You Asked, A Hacker Answered: 7 Questions With Rachel Tobac

Social engineering expert and white-hat hacker Rachel Tobac tells us just how cautious we should be online.

White-hat hacker and social engineering expert Rachel Tobac is the CEO of SocialProof Security, where she helps businesses and individuals learn to protect themselves against cybersecurity attacks. How does she do it? By demonstrating exactly how she would hack into someone’s accounts, using tactics like “vishing” aka voice-elicitation to impersonate others. (See her hack this CNN reporter’s hotel points in real time to get a sense of how she works.)

During Tobac’s recent webinar with Dashlane, attendees had some questions about cybersecurity, like how much should the average consumer worry about getting hacked and what the deal is with deepfakes. 

Read on for Tobac’s answers so you can get into the mind of a hacker and protect yourself against future cyberattacks. 

How can companies protect themselves against advanced methods of phishing like deepfakes and voice changers? Should individuals be concerned about this type of tech?

Rachel Tobac: First, threat models have to be discussed when it comes to deepfakes and voice-changing technology. Most folks won’t encounter phishing with deepfakes and voice-changing technology, but those with elevated threat models (such as executives, celebrities, politicians, journalists, activists, those with admin access in support) have to prepare to verify identity to avoid falling for these tactics. We’ll get to elevated threat models next. 

For those with a lower threat model—meaning those who are not in the public eye and don’t have an elevated threat model role at work—this isn’t an everyday concern. The most likely way that manipulated media will affect the average person of a lower threat model is through disinformation on social media. It’s essential to leverage verified and trusted news sources on social media to avoid the consequences of manipulated media.

Now for those with an elevated threat model—specifically those in roles at work whose job it is to wire money or make admin-level changes on accounts—you will want to be on the lookout for advanced social engineering tactics that attempt to circumvent identity verification protocols. For instance, if a bank uses date of birth, current address, last four digits of SSN, and “voice authentication” software to confirm that someone calling into customer support is the owner of the account, an attacker will be motivated to thwart that voice authentication software because the other knowledge-based authentication (KBA) questions are easy to find the answers to online, or in breaches. That is why I recommend that organizations move away from KBA and toward multifactor authentication (MFA) rather than other methods of identity verification, such as “voice authentication software.” 

Say you want to request support or show support of a brand by tagging a company on Twitter or leaving a Google review. Is this a bad idea? Is there a safe way? 

RT: If someone tweets at an airline frustrated that they’ve lost their luggage, I could create a social engineering pretext pretending to be from that airline requesting more details about their luggage, which sends them to a malicious lookalike site to harvest credentials, [their] address, and more. Or I could call up the airline myself and get that information through customer support by pretending to be the target on the call.

So how do you support the companies you love? I would say you have you decide what is right for your threat model. If you really want to write reviews on Instagram, Yelp, or other platforms, use an alias so it’s not tied to your name. Everything is based on your individual threat model, and what feels like a social engineering risk for one person may not be a risk for another. 

If you do reuse passwords across different sites, and you are being harassed online, or you work with sensitive data but also check your personal email on your work machine, then I would say you’re going to want to upgrade your security practices before posting reviews to minimize your risk.

What would a hacker want from me? Is it flawed to assume that if I’m not high profile or don’t have a lot of assets that I won’t be a target for a hacker? 

RT: This comes right back around to threat modeling, which I love. A few things to discuss here. First, folks often think “I don’t have access to anything of value, no one will target me,” without realizing that many attacks aren’t personal in nature. If an individual reuses a password and that password shows up in a credential dump on Pastebin because, say, the delivery website they use was breached, then an attacker is going to try those credentials in as many locations as they can. If that person reuses that password on that delivery website and their Gmail, or that delivery website and their bank, or Instagram, etc. then they may have their account taken over without ever having personal beef with the attacker. That’s why it’s so essential to avoid password reuse, store those unique random passwords in a password manager, and turn on MFA.

Folks often think “I don’t have access to anything of value, no one will target me,” without realizing that many attacks aren’t personal in nature. [They] don’t realize just how much they have access to that an attacker might be interested in.

