents are reshaping identity security.
The discussion goes deeper into why deepfake detection is failing, why attestation matters more than content inspection, and how hospitality organizations can reduce risk without adding friction. Make sure to stay tuned for part two next week, where the conversation continues into practical frameworks and next steps.

[00:00] Welcome, Jasson Casey and Josh Johansen
Rachael Lyon:
Hello everyone. Welcome to this week's episode of 'To The Point Podcast'. I'm Rachael Lyon, here with my co-host, Jon Knepher. Hi Jon.
Jonathan Knepher:
Happy New Year, Rachael.
Rachael Lyon:
I know, right? Happy New Year. I can't believe it's here. And you know what? I have to say I'm really excited for today's conversation because we've never dug into this topic. If you can imagine, in my many, many years here, we've never really dug into hospitality. So I'm super excited for what we're going to cover today. And also a real-world incident, and talking through that, and it feels very. I can't wait. I feel like it's a movie about to unfold.
Rachael Lyon:
So without further ado, let's introduce our guest today. Jasson Casey is Chief Executive Officer and one of the founders of Beyond Identity, where he steers efforts to eliminate passwords and build a secure chain of trust. He previously served as the company's Chief Technology Officer, bringing hands-on engineering leadership to scale secure identity platforms. He also balances industry leadership with policy and security scholarship as a visiting fellow at the National Security Institute, George Mason University Antonin Scalia Law School, and a CSIS Advanced Cyber Studies fellow. Please also welcome Josh Johansen. He is the Director of IT at Brandt Hospitality Group, where he leads technology strategy and support for a portfolio of hotels operating across the U.S. He focuses on secure, low-friction systems that keep teams productive and guest service running smoothly. Thanks for joining us today, Jasson and Josh.
Josh Johansen:
Thanks for having us.
Jasson Casey:
Thanks for having us.
[01:57] Identifying Real-world Phishing Attacks
Jonathan Knepher:
So, Josh, I want to kick this right off with digging right into the meat of this. Right. So you know, I think we're here to talk a bit about a cyber attack that you uncovered. I'm hoping you can maybe start by telling us what were your initial impressions, what was detected, that you knew something was going on, and how did it unfold.
Josh Johansen:
Yeah, I think in hospitality, the people that we hire to run our hotels and to take care of our guests, and to sell our product. We're looking for those folks that can really build relationships and are warm, accommodating, pretty much everything that a cyber attacker would love to see in a person. You know, they want to make things as easy as possible. And when it comes to the way we sell our hotels, oftentimes we get. We work with travel agents or travel brokers, and there's sometimes commission payments that are paid back for groups and things like that. So it's not unlikely for us to get invoices from lots of different agencies. And there's various mechanisms that we use to kind of balance that out and make those payments. However, once in a while, you know, systems fail, something slips through the cracks, and a manual invoice has to be sent out.
Josh Johansen:
Unfortunately, that's also a huge vector of attack for us when it comes to phishing campaigns. Folks will send out, they look just remarkably good invoice notices, and then they attach them behind a wall where you need to log in to view it. They claim it's, you know, it's in OneDrive or use your Microsoft credentials. And we had recently rolled out Beyond Identity primarily to fight this because we do phishing training, and we do all of this, quarterly and annual tests and training to be PCI compliant. However, we know that our folks are just trying to get the job done, and they're trying to make sure that our vendors are paid and our guests are taken care of. And so when they're faced with something like that, you know, they feel a little bit panicked because they need to get this pa. And the GM had reached out to me, and they said, hey, I need to get into this invoice because I need to pay whatever travel agency it is for this invoice, but I need my password to log into it. I said, well, you don't have a password anymore.
Josh Johansen:
She said, well, no. I put in my email, and it's popped up. I have the Microsoft login screen, and it says password. I'm like, that's a phishing attempt. You can just delete it and ignore it. If it was valid, Beyond Identity would have kicked in and allowed you to view it, but you can just back out and just delete it. She was really sure that it was. She forwarded it over to me so I could take a look at it, and sure enough, it was a phishing email.
Josh Johansen:
They're very prevalent. We have lots of systems to try and stop them. But now the thing that we've noticed in the past few years is they're no longer trying to obfuscate their email address or try to spoof it. And so spoof protection doesn't work anymore. And they'll blatantly just spell out whatever email address it was. And so that lets people think, like, oh, well, made it through everything, so it must be good. But having Beyond Identity in place with that device-bound passkey is really the thing that stopped that phishing attempt or that harvest credential attack. And I wish I could say that that's the only time that that happens, but the reality is we're getting more and more of those calls.
