Rachel Tobac
Appearances
Darknet Diaries
144: Rachel
Yes. And when we do a penetration test, it's very particular. I don't want to steal money from everyday people. That would be horrible and really scary for bank customers to just randomly have money stolen because of a pen test. So what we do is we create fake bank accounts. We work with the team on the back end so that the support organization, for all intents and purposes, sees a real customer.
But we've created fake bank accounts for me to steal so I don't actually harm real people. But the support team doesn't know they're fake.
That's right. So I started with the chat feature. And I posed as a customer to see if I could take over a customer account with just chatting. So I told the bank support people my sob story. I lost access to my phone, my email, my laptop. I got lost and I had a night out and I'm traveling abroad. I mean, like the whole story, right?
And I really need access to my bank account because I'm stuck and I don't have money. And the first thing that I usually try when I'm trying to do an account takeover is I try to see if I can get them to change the email address or the phone number on the account. Because if I can do that, then I can change effectively the admin on the account.
Just by changing the email address, I can then reset the password or reset to a phone number that I control. There's SIM swapping and all of that that could happen after that. But, you know, that's basically how it works. And they're like, oh, well, we can't do that because we need to only send the password reset to the email address already on your account.
That's exactly right. So good job, bank. Horrible for me as the pen tester. A lot of times I have to play both sides of this game. I have to train the company and update their protocols to prevent people like me from getting in. But when I'm first attacking them, it's so frustrating. So I try chatting with multiple other support people. I'm trying again and again.
They will not make any exceptions for me. It doesn't matter my pretext. That's who I'm pretending to be. It doesn't matter how I contact them, what I say, my story, nothing. So I decide to switch to phone call-based attacking because I tend to be much more successful. So I switched to phone calls. It leaves less of a paper trail. People tend to get less suspicious because I can build rapport.
They can hear my voice. They can hear how trustworthy I sound. And also when I'm calling, I can spoof phone numbers. And a lot of times that helps me gain access.
Yeah, it's kind of wild. In the U.S., right now it's still possible because all of the telcos have to make the same decisions at the same time. And unless all of the companies get together and make the same choices, it's going to be really hard to implement the right solution. So at least in the U.S., spoofing is still really possible for me.
I spoof my phone number. I make it look like Kelly on the account. And by the way, on data brokerage sites, when we're doing OSINT, open source intelligence, typically we can find most people's phone numbers within a minute or two. So when we're searching, we can just know, okay, this is Kelly. This is Kelly's phone number. I'm going to go ahead and spoof that. I set that up.
It usually costs me a dollar or so on the tools that are available on the app store. These are not like heavily regulated. You can just find them on the app store. And I go ahead and I place that call.
Okay. Okay. Give me one second. I got to get into character. I'm going to change my clothes so I can get into character. Here we go. Okay. Here we go. Ring, ring, ring. Oh, wait. We both said ring. Okay.
Hi, I am so sorry. My name is Kelly Smith. So I'm traveling right now and I just lost my laptop. My phone's not working. I cannot get access to any of my funds. I'm super stressed out. Can you please, please help me?
No. So this bank knew that KBA, knowledge-based authentication, things like what's your address? What's the last four digits of your phone number? This bank knows that that information is very easily found online. So they don't use KBA, knowledge-based authentication, to verify your identity. They usually use MFA, multi-factor authentication. Now, this is great. This is exactly what I recommend.
You know, send a code to the email address on file and make them read it out to you rather than going through this process of verifying identity with information that can be found by an attacker in five minutes online. So that's good. But as an attacker, that's going to be a challenge because I don't have access to that email address.
And when I'm spoofing a phone number, I actually can't receive text messages. And if they call back, I'm not going to be the one that answers that phone call. I'm just spoofing. It looks like I'm calling, but I don't actually have access. Now, of course, I could SIM swap and many criminals will do that. But for the purposes of this pen test, that's not what I'm testing. So they say, okay,
We have an edge case here. Let me see if I can talk to my manager and have you send in a picture of your driver's license, your social security card, and a utility bill. And instantly I'm like, okay, bingo. We're in. The other half of SocialProof Security is my husband, Evan. He does all the technical stuff. I do all the human hacking stuff.
