All right everybody, let's kick this off. This time we're going to do a Black Hat style introduction for our next speaker. So: laser beams, laser beams, unza, unza, unza, unza, everybody get ready for the best, most amazing, most cyber talk ever. Laser beams, laser beams, laser beams. Pew, pew, pew, pew! Please welcome Cat Murdock presenting "Black Mirror: You Are Your Own Worst Privacy Nightmare."

I thought I told you to set a low bar, man. Low bar. Welcome, thank you guys so much for coming out. As you now know, you are sitting in "Black Mirror: You Are Your Own Worst Privacy Nightmare." We're going to go through this in a bit of a narrative way, involving a lot of story points, to hopefully wrap up and bring us all to the main goal of the talk, which is just recognizing the areas of our life where privacy is leaking that we may not realize exist at all.

So first, hello, I'm Cat Murdock. For the past few years I've worked on red teams doing social engineering and penetration testing. This talk draws on those experiences pretty heavily. I am constantly curious; I'm really interested in where our actions leave us most vulnerable. In my spare time I like to threat model my life. My husband will probably attest to this. I like to make sure that we have plans A through Z sorted out, so I have to know where all of our vulnerabilities are. So I really try to take our professional curiosities in the community and apply them to our lives. I also really like my dog. I currently work as a security analyst on GuidePoint's Threat and Attack Simulation team. I don't know if anybody here... they were very supportive of me, and I'm very grateful for that.

So the goal of this is to recognize the vulnerabilities that are created in our lives by using multiple services. We're going to do a nice little Black Mirror Netflix theme, but we're going to draw this out into other areas of our lives as well.
I'm going to talk about some tips for mitigating these issues and these vulnerabilities in your life, and hopefully we'll learn through some entertaining stories and a lot of research that I put into this specific talk. So it's going to involve a bit of a hard, deep look at our current reality and how we are impacting our own lives, and how our family members are impacting our lives. I know personally I have a stepdaughter, and she is growing up in this technologically really advanced world, and it's really challenging sometimes to break down these privacy points and proper security for her as she is essentially learning how to craft her own digital image. It's really hard sometimes to thoroughly underscore how your own actions online, and just continuing to live your life, can really affect you on some deep levels. So those interactions with her have gotten me thinking a lot about how these lessons, and looking at privacy and our own vulnerabilities from different angles, can really mitigate problems and effect positive change in our lives.

As many people in this room probably know... if you work in privacy, can you raise your hand? Thanks guys. So I want to be really clear throughout this that I am so grateful to all privacy professionals. They advocate for policies that help us, and they do this within the confines of their companies, with their companies trying to make money and continuing to be the commercial giants or little contributors that they are, and I'm so grateful for everything they try to do and everything that they want to do.
Those things typically are... privacy professionals' focal points are within their own company and their own services, and we're going to explore where those lexicons of control end, and therefore what happens on the edge, where one group's privacy policy may be very robust, but what happens when those services start commingling with other services. In theory end users get some choice over their own privacy, and in this room I'm certain that so many people are very aware of how their actions impact their privacy and their own vulnerabilities. But when we go home and we're talking to our friends who don't work in the industry, and we're talking to our family members, how do we translate these lessons? Especially in a world where companies say, oh well, end users had choices, they're allowed to opt out, we gave them XYZ and they're making these choices. But really, do they? There are a lot of things, especially for the lay person, that are extremely overwhelming from a privacy perspective. They can have a lack of knowledge; they don't understand where to look; there are varying degrees of proficiency with technology and with applications; they could just have other priorities. I'll be the first to own that sometimes I know the right way to do something and I'm like, I don't have time to spin up a burner email to register for this cocktail party for Black Hat, I'm just going to use this one, because the idea of doing this right now in the midst of my very busy work schedule is overwhelming to me. So that's coming from somebody who does this professionally. Maybe you guys are better than me and you've never slipped up, but I know that where my family and friends are concerned, we are all extremely busy and the world throws tons of
things our way, so it has to be a little bit empathetic to that. And then occasionally there are really bad privacy policies, or they don't cover... occasionally, I'm going to be generous, because I really, really appreciate the effort that privacy policies take. But even though they have this idea of choice, and we can say the end user can prepare themselves, do they actually have that ownership over their own privacy? I would posit that there are so many layers to this that it's almost impossible for anyone to see where all of the risk could come from.