Josh Johansen:
The first time it happened, I'm like, wow, I really made the right decision by engaging Beyond Identity. This was really cool that it stopped it, but now I'm like, wow, it continues to bring value because I get this call probably quarterly about somebody who needs to get into something, and it's asking for a password, and they haven't equated that connection yet.
[05:35] AI-powered Impersonations
Rachael Lyon:
So with AI today, this impersonation and it's really, really compelling, and I'd be interested in, are you seeing more upticks in, hey, it's the CEO, or are you guys getting audio messages, or are there other AI-driven risks that you're seeing becoming more prevalent today?
Josh Johansen:
That's interesting. No, we haven't seen that firsthand, but that is something that I am concerned about. I know that we often get people get the text messages that they say they're from our CEO, and he needs them to quickly go to go on out and buy these Apple gift cards because that's how we, that's what you need to do as a CEO, you know, and we warn people about those. But I am concerned that we will see more of an AI-driven type of thing where they'll, you know, maybe get like a video call or things like that. I know that's more prevalent for us when it comes to like the, our banking side. And so there's more controls in place that we rely on the banks for. But for our organization, AI impersonation hasn't become a full-level attack yet. But I'm sure that a lot of these phishing emails that we get, because they're getting better and better and better, are probably generated by AI tools to make them look like, you know, an AMEX GBTA invoice or whatever it might be.
Jasson Casey:
I'm going to add a little bit there across partners and customers, we actually are seeing an uptick in the AI-enabled adversary, and there are a couple different ways. Right. So like on the, on the sophisticated route through a partner's name tag, right. We've seen adversaries using AI to essentially generate images of government documents to pass ID verification, maybe more in the mid-range. We've seen a lot of voice cloning for phishing and essentially the forward of voice notes for escalation of credibility. That sort of thing. In fact, we even did this ourselves. So, for our holiday party, we couldn't have all of our executives together just because of travel and logistics and whatnot.
Jasson Casey:
And I had been meaning to do some of my. So one of my own projects is I want to build a Claude plugin Red kit for our security team to make sure that we're always kind of using, testing, and generating the most advanced AI tools. And I had been meaning to take a look into the voice cloning stuff. And over the course of a day, I basically got Claude to write a Christmas rhyme in the style of the Night Before Christmas that incorporated kind of the accomplishments of the company over the last 12 months, relegate a section to each of our executives. And then I built a voice cloning pipeline where I basically pulled and processed audio clips for all of the execs. Some of them I pulled off of Zoom, some of them I pulled off YouTube, and then built a mechanism that basically took the script and used the clone for each person for each try, and then kind of fused it together into a simultaneous audio file. And then we ended up playing that later on that night. A couple things that were eye-opening on this, right, I wouldn't necessarily call it Red team-esque, as opposed to this was just like a little bit of research.
Jasson Casey:
Number one, it was less than a day's worth of work. Number two, what I didn't quite appreciate from an adversarial perspective is when you're, when you're doing at least voice cloning, there's two approaches. There's what's called zero-shot or multi-shot voice cloning, where you take an off-the-shelf voice model. And by the way, there's a ton of them available in open source. And these aren't massive models, these are small models that run on your laptop, and you give it essentially 10 seconds of audio of the target or the victim, and then you give it the text, and it will generate an audio file, high quality, in the cadence of your person. And I would say this matched my execs. Seven out of eight of them were impreciate. Like no one would have questioned it.
Jasson Casey:
Right. One of them was weird. But I think that was an artifact in the text because some of the text was all caps. So he started screaming. But this was all accomplished in a day. Most of the tooling that I built out was really an audio pre-processing, like getting the highest quality 10-second clip to then feed into the cloner. I did all of this with basically zero knowledge before the day in the area.
Jasson Casey:
And if I wanted to, I could have done something called fine-tuning the model. Right. And when you fine-tune the model, basically, you're letting the weights move, and you're essentially training on the victim's voice. This probably would have taken me an extra two days to do, but I'm speculating; I don't actually know. I'm willing to bet I would have closed the gap on that last person and made them realistic as well. So the point in all of this is that these tools are life-changing in how we do work. And let's not forget that the bad guys have jobs too. And it's going to change how they come after us.
Jasson Casey:
They're going to be able to impersonate us, not just in how they write things, but in what documents look like in imagery and in voice. And we are seeing an uptick in this. I think it's more in targeted attacks right now than kind of the dandelion style attacks, where you mass mail 50,000 people and see who phones home. But yeah, make no mistake, the world is changing very quickly in this regard.