No. Okay. So my husband, Evan, he gets to work editing a driver's license, a social security card, and the utility bill to the exact information that they're expecting for this account, which again, we can find through a data brokerage site.
So we're hoping that this company does not know the actual driver's license number, the actual social security number, and they're just looking to ensure that the name and address that are on the account match those documents. I can find those pieces of information through OSINT. And a lot of times I've noticed that when they ask for these types of documents, they don't know the right info.
Photoshop, yes. We spend all night on these driver's licenses, social security cards and utility bills of the accounts we're trying to hack. I email the bank at 8 a.m. the next day. I tell them my story. I tell them the edge case that we have set up with support. I send them the driver's license and social security card and utility bill. By 9 a.m., I have full admin access to the bank account.
I have changed it to be controlled by my attacker-controlled email address, and I can steal all of the money in the account. So once I finally get in, I have access to everything. I use the same method again and again. I get access to two more accounts throughout the day.
I end up spreading out the requests so that we're not raising suspicion with the same attack method over and over again, back to back. And in the end, we took over each bank account that we were asked to hack within two days.
I know that in a lot of these organizations, there are edge cases. So I'm helping companies say, okay, we did this pen test. We figured out what the edge case is. We figured out how we got access. How do we make sure we don't fall into this trap next time when the real criminals get here?
So I then help them with, okay, let's set up some edge cases back to back so that we have something like a callback. That would thwart spoofing. If you don't want to use that, you can use email verification, one-time passwords, you know, sending a code or just a word to the email on file and having them read that out. SMS verification.
Okay, they claim they're calling you from this phone number, but maybe they're just spoofing it. See if they can read out a text message, callbacks to thwart spoofing, service codes, PINs or verbal passwords. If it's some sort of internal support ticket, you can loop in a manager.
There's so many ways to do this right that a huge part of the pen test is not just hacking the company, but helping the company figure out what is a real practical way that we can solve these edge cases in the future to verify identity the right way and make it harder for you to get in the next time. Because I'll go in, I'll make it harder for me to get in as an attacker.
And then the next year, I'm like, oh my, this is so hard for me to get in until the point where I can't get in anymore. And that's when I'm like, okay, you've done the most that you can do.
And so they approached me about doing a pen test to figure out how this M&A info was getting leaked, where they could possibly improve their training, their messaging, their internal protocols to figure out why is this happening? Why are folks being incentivized to talk about this and what can we do about it?
Yeah, so insider threats happen. But what is usually most common is people just make a mistake. I kind of live in this world where I assume that people are making mistakes and I try and help them. So we came out with a few different attack methods that might work to uncover where this is happening.
Number one, I was going to attempt to pose as a journalist and reach out to various team members, asking them via social media DMs, email, text message, et cetera, about their experience in tech and see if I could siphon out M&A info and just see where it goes.
And number two, I was going to apply to their product manager role, go through the entire hiring process and see if I could extract M&A related info during the question portion of the hiring interview. I did not know what was gonna work and what wasn't, but I just wanted to try both.
So we call these ghosts, we call them sock accounts. Sometimes they'll be real people, and so we'll fashion them pretending to be a real person. Sometimes they'll be fake people, and they'll just have this full life online.
With the fake journalist, I figured it was going to be a lot easier to pretend to be a real journalist and just not actually be them than create an entire persona of a fake journalist and populate real content. So I built a fake journalist pretext, email, background, and social media based on a real journalist who I'm not going to name, of course.
It's frightening. And I mean, the reality of the situation is that... Anybody can do a full background search in less than five minutes on most people in the U.S. And people don't realize that this information is out there about them. They have no idea that it's being sold. They just don't Google themselves.