So let's start off talking about what are some common services people use in their day-to-day life, not from a business perspective but as each individual. You guys are welcome to shout at me: what are some things that we use every single day that are services other vendors provide? Email. Instagram, social media in general. Netflix, thanks. APIs, yes. Amazon. Instant messaging. Cell phones. Medicine. So there are so many different services that impact our lives on the day to day: namely banking; we all need phone and internet, I think I heard somebody say that; subscription media; social media; instant ordering, be that food or Amazon (I personally hate stores, so I'm a big fan); and media and enjoyment. So these are all services that most adults in this room and out in the world are using very regularly. And so each of these disparate companies, disparate services, they all have their own terms of service, they all have their own privacy policies, but do they think about all the other privacy policies that they may interact with? That's often not the case, unfortunately.

So we're going to focus in on two specifically. We're going to look at banking, which is regulated and very compliance driven, and subscription, where their policies often have to protect or work around what their user data is being used for: can we resell this, how do we obfuscate it, how do we aggregate
it, how do we make sure that people are not identified based on their watching profiles or their cookies, etc. So these two specific things are so important because, outside of maybe Michael Bazzell, I'd say everybody in this room probably has at least one bank account in their actual name, because otherwise we wouldn't get paid. And so that is something that we cannot avoid at this point in the game. And then 60 percent of the adult population pays for subscription services, like Netflix, like Spotify, like HBO Now, what have you. 60 percent of the adult population is paying for that, and then there is clearly the 30 to 35 percent of the population that is just using one of those 60 percent's accounts in some capacity or another. So these two things are very pervasive. And maybe people are like, oh, I'm never going to give my information to media, I don't have a subscription account. That's great, you do you, but this is more of an analogy towards the broader implications of using multiple services to just run our lives, which from a basic financial connectivity perspective is unavoidable. We are all using services, we're all using vendors in our day-to-day lives.

So a question for everyone: what if you need to verify your identity with your financial institution? What do you need? Social security numbers. Sometimes your driver's license. Sometimes the debit card number or the debit card itself. Address. Secret questions. Yeah, so all of these are ways that your bank may try to verify your financial information. And this is not targeting one specific bank. I will backtrack to a little bit of my background: I've worked in finance for the past six years. I started my security career writing policies for essentially merchant banks and investment banks, so I got to see a lot of how the policies were written from that side, and then as
a social engineer and penetration tester I have worked with a lot of banks to see if we can circumvent their controls and access accounts, or access aspects of the infrastructure that we shouldn't be able to see. So a lot of this came out of those very real experiences. No two financial institutions may have the exact same verification questions or verification policies, but in my experience with a number of major providers, this is something that does affect many of them in this very specific way.

So what do you need to verify? Credit card number, social security number, account numbers, other stuff; those were all great ideas. But what happens if you're on the road? What happens if you don't have your account number memorized? What happens if you forget your social, or you're in a really crowded area and you don't want to say it? How does your financial institution then verify who you are? They send you an email, potentially. A PIN number, potentially. Say what? Yeah, if you call in they'll make sure that the primary number matches the number on the account, which, okay. These are interesting. Other places will often verify with knowledge of the account itself. Many banks, many financial institutions, will assume that because you understand what is happening within the account, because you have a really firm understanding of the current balance, the most recent charges, etc., your date of birth, your address, your phone number, because you know everything there is to know about the account except for the number, they will say, okay, that's cool, this is your account.

So where does this meet Netflix? What are the different defining qualities of subscription services? There are a couple of things here that all subscription services rely on: preferences; did somebody say credit card; recurring payments. And those recurring payments are publicly known. You know
exactly how much you're paying for Netflix every month. Maybe you do the family plan for Spotify, maybe you do the singular plan, but there are not very many iterations of these monthly services' pricing. So it's not necessarily your bank's job to think about the implications of verifying with something like a recent charge, but if we're all paying $9.99 every single month, and we can kind of figure out what time of month that charge occurs, then any person who can figure out what service you use and when it renews could know a piece of information that could get into your bank account.

And then how might we find out who uses these things? People love to talk about their subscription services. They love to talk about the music they like, they love to talk about the shows they like, and this is top quality open source intelligence, also known as OSINT, and it's everywhere. "One year Netflix subscription on 6/12." "What day every month are they paying $9.99? Netflix, around the 12th." "Got a Netflix subscription again." "Time to re-up my HBO Now subscription." The key to a successful campaign: when big TV shows come out, Big Little Lies, Game of Thrones, these service providers have an influx of tons of people, so now there are hundreds of thousands, millions of targets that we know probably signed up around these very popular releases. So we can slowly accrue all of this information about somebody, essentially how we might be able to get into their bank account if we can figure out what bank account that is, and we can use this public knowledge of monthly subscription services to gain access to those accounts.

