Rachel Tobac
Podcast Appearances
Yeah, it's kind of wild. In the U.S., right now it's still possible because all of the telcos have to make the same decisions at the same time. And unless all of the companies get together and make the same choices, it's going to be really hard to implement the right solution. So at least in the U.S., spoofing is still really possible for me.
I spoof my phone number. I make it look like Kelly on the account. And by the way, on data brokerage sites, when we're doing OSINT, open source intelligence, typically we can find most people's phone numbers within a minute or two. So when we're searching, we can just know, okay, this is Kelly. This is Kelly's phone number. I'm going to go ahead and spoof that. I set that up.
It usually costs me a dollar or so on the tools that are available on the app store. These are not like heavily regulated. You can just find them on the app store. And I go ahead and I place that call.
Okay. Okay. Give me one second. I got to get into character. I'm going to change my clothes so I can get into character. Here we go. Okay. Here we go. Ring, ring, ring. Oh, wait. We both said ring. Okay.
Hi, I am so sorry. My name is Kelly Smith. So I'm traveling right now and I just lost my laptop. My phone's not working. I cannot get access to any of my funds. I'm super stressed out. Can you please, please help me?
No. So this bank knew that KBA, knowledge-based authentication, things like what's your address? What's the last four digits of your phone number? This bank knows that that information is very easily found online. So they don't use KBA, knowledge-based authentication, to verify your identity. They usually use MFA, multi-factor authentication. Now, this is great. This is exactly what I recommend.
You know, send a code to the email address on file and make them read it out to you rather than going through this process of verifying identity with information that can be found by an attacker in five minutes online. So that's good. But as an attacker, that's going to be a challenge because I don't have access to that email address.
And when I'm spoofing a phone number, I actually can't receive text messages. And if they call back, I'm not going to be the one that answers that phone call. I'm just spoofing. It looks like I'm calling, but I don't actually have access. Now, of course, I could SIM swap and many criminals will do that. But for the purposes of this pen test, that's not what I'm testing. So they say, okay,
We have an edge case here. Let me see if I can talk to my manager and have you send in a picture of your driver's license, your social security card, and a utility bill. And instantly I'm like, okay, bingo. We're in. The other half of social security is my husband, Evan. He does all the technical stuff. I do all the human hacking stuff.