Exactly. Or we can reach out over social media DM, you know, DM on LinkedIn or Twitter or Instagram. And I mean, that's the thing. Journalists really do reach out using all of those methods. So it's hard to know what's real and what's fake sometimes.
They let me know some minor details about excitement about potential M&A, but they're not going to confirm any juicy details. And I try to get people on the phone to talk with me, but I think there's just like this inherent distrust of this particular pretext. So I'm like, okay, I got to really go for the big guns here. I want to attack via the hiring process.
Something to understand is as an attacker, this is not easy to do. I've never been a PM. So to apply for a PM role takes a lot of background research. I mean, I led a UX research team at a tech company. So I do have a sense of what a PM, a product manager does, but I am in no way prepared for a PM interview. So I have to study for three full weeks for this role. I'm watching YouTube videos.
I'm doing interview prep quizzes online. I'm taking free online courses like, so you want to be a PM, like the whole nine yards. So I'm building a full persona, a resume, a Twitter, LinkedIn, Facebook.
All of these sock accounts have photos, thousands of friends, reviews of my work from networking groups on LinkedIn, people I've never met that like you give them a review and they give you a review. All of this stuff is so gameable.
Unfortunately, yes. We do change the names of many sock accounts, but then you have to populate a lot of new information. It ultimately takes me about three weeks to build a believable social media account and enough examples of previous PM work to get anywhere near convincing during the interview process.
Well, during this period of time, the tech hiring process wasn't as bad as it is in this current year. So I apply for the role. I get a phone screen. I am sweating bullets because if I don't get through this phone screen, I will not move on to a full interview process. I'm going to have to do a bunch of work to change my sock accounts on social media to match a new persona.
It's going to be a lot more work for me. Luckily, it took like 45 minutes. I passed. I get moved on to the next round. The next round has six different interviewers.
Yeah, I was terrified that they're going to be like, this person's a weirdo, like, let's not move them forward. So I waited until the actual official interviewers arrived. And it's going to be a packed day of interviews. I have six interviews back to back all day. These interviews are conducted over Zoom. I get all dressed up in my interview clothes that I haven't worn in years.
I'm prepped with all my anecdotes, my strengths and weaknesses, my KPIs and success stories. And a lot of these examples I'm using are heavily focused on UX research because if you remember, that's something I used to do. And many PMs do have advanced UX research skills. So I'm just like hoping that they don't think that's weird.
So I get to the first interviewer and the interviewer is like, okay, asking me all these questions. I seem a little nervous, but they're like, oh, you know, don't worry about it. It's going to be fine. We go through all the PM related questions.
No, see, the funny thing is when you're hacking people, a lot of times it makes sense for your pretext to match how you're actually going to feel when you're hacking. And a lot of times you are nervous when you're calling support because you can't gain access to your bank account. You are uncomfortable during an interview. These are normal human emotions.
And so it's okay to not be way too overconfident. Sometimes that can even read as strange. So yeah, I mean, I'm sweating bullets. It's clear I'm nervous. We finally get to the end and the interviewer says, so do you have any questions for me about the role? I have never been sweatier in my life. This is it. If they get suspicious during this moment, all of my work is for nothing. So I say,
I am so excited about this company. I hear there's a lot of opportunity for growth. I did a bunch of research. I did find a few news stories that mentioned XYZ potential merger. I know you can't confirm anything, but I just want to understand what an integration process looks like at your company during an M&A.
I know you can't confirm anything again, but I just want to understand how my role could potentially change over time. The interviewer takes a beat and says, you're right, I can't confirm anything. And my heart sinks. I'm like, no, this person's trained. And then they go, but just because I can't confirm doesn't mean I can't talk in generalities, right? And winks, actually winks.