I have done this personally into multiple bank accounts at multiple financial institutions. It works really well. I personally kind of hate when people stand up and are like, I did this thing, just trust me. So, as one does, I opened up a special bank account for the sake of this presentation.
Disclaimer: I am not sure that this is an advisable move on anyone's part, and I need to be very clear, I'm not telling anyone to go out in the world and start a bank account to test their own security controls. I don't think it's illegal, I couldn't find anything that said it was wrong, but I don't necessarily advocate it. So we're going to go on a little journey. I wanted to see if I could, using my own information... I opened a bank account using OSINT-able information about myself, unfortunately, and I wanted to see if I could gain access to that account through improper verification methods. It was, pleasantly, slightly more challenging than I originally planned on. But I didn't want to betray any employers or clients, so this seemed like the safest way to prove the point without stepping on anyone's toes or making anyone particularly alarmed.

I will say, yes, we can find subscription information online. We can find other OSINT online about the account holders. We can find their birthday. If they haven't moved around a lot, we can probably figure out what area they opened the account in. We may be able to find their social; some states still release that on tax liens, which is just bad to me. So if you live in those states, maybe go make sure that on the publicly disclosed tax liens your social security number is not in the top corner, because often they will only verify with the last four. So some, if not all, of these things are OSINT-able. I tried to keep this very, very basic, and I did put some subscription services on this account for the sake of this talk; thankfully we had a lot of heads up.

So it's a multi-pronged attack. You do a setup call to make sure that you verify the most recent charge, and you're like, oh, I don't really know a lot of information, but I just had this weird thing happen on my phone, can I make sure my Spotify payment went through, can I make sure my YouTube Red, Premium, whatever it is, went through. So we're
going to listen to a setup call where I call just to get information on the account to further my attack vector on my next step. So here we go.

"So I am traveling around, I'm just really crazy, so I don't think I have my account number at the moment. I just got one of those weird text messages for a charge and I wasn't familiar with the vendor. I was wondering if you could confirm what the most recent charge on my account is." "Okay, I can definitely go ahead and confirm what the most recent charges on your account are. May you please verify your full address, including your state, city and zip code?" "Yeah, okay." "Thank you so much. And what was the amount of that charge?" "I don't... it was like a pretty significant one, but it might be a monthly thing, I don't know, I wanted to verify what it is." "Okay, so it looks like it's just that one." "Yep."

What is interesting is she never had me verify it. I just stumbled my way through confirming what the amount was, and she was like, oh, was it this one? I'm like, yeah, that seems right. "Do you see the whole vendor name? Is that a monthly thing?" "Cool, that is okay." "Okay, that makes me feel better, thank you so much." "You're welcome." "While I have you, could you just verify what my account balance is right now? I feel like between that charge and, I think I got paid recently, so I just want to verify." "Okay, so your balance is..." "Okay, awesome, okay, that's good then. All right, thank you so much, I appreciate you." "You're welcome, you have a great day, and thank you for calling."

So now I know... if this was not my account, I would have verified I had the right address, because it went through. I gave her the proper name, and then she gave me my one ask: can I just confirm this weird text message I got? Everyone gets the six-digit text messages. And finally, at the end, when she was all bought in, she'd already
helped me, she felt super comfy in this interaction, I was like, oh, can you also tell me the account balance? I would like to know this exact other thing about the account. So now I have all of this great information to call a different teller, because banks are giant places with multiple people, and see if I can take it to the next level.

I will say, shout out to that bank, I did get shut down once. But I want to share it with you because, in the process of getting shut down, one of the biggest things that I see in all of these cases of services leaking little bits of information, leaking your privacy just a bit on the fringes, is that a lot of times humans don't realize the value of helpful information. Humans typically are trying to be helpful, especially if you're polite, if you're amenable, and they are all in for trying to be as helpful as possible within the confines of what they believe they're allowed to do. So we're going to start with a shutdown, because it does happen, but there was a really valuable little tidbit thrown in while he was being like, no bro, I can't do that.