[11:27] Protecting Yourself from Voice Clones
Jonathan Knepher:
Yeah, so this whole voice cloning thing is, I mean, it's scary. Like I've, I've received some of these attacks myself from, from folks impersonating people I know. And it's really hard to tell, just, you know, when you're on the other end of a cell phone. So what? What kinds of things do people need to do to protect themselves? Like what, what are the strategies now that these attacks are getting so good?
Jasson Casey:
So let's think about this, right? There's two things. So the most obvious thing that I think everyone kind of jumps to, to start with, is how do I know that this is fake? Right? How do I know if this is real? And it's a reasonable question. But the next step is a bunch of people, then jump to the solution, and it's essentially like fake detection, fake detectors. And I think we've had about a year and a half of companies producing the equivalent of deepfake detectors. And I kind of have a problem with that for twofold. From a technology perspective, the deception detection in that regard tends to overly focus on essentially what are signal processing artifacts. And if you look at how these models work and how these models are improving and over what time, it's really easy to imagine, or it's hard not to imagine, if we want to double negate it, that the models are going to be, the output of the models are going to be imperceivable from reality. So, is this really even going to work?
Jasson Casey:
But then ignore the technology question and just think about it as a user behavior. If all of this is there and you're sick, but you want to be on a call, why wouldn't you voice clone yourself? You got kicked. Look, we know you love your horses. We know they're really dangerous. You got kicked in the face over the weekend. And so your jaw is barely hanging on, but you still need to be on that call. And you probably don't want to let everyone say they told you so. So you're going to video clone your jaw back into place, right? Now, obviously, the more realistic example is like makeup filters, blemish filters, and enhanced lighting, and whatnot.
Jasson Casey:
But, like, what's the difference if AI is really around the corner? You can't take the position that only bad people use AI. Everyone's going to be using AI. So the detection or the presence of AI is not a meaningful question to even ask. A meaningful question to ask is, who is this coming from? On what device is it coming from? What's the level of trust and belief that I have there? And so I would posit that whether it's with a company like ours or someone else, the solution is attestation, right? So video products, audio products, communication, and productivity products need to actually start attesting to the author's identity, the device's identity they worked on, and that sort of thing. And you know, we have plugins for Zoom and Teams and Outlook that kind of do this in our product. But like, let's say we go beyond Beyond Identity. I do think that's the way of the future, right? Like, if all sensor data can be faked, then ultimately we need to be able to track data provenance back to the sensor that produced it or the source that produced it. And so this concept of leveraging things like TPMs and hardware enclaves to do this attestation at a high level, like what we do with identity, I think it's here to stay.
Jasson Casey:
And I think it's actually going to go up the food chain. And I think it's going to go so far as the sensors that produce data or the humans and machines that produce the data are going to have to essentially watermark it right in this, in this way that you can actually attribute back to hardware and just to stave off, hey, watermarking. I can always strip something off of watermarking. Yeah, that's true. But let's remember what the problem is. The problem isn't, can someone strip something out? The problem is, can they attach it? Right. And they can't just insert the watermark if the watermark is based on a hardware root of trust.
Jonathan Knepher:
So you also mentioned like the faking of legal documents. Right. And we've seen too, there's a lot of push now for authentication via all sorts of things to get access to various things on the Internet, and the privacy concerns around that. Like, how do you reconcile what you're talking about to have strong authentication and attestation, but yet protect privacy elements of people in their lives?
Jasson Casey:
Yeah, no, it's a double-edged sword. Right. Let's talk about Tor.
Josh Johansen:
Right.
Jasson Casey:
Tor is a, it can be the boogeyman of certain conversations. Right. Tor is just used for the nefarious. But all right, well, let's remind ourselves who funded the original development of Tor. It was the United States Navy and the State Department. And why did they do that? Well, like one of their thoughts was this could really help the people in Iran. This can give them a way to actually get access to real information and not just what's being piped into them from the regime in charge. Privacy and security are always two sides of the same coin, and there's always a coin flip.
Jasson Casey:
There are technical solutions where, if you have trusted intermediaries, you don't necessarily have to reveal yourself, but you can still carry entitlements and authorizations to be able to kind of do certain things. But there are still technical means of revealing privacy in the future. So, for instance, you've all heard about store and decrypt later, right? Quantum is going to break all encryption, and so the bad guy is going to record everything now. And once quantum shows up, read the secrets. Right. Privacy has a similar sort of problem set up. Right. So if you think about, like, think about Bitcoin, right? Technically, my Bitcoin wallet, ID, or address is anonymous.
Jasson Casey:
Well, it is, and until it isn't. And once I can actually associate you with a transaction, I can kind of unravel your entire history. So it's. Look, I'm not going to give you an easy answer to the privacy discussion. I think it's, I think it's a tricky answer. I think it's super nuanced. And I think part of the solutions to these problems are actually not technical. I think they're societal.