– Rachel Tobac

Secondly, folks sometimes don’t realize just how much they have access to that an attacker might be interested in. Do you have a boss or coworker at work who can approve purchases or wire transfers that you chat with via email or chat? Then access to your email or chat is valuable because then they can attempt to steal money by leveraging that trusted relationship with your coworkers. Do you have the ability to read internal documents at work? That is useful to an attacker who is interested in attacking your company (even if your personal threat model isn’t elevated). We have to think of the whole picture when it comes to threat modeling to understand why a person may or may not be targeted.

What should I do if someone is trying to reset my password or log in to my account and I’m getting those annoying reset emails? Does this mean I’ve been hacked?

RT: Everyone has probably experienced those spammy, back-to-back password reset email requests before. Sometimes this is because your credentials were found in a breach and attackers are using a script they created to attempt to reset your password and the service is alerting you to that fraudulent request. Sometimes it’s just a person attempting to bother another person by manually requesting those password resets to the email on file. Other times, those spam emails are actually phishing emails and an attacker is attempting to get you to click on their malicious link so they can steal your username and password and use it themselves. 

Many services, like social media platforms, have tools that allow you to see when legitimate emails are being sent by the service. For example, you can log into your Instagram, click “Security,” then “Emails from Instagram,” to see if their security team has issued those emails or if someone is pretending to be from Instagram. In general, someone attempting to reset your password by sending that form to your email address isn’t harmful, just obnoxious, and this could be scary for folks who don’t know what it means. 

It’s important to turn on MFA so that even if an attacker did gain access to your credentials and was able to reset your password, they still wouldn’t be able to take over your account without your multifactor authentication.

Let’s say I already use a password manager or plan to. What recommendations do you have for creating really strong master passwords to protect my password manager?

RT: I love this question because it’s so actionable. Your master password should be long, random, and unique. In general, I feel great when my passwords are longer than 20-characters long (a personal preference for my threat model), don’t include any guessable or common phrases, words or lyrics or anything that I talk about liking on social media, and aren’t used on any other site in any form.

If you’re always talking about how much you love the Grateful Dead on Instagram, then you wouldn’t want your master password to be “scarlet begonias tucked into her curls” because that is not random—it’s related to you and your interests which can be looked up online and tried.  

If you’re nervous you’ll forget your master password and you feel like it’s a great match for your threat model, choose a long, random, and unique master password, then store that in a locked box in your home.

How important is it really for me to keep my browser up to date? 

RT: Keeping your machine and software up to date is essential to preventing malware on your machines. Keeping your browser up to date is one of the most important pieces of that puzzle! Known vulnerabilities are found, reported, and patched frequently by companies that then push out updates. If you let those update recommendations go by for days, weeks, or months, your computer and software are now vulnerable to exploits that are known and public, that any attacker could look up and use against you, sometimes even with a kit they can download; they don’t need to be a highly-skilled attacker to succeed. When you receive browser update notifications, I recommend updating by end of day at the latest if you use that machine for email, social media, work, shopping, or personal use.

Keeping your machine and software up to date is essential to preventing malware on your machines.

– Rachel Tobac

How often should I update my passwords?  

RT: Frequent password updates aren’t necessary with long, unique, and random passwords stored in a password manager. That’s the beauty of password managers: They don’t require you to update your passwords constantly because you’ll be using a strong password that’s unique to every single site. That’s why it’s also important to turn on MFA so that if a website gets breached and those unique credentials are available online, they won’t be able to be used by the attacker on any site, let alone the site they’re from, because they’ll be unique and you’ll have MFA on.

The requirement to update passwords every 90 days, for example, is an antiquated security practice that isn’t recommended anymore by NIST (National Institute of Standards and Technology), and it actually creates more security holes because forcing people to change passwords every 90 days means they’ll choose insecure methods of updating their password, by changing a single letter or digit, for example. The best practice is: unique, long and random passwords for every site, stored in a password manager, with MFA enabled. 

The best practice is: unique, long and random passwords for every site, stored in a password manager, with MFA enabled. 

– Rachel Tobac
    Rachael Roth

    Rachael Roth is a content creator with over a decade of experience in print and digital media. She is a longtime contributing writer for Dashlane's blog and is the Assistant Editor and Copywriter for NYC & Company, New York City’s CVB and marketing organization.

    Read More