"As far as getting at the account number without having to go to a branch, it would be through the mobile app." "I don't think I remember my password right now. You can't help me?" "I'm pretty sure I can help you log into the account." (Should have been... that's a guy, too.) "Yeah, I just, I get in a lot of trouble if I do that, but I can help you get into your mobile account and then help you find it, most definitely." "Smart. We can try that, let's see if I can..." "So if you could log in, or if you need help walking through it, I can help you with that, most definitely." "What were you seeing?" "The handle was the user ID." "Okay. Oh shoot, you know what the problem is, I don't think I can do this while I'm on the phone." "Are you with Sprint?" "Yeah." So disclaimer, I'm not with Sprint, and I actually didn't know that Sprint was the only carrier to
not let you multitask, but now I do. But more importantly, he's sitting there telling me, oh, I can only help you log into the mobile app, I can only help you do this, I can't tell you the account number on the phone. But in the process, I never gave him my user ID, I never requested that from him, and he offers it up. I did request it at the end, and he just offers it up, to be helpful, to log into the mobile app. So now, as the attacker, I have their name. I may not have the password, but there are a variety of ways, some of which we'll touch on a bit later, to get that password. Once you already have the account access, you can probably find the email associated with the account online as well, and you can slowly build this robust profile, using the knowledge of other services and what you learn on the phone calls, to volley this into a much bigger attack.

So then I called back, because you can always get a sympathetic person. The noise in the background is a track of airport sounds, so if you need a compelling phone pretext, I recommend you turn to YouTube. There are crying baby sounds, or rent... I don't know, maybe you have a baby you can just use organically. You have a lot of airport sounds, a lot of loud keyboard clicks, so that really can seal it in, can really help other people be empathetic to your plight as you're storming to the next place. So I entered into this next compromise (I also did this with a shutdown) saying that my mortgage payment had failed and I needed some help to make sure that I could pay: I'm on the road, you know how bad it is if you miss your mortgage payment, apparently it happened last month too, so I really need to figure this out right now.

"As far as getting at the... without having to have the... The first and last name of our valued customer, is it on your account, please?" "Yeah, my name is Murdock. You know, it's really funny, that's actually my cousin's name." Good afternoon! Shout out to
Whitney Merrill, Whitney Maxwell, she's in the room. She did that exact line on her winning SECTF calls last year, so I was like, I'm going to give her a little shout out. Saying that somebody has the same name as you is an instant rapport builder; it invites them into your tribe, and now they feel like they have this connection with you. So I'm all like, oh yeah, I know that person, I have somebody with a similar name. Pro tip: if you do this, don't connect it to a nickname. Recently they were like, oh hey, my name's Ginger, and I was like, my cousin's name is Ginger but she goes by Jenny, and she was like, oh, and I was like, I did not realize that this was stepping on some toes. My bad.

So, back to this, man. "The first and last name of our valued customer, is it on your account, please?" "Yeah, my name is Murdock. You know, it's really funny, that's actually my cousin's name." "That is funny, it's an unusual name. Great, how may I help you today?" "So I'm in a little bit of a bind. I'm so sorry for the background noise, I'm actually traveling today. So I thought that I had my mortgage on autopay, but now I'm being told by my mortgage provider that my payment didn't go through and that they need to verify the account information, and I don't have access to my account number off the top of my head. I was hoping that maybe you guys could help me verify what my account number is." "I can go ahead and check our options over the phone. Can I confirm the address on the account?" "Yes ma'am, it is..." So we're getting a lot of the same questions; these are things I already know the right answers to. "Great, Miss Murdock, and what are the last four digits of your social security number?" "Ma'am, so I am not completely alone right now, because I'm surrounded by so many people. Is there some other way we can go about this?" "Okay, let me see. I can ask you three other questions on the account, they'll be random. Hold on, before I do that, what is your birthday, Miss Murdock?" "It is..." "What is the current balance
on your account, ma'am?" "I think it's like..." "You think, or you know? I need the exact amount, ma'am." "Okay, as of earlier it was..." "Okay, and what was the last charge on the account?" "Oh, that's easy, I just saw that, my monthly... that would have been..." "Wait. And finally, what city and state was the account opened in?" "It would have been..." "Thank you so much, Miss Murdock. The number on your account is..." Literally every time this happens my blood runs cold and I have to go take a 50-minute walk. "Yeah, thank you. Hopefully I can just go ahead and get this paid and it won't be an issue while on the road. Thank you so much." "Is there anything else I can help you with today?" "No, that should probably be it. I appreciate the time." "Thank you for being a valued customer. Have a good afternoon."