Jasson Casey:
Right. Ultimately, there must be a consequence for breaking society's rules. Like you should probably go to jail for certain things. You should probably not be able to come back for a while for certain things. Society has to actually enforce those rules. Every now and then, we get into these conversations around how do I prevent my employees from doing this and how do I prevent my employees from doing that? And it's like, look, we can work on all these problems. You're well past diminishing returns. It's pretty easy for you to have a tamper-evident log of everything that's happening. And if someone breaks the rules, you're eventually going to find out, and you can eventually figure out all the history.
Jasson Casey:
And at some point, you just have to realize that like your deterrence against this is this big stick called you're going to go to jail.
[18:39] Social Media Exposure and Trust
Rachael Lyon:
So coming back to this idea, I'm always interested in the societal elements, particularly when, you know, we have so many people embracing social media and just sharing their lives on social media. And in that realm, I mean, you know, Jasson, you're out there, you're doing podcasts, you're doing interviews. Josh, same thing, you're doing interviews, you're out there, you know, it's part of the job. And so is this making these impersonation attempts easier for the attackers? Is there something that we need to start thinking about right as brands, as businesses, right as we wanna reach out to our audiences? So what do we do? Because it seems like we're just giving them more audio input, more video input of our person, so that they could facilitate an attack more efficiently.
Jasson Casey:
If you've put more than 10 seconds of audio of yourself on anything that's public, you are cloneable. I don't know what the stats are in video, but it's just be prepared to be astounded that it's a lot less than you think it would be. If you've ever written, what are the writings? It doesn't take much of a writing sample, either, to kind of understand your writing style. The horse is out of the barn on this one. What you can do, what your companies can do, what brands need to do at the end of the day is that the idea already exists. It's been horribly, horribly implemented and executed by the companies that have existed. It.
Jasson Casey:
But let's talk about the blue check mark. Like, there is something to the idea. Even if the implementation is false, people need to stand behind what they're producing in a way that attributes back to them. That's the only answer that I really can kind of see and understand. Not for all communication, but for managing your brand, for managing your company, for managing your image. If you're a company, a product, or a public figure, you need to speak and communicate through attested channels.
Rachael Lyon:
Yeah, I feel like the ship has kind of sailed in a lot of ways and everybody's information's already out there, so it just becomes a way of life. I mean, is that really where we're at? I mean, it's now you have to literally question everything in your personal life, in your professional life. It's a lot of work, Jasson.
Jasson Casey:
There's probably a policy angle to this as well. I don't think we're currently living through the times that's willing to do that, but there's probably a policy angle of like, what's the big stick here? Right. While people need to protect themselves, there should be some expectation over time that reputational damage by a bad actor or an adversary needs to be punishable by a way that is an effective deterrent.
Rachael Lyon:
Absolutely. Agreed. Coming back to hospitality, Josh, when we were talking earlier, there's so many different entities involved in the hospitality world, and so managing security, and we talk about supply chain attacks, third-party attacks. I mean, how do you manage through that in the hospitality world? Particularly when if we're talking about impersonation, right. You can have people come in, I'm the CEO, and they're talking to maybe someone who's a little more junior, and they take action because it's time-bound and all these other things. How are you guys managing through that?
Josh Johansen:
Yeah, so we like as a branded partner, we work with the major brands, Hilton, Marriott, IHG, Hyatt, and so each brand gives us variable degrees of what we can do on our side versus what we do on the brand side. And so any opportunity we have where we can do everything on our side, we'll take it. Like if we can have that reception, welcome desk workstations managed by us, we'll do that because we know that we have the most up-to-date data of who works for us and when they start and quit. If you're relying on a brand managed platform, we're relying on that general manager, once they've been employed and brought into our domain, where we've given them their Beyond Identity passkey and their email address and everything else on our side we're relying on, if it's a brand managed desk, then we're relying on that general manager to submit those forms to create those employees to use the reception desk. And when it comes to the end of it, at the end of the day, if you're a busy GM and you're taking care of everything, you're usually there in charge of 100 to 120 room hotel. They've got various departments, they've got housekeeping, and they've got food and beverage, they have the sales department, and they have the reception folks. And then they're still trying to make sure they're Bill is a good process for us so we can keep them operating and all that stuff. The last thing you're probably is on your list is probably removing those old people just because it takes time.
