She Can Hack Your Bank Account With the Power of Her Voice 🎙 Darknet Diaries Ep. 144: Rachel

Darknet Diaries
4 Apr 2024, 62:32

TLDR: In this episode of Darknet Diaries, Jack Rhysider interviews ethical hacker Rachel Tobac, who shares her journey into the world of social engineering. Rachel details her experiences in hacking through phone calls, the intricacies of voice cloning, and her live hack on 60 Minutes, where she successfully tricked a correspondent's colleague into revealing sensitive information. She also discusses the challenges of conducting security tests without raising suspicion and the importance of consent in ethical hacking. Rachel's story highlights the power of human manipulation and the potential vulnerabilities in our digital era.

Takeaways

  • 📈 The story begins with Jack sharing an experience of being scammed by a caller who claimed to have a stock market prediction algorithm.
  • 🎓 Rachel Tobac's origin story in social engineering started from watching the movie Harriet the Spy, which inspired her interest in espionage.
  • 🚫 Rachel faced discouragement from her guidance counselor in pursuing coding classes, leading her to a career in neuroscience and behavioral psychology instead.
  • 🎭 Rachel's husband introduced her to the world of hacking and social engineering by inviting her to Defcon, a hacker conference in Las Vegas.
  • 🥇 Rachel's first experience in social engineering was at Defcon's social engineering contest, where she surprisingly won second place.
  • 💡 Rachel's success at Defcon led to her career in social engineering, founding SocialProof Security, a company specializing in penetration testing and security awareness training.
  • 🏦 Rachel's method of hacking involved posing as a customer, spoofing phone numbers, and manipulating customer support agents to gain unauthorized access to accounts.
  • 🔄 Posing as a job candidate at a tech company, Rachel drew out internal information about upcoming mergers and acquisitions during the interview process through indirect questioning and subtle hints.
  • 📺 Rachel's appearance on 60 Minutes involved a live demonstration of voice cloning and spoofing, successfully tricking a coworker into revealing sensitive information.
  • 🔐 The increasing sophistication of AI tools, like voice cloning, raises concerns about the authenticity of communication and the need for new security measures.
  • 🚀 The rapid advancement of technology and AI presents both exciting opportunities and significant challenges for the future of security and privacy.

Q & A

  • What was the scammer's initial approach to Jack when he first called him?

    -The scammer claimed to have information about a stock that was going to increase in value and wanted to share this information with Jack, whom he found in the phone book.

  • How did the scammer manage to predict the stock prices correctly for three consecutive weeks?

    -The scammer used a method of dividing his contacts into groups based on whether he told them the stock would go up or down. He then repeated this process, narrowing down to a group of people to whom he appeared to be correct every time.

  • What was the scammer's ultimate goal when he claimed to have cracked the stock market code?

    -The scammer's ultimate goal was to convince Jack to invest a large sum of money in a company that was supposedly about to explode in value, as part of an initial investor round.

  • What was Rachel's initial interest that led her to the path of social engineering?

    -Rachel's initial interest was sparked by watching the movie 'Harriet the Spy', which made her realize that being a spy or a hacker was a viable job option for women.

  • What advice did Rachel's guidance counselor give her that influenced her early career choices?

    -Rachel's guidance counselor advised her against taking coding classes because they were dominated by boys, and instead suggested she take home economics classes.

  • How did Rachel's husband introduce her to the world of cybersecurity?

    -Rachel's husband told her about the Social Engineering Village at Defcon, where they demonstrated social engineering techniques like eliciting information over the phone.

  • What was the result of Rachel's first participation in the social engineering contest at Defcon?

    -Rachel placed second in the contest, despite having no prior experience in coding or hacking.

  • What led to the creation of Rachel's company, SocialProof Security?

    -After consistently placing second in the Defcon social engineering contest, Rachel was approached by companies wanting to know more about hacking and how to prevent it, which led her to start her own company.

  • How did Rachel use voice cloning and phone spoofing to trick Elizabeth into revealing Sharyn's passport number?

    -Rachel used a voice-cloning tool to replicate Sharyn's voice from audio samples and a phone spoofing tool to make her call appear as if it was coming from Sharyn's number. She then asked Elizabeth for the passport number over the phone.

  • What is the main challenge that companies face with the increasing sophistication of AI-based scams?

    -The main challenge is verifying the authenticity of communications, as AI can convincingly mimic voices and videos, making it difficult to distinguish between genuine and fake messages or calls.

Outlines

00:00

📞 The College Scam Call

Jack shares a personal story about receiving a scam call during college. The caller, claiming to have a stock prediction algorithm, correctly predicts a stock's rise. Intrigued, Jack learns from a stockbroker that the scammer was dividing his victims into smaller groups, ensuring he appeared accurate to a select few. The story highlights the cunning nature of scammers and their manipulative tactics.
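As an added example (not part of the episode or this page), the following Python simulation models the split-and-narrow bookkeeping the stockbroker describes, assuming a constructed pool of 800 contacts and a seeded random market. It shows why a run of correct predictions from a cold caller is no evidence of skill: the survivors see 100% accuracy, while the caller's hit rate over every prediction actually made is exactly 50%.

```python
import random


def run_prediction_scam(contacts, weeks, seed=0):
    """Simulate the split-and-narrow trick behind the 'stock algorithm' call.

    Each week the caller takes everyone who has so far heard only correct
    calls, tells one half the stock will go UP and the other half DOWN, then
    waits for the real move. Whoever heard the wrong direction is dropped;
    everyone else has just received another "correct" prediction.

    Returns (survivors, history); each history row is
    (week, told_up, told_down, actual_move, still_convinced).
    """
    rng = random.Random(seed)  # stands in for the market, which the caller cannot predict
    alive = list(contacts)
    history = []
    for week in range(1, weeks + 1):
        rng.shuffle(alive)
        half = len(alive) // 2
        told_up, told_down = alive[:half], alive[half:]
        actual = rng.choice(["UP", "DOWN"])
        alive = told_up if actual == "UP" else told_down
        history.append((week, len(told_up), len(told_down), actual, len(alive)))
    return alive, history


def overall_hit_rate(history):
    """Fraction of ALL predictions made that came true (correct calls / total calls)."""
    correct = sum(row[4] for row in history)
    total = sum(row[1] + row[2] for row in history)
    return correct / total


def contacts_needed(target_marks, weeks):
    """Cold calls required so that target_marks people each witness `weeks`
    consecutive correct predictions, assuming exact halving every week."""
    return target_marks * 2 ** weeks


if __name__ == "__main__":
    # Constructed scenario: 800 cold calls, three weekly "predictions".
    survivors, history = run_prediction_scam(range(800), weeks=3, seed=7)
    for week, up, down, actual, left in history:
        print(f"week {week}: told UP={up} DOWN={down} actual={actual} still convinced={left}")
    print(f"{len(survivors)} people saw 3/3 correct; caller's true hit rate: {overall_hit_rate(history):.0%}")
    print(f"calls needed for 100 convinced marks after 3 weeks: {contacts_needed(100, 3)}")
```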

05:02

🎓 From Childhood Spy to Social Engineer

Rachel Tobac recounts her journey into the world of social engineering. Inspired by the movie 'Harriet the Spy', she initially faced discouragement from her guidance counselor when expressing interest in coding classes. Despite her background in neuroscience and behavioral psychology, Rachel's path led her to infosec and hacking, eventually leading a UX research team in a tech company. Her career took a significant turn after attending Defcon with her husband's encouragement, where she discovered her talent for social engineering.

10:03

🏆 Defcon Competition and the Birth of a Social Engineer

Rachel details her experience at Defcon's social engineering contest, where she excelled despite her initial reluctance. She describes the competition's format, where contestants must extract information from companies through phone calls without arousing suspicion. Rachel's success in the contest, placing second three years in a row, led to the start of her career in social engineering and the establishment of her company, SocialProof Security.

15:07

🏦 Hacking Banks with a Phone Call

Rachel explains her role in penetration testing a bank's security by attempting to take over customer accounts through phone calls, emails, or chat. She describes the process of trying to change account details to gain control and the challenges faced when the bank adheres to strict protocols. Despite her efforts, the bank's security measures prove resilient, prompting Rachel to switch tactics and utilize phone number spoofing to trick the support team.

20:12

📞 The Art of Social Engineering

Rachel discusses her approach to social engineering, focusing on the human element of hacking. She emphasizes the power of persuasion and manipulation through simple phone calls. Rachel also highlights the vulnerability of customer support and the importance of training and protocols to prevent exploitation. Her experiences demonstrate the need for a balance between security and empathy in customer interactions.

25:12

🤝 The Inside Story of a Social Engineering Engagement

Rachel recounts a case where she was hired by a tech company to investigate leaks about mergers and acquisitions. She describes her strategies, including posing as a journalist and applying for a product manager role to extract information. Despite initial setbacks, Rachel's meticulous preparation and research eventually lead to success, revealing the company's internal communication issues and providing solutions to prevent future leaks.

30:15

🎥 Live Hacking on 60 Minutes

Rachel shares her experience of performing a live hack on 60 Minutes, where she aimed to trick a correspondent's coworker using AI and voice cloning. She explains the process of obtaining consent, the challenges of executing the hack without alerting the target, and the importance of making the interaction appear natural. The successful demonstration underscores the potential risks of AI in the wrong hands and the need for increased awareness and security measures.

35:19

🚀 The Future of Security and AI

Jack and Daniel Miessler discuss the implications of AI advancements in security, particularly the challenges posed by deepfakes. They explore the need for establishing trust and authenticity in digital communications, suggesting the potential for cryptographic signing as a solution. The conversation highlights the rapid evolution of technology and the importance of adapting security measures to keep pace with new threats.

Keywords

💡Social Engineering

Social engineering is a technique used by individuals to manipulate people into divulging sensitive information or performing actions that may compromise security. In the context of the video, it is the primary method used by the scammer to trick people and by Rachel Tobac to demonstrate potential vulnerabilities. The scammer uses it to extract information about stocks, while Rachel uses it to expose security weaknesses in companies.

💡Stock Market Scams

Stock market scams are fraudulent schemes where individuals attempt to profit by deception through the use of stock market investments. In the video, the scammer uses a form of stock market scam by predicting which stocks will rise and sharing this information with unsuspecting victims, creating trust and eventually attempting to lure them into investing in a fake opportunity.

💡Algorithm

An algorithm is a set of rules or instructions for solving problems or accomplishing tasks, often in computer programming. In the video, the scammer claims to have an algorithm that can predict stock market trends accurately, which is later revealed to be a ruse to manipulate victims.

💡Spoofing

Spoofing is the act of falsifying information to appear as something or someone else, often with the intent to deceive. In the context of the video, spoofing is used to impersonate someone else's phone number or email address, which is a key technique in social engineering attacks.

💡Open-Source Intelligence (OSINT)

Open-Source Intelligence (OSINT) refers to the collection and analysis of publicly available information to gather intelligence. This can include data found on social media, public records, and other online sources. In the video, OSINT is used by social engineers to gather information about their targets, which can then be used to craft convincing scams or penetration tests.

💡Ethical Hacking

Ethical hacking, also known as penetration testing, is the practice of testing a computer system, network, or web application to find vulnerabilities that an attacker could exploit. Ethical hackers use the same methods and techniques as malicious hackers, but with permission and for the purpose of improving security. In the video, Rachel Tobac is an ethical hacker who uses her skills to help companies identify and fix security weaknesses.

💡Voice Cloning

Voice cloning is a technology that enables the replication of a person's voice based on existing audio samples. Using artificial intelligence, it can generate speech in the target's voice, often used for deceptive purposes as seen in scams or for educational demonstrations on security. In the video, voice cloning is used to imitate Sharyn's voice in a phone call to trick Elizabeth into revealing information.

💡Data Brokers

Data brokers are companies or individuals that collect and sell personal information about individuals, often without their knowledge or consent. This information can include contact details, financial data, and other sensitive information. In the video, data brokers are mentioned as a source of the personal information that social engineers can exploit.

💡Deepfakes

Deepfakes are synthetic media in which a person's likeness — their face and voice — is replaced with someone else's using artificial intelligence. This technology can create highly convincing fake audio or video content, often used to deceive or manipulate. In the video, the concept of deepfakes is discussed in the context of how they can be used to trick people into believing they are interacting with someone else.

💡Security Awareness Training

Security awareness training is educational programming designed to teach people about the risks and best practices associated with internet, mobile, and general data security. In the video, Rachel Tobac not only performs ethical hacking but also conducts security awareness training, indicating her role in educating others on how to protect themselves from scams and other security threats.

Highlights

The story begins with Jack sharing an experience of receiving a call from a scammer who accurately predicted a stock's rise.

The scammer uses a technique of calling a large number of people, telling half the stock will rise and the other half it will fall, and narrowing down to those he gets right.

Jack meets with a stock broker who explains the scammer's method and how he's playing a math game with his victims.

Rachel Tobac shares her origin story of becoming interested in hacking after watching the movie Harriet the Spy.

After her guidance counselor's discouragement, Rachel never pursued coding and instead earned a degree in neuroscience and behavioral psychology.

Rachel's journey into the tech world was unconventional, starting as a community manager and leading a UX research team, without any coding experience.

Rachel's husband introduces her to Defcon, a hacker conference, where she discovers the world of social engineering.

Rachel competes in the social engineering contest at Defcon, where contestants have to trick people into giving out information over the phone.

Rachel's success in the contest, placing second three years in a row, leads to the start of her career in social engineering.

Rachel establishes her company, SocialProof Security, offering social engineering services to test companies' vulnerabilities.

As a social engineer, Rachel conducts penetration testing on a bank, using a spoofed phone call to trick customer support into giving her access to accounts.

Rachel explains the process of spoofing phone numbers, a technique that is surprisingly still possible and legal in the US.

Through voice cloning and number spoofing, Rachel tricks a 60 Minutes correspondent's coworker into revealing personal information live on air.

The interview with Daniel Miessler discusses the implications of AI and deepfakes on security, suggesting the need for cryptographic keys to establish trust.

The episode ends with a discussion on the exciting future of technology and the human race, as we stand on the brink of a new era.