So suddenly, because we know all about these other pieces of information in my life, whether you found some... voter records are a super helpful place for OSINT. That's another service that we use: if we want to vote, we have to give them our information. You can find birthdays, you can find locations, you can find addresses through that. We know our monthly service providers, as we've already discussed; we know exactly how much our Netflix is, we know probably how much the Spotify is. And though this can be done in just the two or three quick calls that you guys listened to, really savvy and committed attackers will keep calling back until they get it. I've been in situations where I don't have the answer to some of the random questions, and so I have to call back and be like, okay, well, let's try this again. Maybe I don't know your horse's name, or maybe I do, depending on your Instagram use. So you have all of these very, very vulnerable pieces from different service providers that they may or may not realize exist. And quite frankly, it's not your bank's fault that you use Netflix, and it's not Netflix's fault that you charge that to the bank,
but it's incumbent on us as the users to pay attention to these things, to understand that they're happening, and to put our critical thinking hats on: where could the gaps between these services that we use exist, and how can we fix them?

So this is not a one-off. This happens with other services we use as well, so it's not just banks and subscriptions. That's a really fun one to use in the context of, I can actually pull this off as a case study for a talk, but it also really happens with phone porting scams. Essentially you call Verizon or AT&T, which you can find very easily on freecarrierlookup.com (who owns this number), and then you call them and tell them... there are oftentimes very, very, very few security controls on asking for your calls to be forwarded. Maybe you're going out of the country and you're not bringing your phone, maybe you're coming to Black Hat and you don't want to bring your phone. You call them and you ask, hey, for this week could I just have all my calls forwarded to this new number, and they're generally like, yeah, okay, that's fine. But what else do your phone calls do? What else are your phone calls used for? If you use Outlook, you can oftentimes do your two-factor with a phone call, and they'll call you and tell you, oh, here's the code, it is one one one one one, and you're like, oh man. So now suddenly these things start to snowball. And again, it's maybe a little bit the phone carrier's fault, they should not make that so easy, but they're not really thinking about your phone number, and calls to your phone number, being used for multi-factor authentication. Should they be? Maybe. Do they know? Should we? Absolutely. The other one is text messages. All network carriers use the same SS7 network to send text messages over, and it's relatively easy to intercept; there are a lot of vulnerabilities that affect text messaging. So now your two-factor authentication via your
text message, which I'm positive many people in the room know is not the preferred method (you should definitely go with token-based authentication methods when possible), but not all vendors allow that, not all financial institutions allow that. They're not like, yeah sure, go use Authy; they're like, we can either call you or we'll text you, and that's it, or we'll email you, and all of these have major problems with them occasionally. So this intersection between different services, be it Netflix and Black Mirror, be it your bank account, whatever these intersections are, is where we are going to lose our money, where we are going to get into desperate times. This happened with a ton of people with Coinbase Bitcoin wallets. Cryptocurrency is a huge target for SS7 interception and text message interception, and once your Bitcoin wallet is gone, it's gone, there's no tracking that down. So this is not a one-off. It affects almost all of our services, especially telecom and banking providers and financial institutions.

And another really great case study is in 2016: a group of children, basically (they are brilliant teenagers), a group of three 15 to 17 year olds who call themselves Crackas With Attitude. They were a hacktivist group, and their general messaging was that they wanted to free Palestine. To do this, they decided it would be a great idea to hack a bunch of three-letter agencies and also compromise the then-director of the CIA John Brennan's accounts, and they did this by using the lapses between different services. So what they did first was they called Verizon, his telephone provider, which they found out using Free Carrier Lookup or something similar. So they called Verizon and they were like, hey, I've got to do some maintenance on John Brennan's account, can you please confirm some account details for me, including the last four of his Visa card, including his handle; all the information they could
possibly get from Verizon, they got. And then even if somebody at Verizon reported that some shady stuff happened to Brennan's account, what would Verizon have done, and how would that have helped with any other vendor that they would then use that information with? There's really nothing that Verizon, in this day and age, could have done. So then they took all of that information, the last four of the account number, the birthday, the phone number, etc., and they went to his AOL account and they logged into his AOL account, and in his AOL account was all of the information from when he got on board at the CIA. Which, quite frankly, again, I don't know why people would do that, it's not ideal, but people do, your loved ones may, and sometimes in a moment of hairiness you're like, I'm going to forward myself this email because I need it on the road or whatever, and suddenly you have something sitting there that really shouldn't be there, but it felt like right then it was okay. So they took over his AOL account, they locked him out of it, and they found all of his onboarding documents and leveraged them against him. The kids have since been arrested, but it's a great example of how we can use these different services to essentially do account takeovers, get extra information, and really compromise and mess with someone's life. And I don't want any of you, or anyone I love, or anyone I know, to be one of those people who gets hosed because of this very nebulous gray area between services.