I'm like, oh, this is going to be so good. So there's a lot of hand waving and, you know, I can't confirm, but throughout the rest of these interviews. But
It seems that everyone at this company knows you're not allowed to say information in plain language about M&As, but that doesn't mean that I can't glean pretty serious details about the upcoming acquisition plans that have been clearly discussed internally. By the end of this day, I got M&A info out of three of the six interviewers. So 50%.
Yeah. So they wouldn't tell me the names of the companies that were potentially going to be acquired. But I would say things like, I saw a rumor about XYZ company. Is this the type of company that you would be excited about? And then the wink, wink, hand-waving process starts of, you know, I can't confirm it, but we are interested in integrating things like XYZ.
So I was able to glean information such that when I reported it back to the team, they were like, I mean, yeah, you got the right information. Nobody said anything in plain language, but you can get people to say things kind of beating around the bush. So in the end, I got M&A info out of 50% of the interviewers, three out of six. I debrief with the security team.
I ask them when they want to discuss the results with the organization. They say, well, let's just wait up and just finish the hiring process so that it's not a distraction to them. And in the meantime, the next day, I actually get an email that I used to apply for this role, that I was being moved to the next stage of the interview process to get an offer.
So not only did I siphon out the info I needed during the interview pen test, I also got the job, I guess.
They realized that when they explained to people that they were not allowed to say the words of the acquisition, they realized that they needed to be clearer in their communication. That... No, just because you're not saying we are acquiring XYZ company, it doesn't mean that friends, family on social media, people can't glean information to understand, oh, they're interested in AI.
This person's talking about how their role is going to change. They're talking about how much they love this specific technology and they're tagging certain companies on Instagram or Twitter.
They realized that they needed to be much more specific in their protocols and language, saying, when we're planning an acquisition, once we talk about it internally, please do not talk about it even in a hand-waving fashion with friends or family or on social media. Don't talk about how your role is going to change on LinkedIn. Don't talk about what you're excited about upcoming on Instagram.
They had to be really clear about that. And once they did that, those leaks stopped because it wasn't an insider threat. It was just people not 100% getting what an attacker is interested in and how they could find that info.
It did. Yeah, it doesn't necessarily mean that it's coming through the interview process. Now, maybe it was, but it's probably just that people in general at the company didn't understand that when talking in generalities, that can be used by attackers too.
Exactly. And they were like, oh, I get it. So I can't say that we're talking about this technology and how it's going to change my role as a product manager, because that tips off people to understand that we're going to be acquiring XYZ company in the next six months. That's where these leaks are coming from.
Yeah, last year or so, I started talking more on Twitter about how I'm seeing AI get used by criminals to trick people. So I'm talking about this, scammers are tricking grandparents out of 1500 bucks, posing as their grandson, spoofing the grandson's phone number, voice cloning, or just like modulating the pitch to sound like the grandson and saying they need money for bail.
Just talking about these examples. 60 Minutes sees this. They email me, they reach out, they say, hey, we want you to do a hack live. It's actually gotta trick somebody. Can you do that with us? And I'm like, I mean, yeah, I can do that, but it's complicated. I've done a lot of these live hacks over the years for large media pieces. You know, I need consent.
Before I do any sort of hacking, I get consent. Like when I hacked CNN's Donie O'Sullivan, I hacked him through his service providers, and I also hacked him through his leaked passwords.
And I had his consent with a lengthy contracting process and scope discussion before I was able to contact his service providers pretending to be him, before I was able to log into his LinkedIn using his breached passwords and the things that I found online. So I start explaining to them how much consent I'm going to need. And they're like, I mean, well, we'll try.
We'll just try and see what happens. So I start to talk to them about who my target is going to be. They want my target to be Sharyn Alfonsi. She's an awesome correspondent for 60 Minutes. Rachel Tobac is what's called an ethical hacker. She studies how these criminals operate. So ethical hackers, we step in and show you how it works.
