Rachel Tobac @RachelTobac CEO @SocialProofSec social engineering & hacking training/pentest/workshops/keynotes | 3X @DEFCON SECTF 2nd place | Chair @WISPorg | SrUXR @coursehero | She/her Oct. 12, 2019 1 min read

This year at @defcon I was asked by @CNN @donie to hack him live. I was able to take over 10+ accounts right in front of him. Here’s how I did it, what updates to demand of your service providers, & how to keep yourself safe. Teaser below, full vid here: https://www.facebook.com/cnn/videos/2417977165158281?sfns=mo

What can be done about this? Imagine if you could log onto your email online with just your address and phone number. Of course you cannot, but this is how it still works over the ☎️. Updating phone authentication protocols to include 2FA/calls back to avoid spoofing will help!

I will be covering the exact attack steps I took and my phone authentication protocol update recommendations to thwart phone attackers like me at GWU in DC Wednesday during my keynote (open to the public, register here: http://go.gwu.edu/ncsam2019fbkeynote ) and at my @SAINTCON keynote in Utah.

My whole goal with this hacking project with @donie is to demand all companies with phone support to update their phone authentication protocols to eliminate my ability to authenticate over the phone with knowledge-based methods (address, bday, etc.) and include 2FA!

I tried doing some of my hacking calls as @donie w/out a voice changer. Sometimes support assumed my voice pitch/freq didn’t match my pronouns & said “this isn’t your account”. Can only imagine how awful this is for folks whose pronouns & voice may not match support’s assumptions

This is just one of many other reasons why it’s essential for phone ☎️ customer support to authenticate with 2FA: not with authentication assumptions based on pronouns, voice pitch/frequency, and not with knowledge-based authentication, but with strong phone call 2FA.
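The two protocol points made in the thread (knowledge-based answers and caller ID prove nothing, while a call-back to the number on file plus a one-time code does) can be shown side by side in a small model of a support desk. The code below is an added illustration and is not code from this thread or from SocialProof Security; the `SupportDesk`, `PhoneNetwork`, account data and phone numbers are constructed placeholders.

```python
"""Model of a phone-support authentication desk: knowledge-based authentication
(KBA) and caller-ID checks versus call-back with a one-time code.

Added illustration (not from the thread). Every name, address and phone
number here is a constructed placeholder."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    email: str
    address: str          # public-record style data; findable by an impersonator
    phone_on_file: str    # the number support will call BACK; inbound ID is never trusted
    pending_code: Optional[str] = None


@dataclass
class InboundCall:
    claimed_email: str
    stated_address: str
    stated_phone: str
    caller_id: str        # asserted by the calling side's carrier/PBX; spoofable


class PhoneNetwork:
    """Constructed stand-in for the telephone network. It records which real
    handset receives each OUTBOUND call, regardless of any spoofed inbound ID."""

    def __init__(self) -> None:
        self.handsets: Dict[str, Optional[str]] = {}   # number -> last code delivered

    def register(self, number: str) -> None:
        self.handsets[number] = None

    def deliver_code(self, number: str, code: str) -> None:
        self.handsets[number] = code

    def read_code(self, number: str) -> Optional[str]:
        return self.handsets.get(number)


class SupportDesk:
    def __init__(self, accounts: List[Account], network: PhoneNetwork) -> None:
        self.accounts = {a.email: a for a in accounts}
        self.network = network

    def authenticate_kba(self, call: InboundCall) -> bool:
        """Weak: address and phone number can be looked up or guessed."""
        acct = self.accounts.get(call.claimed_email)
        if acct is None:
            return False
        return (call.stated_address == acct.address
                and call.stated_phone == acct.phone_on_file)

    def authenticate_caller_id(self, call: InboundCall) -> bool:
        """Also weak: caller ID is asserted by the caller, not verified by us."""
        acct = self.accounts.get(call.claimed_email)
        return acct is not None and call.caller_id == acct.phone_on_file

    def start_callback(self, call: InboundCall) -> None:
        """Strong: end the inbound call, mint a code, dial the number ON FILE."""
        acct = self.accounts.get(call.claimed_email)
        if acct is None:
            return
        acct.pending_code = f"{secrets.randbelow(10**6):06d}"
        self.network.deliver_code(acct.phone_on_file, acct.pending_code)

    def finish_callback(self, email: str, code_read_back: str) -> bool:
        """Accept the code only once; a wrong or missing code burns it too."""
        acct = self.accounts.get(email)
        if acct is None or acct.pending_code is None:
            return False
        ok = hmac.compare_digest(acct.pending_code, code_read_back)
        acct.pending_code = None
        return ok


def run_scenario() -> Dict[str, bool]:
    """An impersonator who knows the public data and spoofs the victim's caller
    ID, but is holding a different handset, tries each verification method."""
    net = PhoneNetwork()
    owner_number, impersonator_handset = "+15550100", "+15550199"   # constructed
    net.register(owner_number)
    net.register(impersonator_handset)
    desk = SupportDesk([Account("donie@example.com", "1 Example St", owner_number)], net)
    call = InboundCall("donie@example.com", "1 Example St", owner_number,
                       caller_id=owner_number)          # spoofed to match the file
    results: Dict[str, bool] = {}
    results["kba"] = desk.authenticate_kba(call)                # True: KBA is fooled
    results["caller_id"] = desk.authenticate_caller_id(call)    # True: spoof is fooled too
    desk.start_callback(call)                                   # code goes to the number on file
    results["callback_impersonator"] = desk.finish_callback(
        "donie@example.com", net.read_code(impersonator_handset) or "")   # False
    desk.start_callback(call)
    results["callback_owner"] = desk.finish_callback(
        "donie@example.com", net.read_code(owner_number) or "")           # True
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The point of the model is in `start_callback`: the desk never uses anything the inbound caller supplied to reach them; it dials the number already on file, so a spoofed caller ID and a correctly recited address both become irrelevant. The same shape applies to an SMS or authenticator-app code, as long as the channel is chosen from the record and not from the caller.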

