Rachel Tobac
Podcast Appearances
No. Okay. So my husband, Evan, he gets to work editing a driver's license, a social security card, and the utility bill to the exact information that they're expecting for this account, which again, we can find through a data brokerage site.
So we're hoping that this company does not know the actual driver's license number, the actual social security number, and they're just looking to ensure that the name and address that are on the account match those documents. I can find those pieces of information through OSINT. And a lot of times I've noticed that when they ask for these types of documents, they don't know the right info.
They're just hoping that it matches and they stop there.
Photoshop, yes. We spend all night on these driver's license, social security cards and utility bills of the accounts we're trying to hack. I email the bank at 8 a.m. the next day. I tell them my story. I tell them the edge case that we have set up with support. I send them the driver's license and social security card and utility bill. By 9 a.m., I have full admin access to the bank account.
I have changed it to be controlled by my attacker-controlled email address, and I can steal all of the money in the account. So once I finally get in, I have access to everything. I use the same method again and again. I get access to two more accounts throughout the day.
I end up spreading out the requests so that we're not raising suspicion with the same attack method over and over again, back to back. And in the end, we took over each bank account that we were asked to hack within two days.
I know that in a lot of these organizations, there are edge cases. So I'm helping companies say, okay, we did this pen test. We figured out what the edge case is. We figured out how we got access. How do we make sure we don't fall into this trap next time when the real criminals get here?
So I then help them with, okay, let's set up some edge cases back to back so that we have something like a callback. That would thwart spoofing. If you don't want to use that, you can use email verification, one-time passwords, you know, sending a code or just a word to the email on file and having them read that out. SMS verification.
Okay, they claim they're calling you from this phone number, but maybe they're just spoofing it. See if they can read out a text message, callbacks to thwart spoofing, service codes, PINs or verbal passwords. If it's some sort of internal support ticket, you can loop in a manager.
There's so many ways to do this right that a huge part of the pen test is not just hacking the company, but helping the company figure out what is a real practical way that we can solve these edge cases in the future to verify identity the right way and make it harder for you to get in the next time. Because I'll go in, I'll make it harder for me to get in as an attacker.