I determined through OSINT, open source intelligence, that the best way to do this hack was to trick her coworker while pretending to be Sharyn. Because sometimes our coworkers have just as much info and access on us as we do about ourselves. So I needed to get consent from the coworker. And here's the massive challenge.
I needed to get her coworker's consent because she was a major part of the hack. This coworker is named Elizabeth. I contacted her. I was like, hey, this is what we're going to do. We're going to do this hack. You need to consent to essentially being part of the hack, but you don't know when, where, or how it's going to happen. You don't know who I'm going to pretend to be.
You're not going to know the method of the attack, whether it's going to be a phone call, email, text, contacting your service providers, pretending to be you. Elizabeth is awesome. She's like, that's fine. That's like completely fine. I'm really excited. And I'm like, okay, let's do this.
So I decided that I wanted to do a phone call because I wanted to clone Sharyn's voice and spoof Sharyn's phone number to Elizabeth and trick her during a phone call to reveal some sort of personal information to me. Now, Sharyn is a famous reporter, so her voice is everywhere. I grabbed about five minutes' worth of samples of her voice just from YouTube videos from 60 Minutes.
I put her voice into my voice cloning tool. I start tweaking the tool. There's voice clone settings for things like clarity, voice stability, style exaggeration. And I finally get the settings tweaked to a point where I feel like it's going to be credible at all during a phone call, but it's not 100% perfect.
And I do my open source intelligence to find the right phone numbers to spoof and the right phone numbers to call. Like I said, data brokerage sites have personal contact details for almost everyone. And I need to find the right details to use during the hack, like upcoming travel, the right information to try and siphon out for the demo.
You can find most of this stuff through social media when people talk about their lives. The only issue. Now, I'm going to have to somehow get Elizabeth to participate in this hack without her realizing it's the hack itself going down. How am I going to do that? She's already consented to this and she knows it's coming.
So I figure the only way that this is going to work is if it feels natural within the filming day. Otherwise, how is the film team going to catch the hack live so that anyone in the audience can watch it?
Not yet. Let me tell you these details. So I get my hair and makeup done for 60 Minutes, right? I'm doing my vocal warmups. I'm like, la, la, la, la, la, la, la. I'm getting ready for recording. Sharyn's still in her room prepping for the day. The light and the sound crew are getting the gear ready for the shoot. Elizabeth shows up. She's getting ready.
I pull aside the head of the sound and lighting crew, and I let them know that I think the only way they're going to be able to catch this hack on camera live is this. I'm going to go out into the hallway with my computer and phone. You, the camera crew, cannot follow me because it'll be way too obvious to Elizabeth if you follow me.
And it really shouldn't matter anyway because it will be me on the other end of the phone call. So you should catch the interaction from her end anyway. So you, the crew, must ask Elizabeth to stand in for Sharyn so you can get lighting, sound, everything prepped so that when Sharyn finally comes down, she can just slide into the shot and we can get started.
That way, when I start the hack, you'll be able to actually see and hear Elizabeth and be able to catch the attack in motion.
The crew is like... What did we sign up for? This is ridiculous. I am so nauseated by this plan. Like I'm so freaked out by this because if this doesn't work and Elizabeth is like, sure, crew, I'll stand in for Sharyn, and immediately realizes what is happening, then this entire shoot, all 15 members of the 60 Minutes team, the lighting crew, sound, hair, makeup, everybody's here for nothing.
And I will just have to basically demonstrate what I would have done. That's not going to be fun for anyone. And now, mind you, it's like 7 a.m., so this feels like the crack of dawn for all of us. People haven't even had a cup of coffee yet. So people are like, okay, Rachel, sure, we'll do that. So I walk over to my hacker laptop.
I announce to the room that I need to go help my team with something back home. So before we get started for the day, everyone get your coffee, whatever, set up. They say, no worries. I step out into the hallway. I've got my laptop and phone. I can't hear anything that's happening in the ballroom now where we're filming.
