Rachel Tobac
Podcast Appearances
Didn't realize it was possible for people like me. And now I do this for a living.
So a bank hired me to penetration test them. Effectively, they hired me to hack them. And they told me that I could hack via phone call, email, or chat. And my job was to take over multiple accounts and steal access, effectively steal the money out of the accounts.
Yes. And when we do a penetration test, it's very particular. I don't want to steal money from everyday people. That would be horrible and really scary for bank customers to just randomly have money stolen because of a pen test. So what we do is we create fake bank accounts. We work with the team on the back end so that the support organization, for all intents and purposes, sees a real customer.
But we've created fake bank accounts for me to steal so I don't actually harm real people. But the support team doesn't know they're fake.
That's right. So I started with the chat feature. And I posed as a customer to see if I could take over a customer account with just chatting. So I told the bank support people my sob story. I lost access to my phone, my email, my laptop. I got lost and I had a night out and I'm traveling abroad. I mean, like the whole story, right?
And I really need access to my bank account because I'm stuck and I don't have money. And the first thing that I usually try when I'm trying to do an account takeover is I try to see if I can get them to change the email address or the phone number on the account. Because if I can do that, then I can change effectively the admin on the account.
Just by changing the email address, I can then reset the password or reset to a phone number that I control. There's SIM swapping and all of that that could happen after that. But, you know, that's basically how it works. And they're like, oh, well, we can't do that because we need to only send the password reset to the email address already on your account.
That's exactly right. So good job, bank. Horrible for me as the pen tester. A lot of times I have to play both sides of this game. I have to train the company and update their protocols to prevent people like me from getting in. But when I'm first attacking them, it's so frustrating. So I try chatting with multiple other support people. I'm trying again and again.
They will not make any exceptions for me. It doesn't matter my pretext. That's who I'm pretending to be. It doesn't matter how I contact them, what I say, my story, nothing. So I decide to switch to phone call-based attacking because I tend to be much more successful. So I switched to phone calls. It leaves less of a paper trail. People tend to get less suspicious because I can build rapport.
They can hear my voice. They can hear how trustworthy I sound. And also when I'm calling, I can spoof phone numbers. And a lot of times that helps me gain access.