Josh Johansen:
I gotta log into the system, gotta pull them up, gotta remove them, make sure that they processed. So when we're able to shift that over to our side, we can integrate things much more tightly so that when somebody's hired within an hour, we've got their account created. And then our goal is like, hey, the first step of your. When the employee starts, first thing that they do is they're going to log into Beyond Identity's portal, download that passkey, bind it to that device, and rinse and repeat for any computers that they're going to work on. And then we assign the license from there, and then they can continue to go. And then we know that as soon as they leave, we can tear down that license, revoke that passkey, and we've moved on. Versus the other model of relying on a GM to go into a portal, create the account, make sure, you know, they've got access, they've created their password, they've added their MFA tool, whatever it is that the brand requires, because every brand has a different one, you know, and then they go and then suddenly they leave in a week, well, oh, I forgot to terminate them. They've actually, they show up in my hotel for the next four months, you know, and we don't want that to be able to.
Josh Johansen:
A lot of the brands put like limits, you know, like every 90 days or whatever, to change the password. But it's still an opportunity of a time where that stays open. So that's why we try and do that directly. But then on the flip side, there are smaller organizations where they maybe only own one hotel, and maybe they run it themselves, and they don't have the bandwidth to have that. So hopefully, I think there's a trend to engage with MSPs to help them with that. But a lot of them don't see that as a valuable expense because it's still, hey, we never had to pay for this before, why should we add that? And the brand going to get us. Yeah, exactly.
Rachael Lyon:
Target us. Yeah, exactly.
Josh Johansen:
And then, okay, we're just going to use what the brand provides, you know, and hopefully then that they're a little bit more diligent in keeping up with that. But as we add more and more systems into hospitality and we're asking people to put passwords into all of this, that just creates another area where it can, you know, another failure point or another breach point. My biggest concern is employees that leave. I mean, hopefully we've got, you know, fairly good folks, but still, when you leave, you don't want to leave all those holes open. And with the traditional model is, hey, you sign into, you know, Kipsu for messaging, and this is your username and password. And you sign into the PMS and here's your username and password, and this is your Windows login username and password. And I can guarantee you that these employees, again, we're hiring, you know, great, warm, easygoing folks that are like, they love taking care of people. They probably are reusing the same password everywhere.
Josh Johansen:
So they've got these bad password habits. That's why I've been on a mission to. I'm so passionate about removing the password for hospitality folks, because not only does it make their life so much easier, but I've had so many comments of people. We recently opened a hotel in the GM called Automagical. He's like, this is amazing. You know, on our side, all he had to do was type in his PIN code, and he was logged into everything. Every time he would click, like, oh, I need our purchasing platform. And then he'd see that Beyond Identity verification come up, and he's in no passwords.
Josh Johansen:
He's able to do all of our systems. And then he's like, hey, can you put this on my brand account, too, so I can just log in with that and, sorry, that separate. Separate entity. Separate controller. You're going to have to use Duo for your push, and you'll have to use them Microsoft Authenticator, and you'll have to add your password. And yes, you have to change every 90 days because that's the rule. So we love the fact that, at least on our side, we're doing whatever we can to control that. And I'm hopeful that we'll get the brands to take notice and realize the fatigue that comes with a password and using an MFA device.
Rachael Lyon:
And I hate to do this, everyone, but we're going to pause today's discussion right here and pick back up next week. Thanks for joining us this week, and as always, don't forget to smash that subscription button. And we'll see you next week. Till next time, stay safe.
About Our Guests

Jasson Casey, CEO, Beyond Identity
Jasson Casey is the CEO and co-founder of Beyond Identity, where the focus is on eliminating passwords and establishing secure, device-bound identity as the foundation of modern authentication. He previously served as the company’s chief technology officer, bringing hands-on engineering leadership to the development and scaling of identity security platforms built for today’s threat landscape.
Beyond his industry work, Jasson contributes to cybersecurity policy and research as a visiting fellow at the National Security Institute at George Mason University’s Antonin Scalia Law School and as an Advanced Cyber Studies fellow at the Center for Strategic and International Studies (CSIS). His work sits at the intersection of identity, trust and emerging technologies, with a focus on how organizations can adapt as AI-driven threats accelerate.

Josh Johansen, Head of IT, Brandt Hospitality Group
Josh Johansen is the Director of IT at Brandt Hospitality Group, where he leads technology strategy and day-to-day IT operations across a portfolio of hotels in the United States. His work centers on building secure, low-friction systems that support frontline hotel teams while protecting guest data, financial systems and brand operations.
Josh brings a practitioner’s perspective to cybersecurity in hospitality, with deep experience in identity and access management, phishing defense and employee lifecycle controls in high-turnover environments. He focuses on reducing risk by eliminating passwords, streamlining onboarding and offboarding and aligning security controls with the realities of hotel operations.