I just have to hope that the sound and lighting crew have successfully gotten Elizabeth into the, quote, stand in position with the sound and lighting on, because otherwise they're not going to catch this. And like, I'm not going to fake it for them later. It needs to be real. So I'm just like praying this works. So I open up my voice cloning tool in the hallway.
I type in my opening line into the voice cloning tool. And to be clear, this voice cloning tool, I cloned Sharyn's voice. I can then type in any words and it will spit out those words spoken in Sharyn's voice. So I type in my opening line. My opening line is, Elizabeth, sorry, need my passport number because Ukraine trip is on. Can you read that out to me?
It has to be short and sweet, direct and to the point, without requiring a lot of follow-up because the issue with these tools is there's a delay in me typing it into the voice cloning tool and when it spits out the words in Sharon's voice.
I'm also holding my phone up to the computer, so there's like kind of a strange audio vibe going on with this phone call, and I just want to minimize it and make it happen as fast as possible. So I open up my spoofing tool on my phone. I type in Sharyn's number to spoof. I type in Elizabeth's phone number to call. I hit go. It is 100% silent. I hear Elizabeth's phone.
It's audibly ringing inside of the ballroom. And I'm just hoping she like goes over and picks it up, right? My stomach's in knots. I am sweating profusely. And then I hear her go, hello? Sharyn? Like I hear it through my phone and I can also hear it in the ballroom. And I'm like, oh my God, she can like hear out here. So I hit my voice cloning play button.
And then silence. Silence. For what feels like hours, I am sick to my stomach. My hands are shaking. This forever silence that I was experiencing was Elizabeth holding her phone in her hand, looking at the caller ID during the call to ensure it really does say Sharyn because the voice sounds weird. I mean, I'm voice cloning plus spoofing.
So it looks like it's calling from Sharyn, but it sounds kind of far away because I'm holding my phone up to the computer. Elizabeth finally responds.
And then she reads out the passport number I just asked for. I'm like, let's just get off this call as soon as possible. So I say, thank you. She starts asking me questions. You know, when am I going to be down for the shoot? Do I need anything else? And I have to deal with this delay back and forth typing in my replies. So I'm just thrilled that by this point, I like siphoned out information.
And I just wanted to get off this call as fast as I possibly could. So I said, I'm just coming down. And I end the call. I walk into the ballroom. Elizabeth is sitting under the lights with the mic pinned on her. And I'm like, oh my God, it worked.
All I have to do now is do the interview with Sharyn and explain the mechanics of the hack to her live and make sure that Elizabeth knows that anyone would fall for this style of hack because most people don't realize it's possible yet. I wanted to make sure she didn't feel like horrible about it.
Okay, my origin story. So... My first time that I ever thought about being any sort of hacker was when I realized that being a spy is a job that people do. And it's a job that girls could do. And I learned this through the movie Harriet the Spy. She goes around sneaking into people's houses, spying. She takes her notebook everywhere.
She sneaks through the dumbwaiter in this rich woman's house and gets caught. And I just thought, oh my, I had no idea that a girl could be a spy. So that basically became my personality for my childhood.
I did not get into computers. I wanted to get into computers. I went to my guidance counselor in, I think, sixth grade. And I said, hey, I want to take these coding classes. And my guidance counselor, she said, Rachel, you don't want to take those coding classes. Those coding classes are 40 boys. You'd be the only girl there. Just take home ec instead. Wow.
I know. And me being a child, I was like, oh, good call. I mean, yeah, I don't want to like blame her for like me never learning to code. I mean, I could have tried later in life, right? People try later in life all the time. But no, I've actually never written a single line of code. I ended up getting my degree in neuroscience and behavioral psychology. I was a teacher's assistant for statistics.
Darknet Diaries
144: Rachel
Yeah. So my path to InfoSec and hacking, to the untrained eye, it doesn't make any sense. It's almost completely nonlinear. To me, looking back, it makes a lot of sense. So I got my degree in neuroscience and behavioral psychology. I was doing improv on the weekends. I was a teacher. I then was like, hey, I want to try and get into tech. I moved to San Francisco.
