She Can Hack Your Bank Account With the Power of Her Voice 🎙 Darknet Diaries Ep. 144: Rachel
TLDR
In this episode of Darknet Diaries, Jack Rhysider interviews ethical hacker Rachel Tobac, who shares her journey into the world of social engineering. Rachel details her experiences in hacking through phone calls, the intricacies of voice cloning, and her live hack on 60 Minutes, where she successfully tricked a correspondent's colleague into revealing sensitive information. She also discusses the challenges of conducting security tests without raising suspicion and the importance of consent in ethical hacking. Rachel's story highlights the power of human manipulation and the potential vulnerabilities in our digital era.
Takeaways
- 📈 The story begins with Jack sharing an experience of being scammed by a caller who claimed to have a stock market prediction algorithm.
- 🎓 Rachel Tobac's origin story in social engineering started from watching the movie Harriet the Spy, which inspired her interest in espionage.
- 🚫 Rachel faced discouragement from her guidance counselor in pursuing coding classes, leading her to a career in neuroscience and behavioral psychology instead.
- 🎭 Rachel's husband introduced her to the world of hacking and social engineering by inviting her to Defcon, a hacker conference in Las Vegas.
- 🥇 Rachel's first experience in social engineering was at Defcon's social engineering contest, where she surprisingly won second place.
- 💡 Rachel's success at Defcon led to her career in social engineering, founding SocialProof Security, a company specializing in penetration testing and security awareness training.
- 🏦 Rachel's method of hacking involved posing as a customer, spoofing phone numbers, and manipulating customer support agents to gain unauthorized access to accounts.
- 🔄 By posing as a job applicant at a tech company, Rachel drew out internal information about upcoming mergers and acquisitions through indirect questioning and the interviewers' own subtle hints.
- 📺 Rachel's appearance on 60 Minutes involved a live demonstration of voice cloning and spoofing, successfully tricking a coworker into revealing sensitive information.
- 🔐 The increasing sophistication of AI tools, like voice cloning, raises concerns about the authenticity of communication and the need for new security measures.
- 🚀 The rapid advancement of technology and AI presents both exciting opportunities and significant challenges for the future of security and privacy.
Q & A
What was the scammer's initial approach to Jack when he first called him?
- The scammer claimed to have information about a stock that was going to increase in value and wanted to share this information with Jack, whom he found in the phone book.
How did the scammer manage to predict the stock prices correctly for three consecutive weeks?
- The scammer split his contacts into two groups, telling one group the stock would go up and the other that it would go down. Each week he kept only the group he had been right for and split it again, so that a shrinking set of people had seen him be correct every time.
What was the scammer's ultimate goal when he claimed to have cracked the stock market code?
- The scammer's ultimate goal was to convince Jack to invest a large sum of money in a company that was supposedly about to explode in value, as part of an initial investor round.
What was Rachel's initial interest that led her to the path of social engineering?
- Rachel's initial interest was sparked by watching the movie 'Harriet the Spy', which made her realize that being a spy or a hacker was a viable job option for women.
What advice did Rachel's guidance counselor give her that influenced her early career choices?
- Rachel's guidance counselor advised her against taking coding classes because they were dominated by boys, and instead suggested she take home economics classes.
How did Rachel's husband introduce her to the world of cybersecurity?
- Rachel's husband told her about the Social Engineering Village at Defcon, where they demonstrated social engineering techniques like eliciting information over the phone.
What was the result of Rachel's first participation in the social engineering contest at Defcon?
- Rachel placed second in the contest, despite having no prior experience in coding or hacking.
What led to the creation of Rachel's company, SocialProof Security?
- After consistently placing second in the Defcon social engineering contest, Rachel was approached by companies wanting to know more about hacking and how to prevent it, which led her to start her own company.
How did Rachel use voice cloning and phone spoofing to trick Elizabeth into revealing Sharyn's passport number?
- Rachel used a voice-cloning tool to replicate Sharyn's voice from audio samples and a phone spoofing tool to make her call appear as if it was coming from Sharyn's number. She then asked Elizabeth for the passport number over the phone.
What is the main challenge that companies face with the increasing sophistication of AI-based scams?
- The main challenge is verifying the authenticity of communications, as AI can convincingly mimic voices and videos, making it difficult to distinguish between genuine and fake messages or calls.
Outlines
📞 The College Scam Call
Jack shares a personal story about receiving a scam call during college. The caller, claiming to have a stock prediction algorithm, correctly predicts a stock's rise. Intrigued, Jack learns from a stockbroker that the scammer was dividing his victims into smaller groups, ensuring he appeared accurate to a select few. The story highlights the cunning nature of scammers and their manipulative tactics.
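The scammer's narrowing trick as an added Python simulation (not from the episode or any of its participants): a forecaster with zero skill, modelled here against constructed targets and a coin-flip market, still ends up with a pool of people who have each seen a perfect record, while his real accuracy stays at 50%.

```python
"""Model of the 'split the list in half' stock-tip scam.

Added illustration with constructed data: the market move each week is a
fair coin flip the scammer cannot know, yet survivors see only correct calls.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Target:
    ident: int
    # Every (predicted, actual) pair this person was ever told.
    predictions_seen: list = field(default_factory=list)


def run_rounds(targets, weeks, rng):
    """Each week, tell one half 'up' and the other half 'down', then keep
    only the half that happened to match the real move."""
    active = list(targets)
    for _ in range(weeks):
        actual = rng.choice(("up", "down"))  # genuinely unknown to the scammer
        half = len(active) // 2
        survivors = []
        for i, t in enumerate(active):
            predicted = "up" if i < half else "down"
            t.predictions_seen.append((predicted, actual))
            if predicted == actual:
                survivors.append(t)
        active = survivors
    return active


def expected_survivors(n, weeks):
    """With exact halving, n / 2**weeks people are left with a perfect record."""
    return n // (2 ** weeks)


def simulate(n=1024, weeks=3, seed=7):
    """Run the scam against n constructed targets; returns (all_targets, survivors)."""
    rng = random.Random(seed)
    targets = [Target(i) for i in range(n)]
    survivors = run_rounds(targets, weeks, rng)
    return targets, survivors


def overall_hit_rate(targets):
    """Fraction of every prediction ever issued that was correct: the scammer's
    true accuracy, which no individual survivor is in a position to see."""
    issued = sum(len(t.predictions_seen) for t in targets)
    correct = sum(p == a for t in targets for p, a in t.predictions_seen)
    return correct / issued
```

The defender's takeaway is the gap between `overall_hit_rate` (always 50%) and what any survivor observed (100%): a track record shown to you alone is not evidence of skill.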
🎓 From Childhood Spy to Social Engineer
Rachel Tobac recounts her journey into the world of social engineering. Inspired by the movie 'Harriet the Spy', she initially faced discouragement from her guidance counselor when expressing interest in coding classes. With a background in neuroscience and behavioral psychology rather than coding, Rachel worked her way into tech, eventually leading a UX research team at a tech company. Her career took a significant turn after attending Defcon at her husband's encouragement, where she discovered her talent for social engineering.
🏆 Defcon Competition and the Birth of a Social Engineer
Rachel details her experience at Defcon's social engineering contest, where she excelled despite her initial reluctance. She describes the competition's format, where contestants must extract information from companies through phone calls without arousing suspicion. Rachel's success in the contest, placing second three years in a row, led to the start of her career in social engineering and the establishment of her company, SocialProof Security.
🏦 Hacking Banks with a Phone Call
Rachel explains her role in penetration testing a bank's security by attempting to take over customer accounts through phone calls, emails, or chat. She describes the process of trying to change account details to gain control and the challenges faced when the bank adheres to strict protocols. Despite her efforts, the bank's security measures prove resilient, prompting Rachel to switch tactics and utilize phone number spoofing to trick the support team.
📞 The Art of Social Engineering
Rachel discusses her approach to social engineering, focusing on the human element of hacking. She emphasizes the power of persuasion and manipulation through simple phone calls. Rachel also highlights the vulnerability of customer support and the importance of training and protocols to prevent exploitation. Her experiences demonstrate the need for a balance between security and empathy in customer interactions.
🤝 The Inside Story of a Social Engineering Engagement
Rachel recounts a case where she was hired by a tech company to investigate leaks about mergers and acquisitions. She describes her strategies, including posing as a journalist and applying for a product manager role to extract information. Despite initial setbacks, Rachel's meticulous preparation and research eventually led to success, revealing the company's internal communication issues and providing solutions to prevent future leaks.
🎥 Live Hacking on 60 Minutes
Rachel shares her experience of performing a live hack on 60 Minutes, where she aimed to trick a correspondent's coworker using AI and voice cloning. She explains the process of obtaining consent, the challenges of executing the hack without alerting the target, and the importance of making the interaction appear natural. The successful demonstration underscores the potential risks of AI in the wrong hands and the need for increased awareness and security measures.
🚀 The Future of Security and AI
Jack and Daniel Miessler discuss the implications of AI advancements in security, particularly the challenges posed by deepfakes. They explore the need for establishing trust and authenticity in digital communications, suggesting the potential for cryptographic signing as a solution. The conversation highlights the rapid evolution of technology and the importance of adapting security measures to keep pace with new threats.
Keywords
💡Social Engineering
💡Stock Market Scams
💡Algorithm
💡Spoofing
💡Open-Source Intelligence (OSINT)
💡Ethical Hacking
💡Voice Cloning
💡Data Brokers
💡Deepfakes
💡Security Awareness Training
Highlights
The story begins with Jack sharing an experience of receiving a call from a scammer who accurately predicted a stock's rise.
The scammer uses a technique of calling a large number of people, telling half the stock will rise and the other half it will fall, and narrowing down to those he gets right.
Jack meets with a stockbroker who explains the scammer's method and how he's playing a math game with his victims.
Rachel Tobac shares her origin story of becoming interested in hacking after watching the movie Harriet the Spy.
Despite her guidance counselor's discouragement, Rachel never pursued coding but instead got a degree in neuroscience and behavioral psychology.
Rachel's journey into the tech world was unconventional, starting as a community manager and leading a UX research team, without any coding experience.
Rachel's husband introduces her to Defcon, a hacker conference, where she discovers the world of social engineering.
Rachel competes in the social engineering contest at Defcon, where contestants have to trick people into giving out information over the phone.
Rachel's success in the contest, placing second three years in a row, leads to the start of her career in social engineering.
Rachel establishes her company, SocialProof Security, offering social engineering services to test companies' vulnerabilities.
As a social engineer, Rachel conducts penetration tests on a bank, using a spoofed phone call to trick customer support into giving her access to accounts.
Rachel explains the process of spoofing phone numbers, a technique that is surprisingly still possible and legal in the US.
Through voice cloning and number spoofing, Rachel tricks a 60 Minutes correspondent's coworker into revealing personal information live on air.
The interview with Daniel Miessler discusses the implications of AI and deepfakes on security, suggesting the need for cryptographic keys to establish trust.
The episode ends with a discussion on the exciting future of technology and the human race, as we stand on the brink of a new era.