Darknet Diaries
144: Rachel
I was a community manager at a tech company. I actually ended up leading a UX research team. And then while I was at that tech company, my husband was in security the entire time. I actually met my husband in high school. I met him when I was 15 years old. So my husband was like, hey, I heard about this thing called DEF CON. I think you would get a kick out of it. And I was like, uh, pass.
Darknet Diaries
144: Rachel
They do this thing where... They put you in a glass booth. It's soundproof in front of an audience of 500 people. You call companies and you try and solicit information out of them over the phone. It's the exact same skill that you use every month to get the bill lowered. When you call these companies, you build rapport, you get a deep discount on things like the cable bill. You'll love it.
Darknet Diaries
144: Rachel
He called me back and he's like, I just saw more of these calls, these social engineering calls. You have to come. Like, I promise you, if you don't like it, we'll just go gambling. As an aside, I love gambling. So I was like, okay, fine. I pack my bags. I get the first flight out Saturday morning.
Darknet Diaries
144: Rachel
And as you know, if you're at DEF CON Saturday morning, it's like DEF CON's like a third over at that point, if not more. So I show up, I see a few calls.
Darknet Diaries
144: Rachel
I see a few calls and I'm like, oh my, this is me. Like, I can do this. I was born for this. And my husband was like, I know, right? I told you.
Darknet Diaries
144: Rachel
And I was like, oh, I got just the thing. I made this Twin Peaks style video to convince them to let me get in. And somehow they agreed to let me participate. Hundreds of people apply and 14 contestants are selected every single year.
Darknet Diaries
144: Rachel
I contact my target company. I pretend to be an employee who's confused, who's just starting out. And I end up getting flag after flag. And I get out of the booth and I'm like, maybe I did okay. And then there's like a standing ovation. I'm like, oh, maybe I did better than okay. And I ended up getting second place that first time ever hacking anybody.
Darknet Diaries
144: Rachel
That first time ever hacking somebody happened in a glass booth in front of 500 people.
Darknet Diaries
144: Rachel
And then I ended up getting second place the second year, and I got second place the third year as well.
Darknet Diaries
144: Rachel
After folks started seeing me get second place at DEF CON, they'd see me on stage, they'd be like, hey, I want to chat with you. Can you come speak at my company about how you hack and how we can catch you? And I live in Silicon Valley, so I got really lucky that people started asking me to do things that, like, are a job, right? Like, I'm like, oh, I guess I need to make a company.
Darknet Diaries
144: Rachel
So I made SocialProof Security in 2017. And I mean, I live in Silicon Valley, I was so lucky. Some of my first clients were like Facebook, Snapchat, PayPal, Twitter. And from there, it was like US Air Force, NATO, Uber, Google, Cisco. It's like, oh, my gosh, you know, I feel like I just got really lucky in this life.
Darknet Diaries
144: Rachel
Oh, it's totally wild. I mean, if you would have asked me decades ago, like, what did you think you were going to get into? The word hacker would have never even made the top 100 list because I didn't know it was possible, didn't know it could be a job, and I certainly didn't think I would be good at it.
Darknet Diaries
144: Rachel
When I saw the concept of a hacker in TV or movies, it was usually a guy who wore a hoodie in a basement. I mean, I wear hoodies and basements are fine, but I didn't think that I was going to be good enough. Yeah, you just have to see yourself in the position. And I've had multiple women come up to me and say like, hey, I saw you in that competition.
Darknet Diaries
144: Rachel
Didn't realize it was possible for people like me. And now I do this for a living.
Darknet Diaries
144: Rachel
So a bank hired me to penetration test them. Effectively, they hired me to hack them. And they told me that I could hack via phone call, email, or chat. And my job was to take over multiple accounts and steal access, effectively steal the money out of the accounts.