So, recap. Remember that any service or provider you use is only responsible for their own privacy terms, and quite frankly, as we have seen, they don't always do that super well. And so this leaves each individual to take care of their privacy themselves. If we look at something like the Equifax breach, that really underscores the necessity: Equifax is a service that adults did not say, I know what I want to do, I want to open an account with Equifax. That was not how that happened, and we all
know so many people were negatively affected by that breach. So we have to remember that all of these things touch our lives, whether we're constantly thinking about them or not, whether or not we're watching Black Mirror every night or what have you (Grace and Frankie, it's great). But all of the other little bits of our lives that are being logged, that are being looked at, that are being used, those are entry points into our lives, our well-being, our financial happiness, and they should absolutely be considered in your personal threat model and that of your family, to make sure that you're not John Brennan. He was the director of the CIA; he should have been a champion of professional decorum and security, and this really hurt him. So any of us are vulnerable. I truly believe that every person in the whole world, under the right circumstances, could be socially engineered to give information they didn't intend to give, and all of these wildcard people work at all of our vendors, and we are wildcards ourselves; we don't necessarily know when something's going to go sideways. So trying to maintain that active threat modeling mindset, and constantly staying on top of what could go wrong when we have the time to think about that, is extremely important to your longer-term well-being and that of your financial security and your family's financial security.

So own your own privacy. Sure, most people in this room do a great job of that, but social engineers' obsession with OSINT, open source intelligence, relies on poor privacy hygiene from users. Often it relies on those moments when you're excited, and sometimes that's hard to contain, but when you can't contain it, be very aware of what you're choosing to share with the world and who can see it. So recognize where individual services' privacy policies are supposed to cover you, try to recognize how they're actually covering you, and where they are not actually
covering you and like your vulnerability is in the connection of these privacy policies or one of them it is the most often overlooked in my experience and then question your role like the role in your own privacy question your role in your family's pop pop the privacy recognize that the surface is always changing the policies themselves are changing how organizations conduct business is always changing and how it affects you positively or negatively is always changing so make sure that you are owning your own privacy and you know try and do routine hygiene checks like pick a day every quarter or a day every month to say like what have I signed up for what is new what might have been shared did somebody else share something about me often times and there's information on you like maybe your aunt like uncle Joe tagged you in a photo on Facebook and it was public and then you can't go and untag that because Facebook's rules are ridiculous and so everyone can go and find out where you're tagged and now you know the world knows a little bit about yours and Joe's relationship and that's not your fault but it is very helpful to be able to explain to people why that might be a problem and why it might affect you or them negatively so what to do observe and analyze your actions and those of your loved ones you know like one of my best friends was saving passwords in a truly nauseating way we had to have a nice little sit down about sticky notes are not proper password management tools whether they're on your computer on your physical desktop like thank you don't share what subscription subscription services you use and I'm not saying don't share them with your mom or your sister your brother use your mom's or use your exes or whatever though it's probably like ill advised what I mean is like if you want to share a song that you really like publicly do you have to link it to the the service you actually use do you need to share it directly from Spotify or can you find it 
somewhere else if you're really excited and you really feel like you need to share how can you do this while protecting your own opsec if you do want to share a song or video like find a public link find something that doesn't show you're using premium dot spotify dot com and then use token based multi factor authentication use duo use Google Authenticator try and avoid the SMS and call based um two factor wherever you possibly can and then most importantly because that's not always possible make sure you call especially your telecom and your financial institutions call them and have them put a pass phrase or a verbal pass phrase or a pin number on your account try make that pin number at least six digits and in theory before any information is given over the phone they will have to ask you for that exact pass phrase or that exact pin number on this will prohibit things like call forwarding text message forwarding um and a lot of ways that SMS multi factor authentication is like circumvented um and also like please stay in touch um I love making new friends I really value friends so feel free to come see me say hi let's chat you can follow me on twitter at cat murdoch that O is a zero um and then email cat murdoch O is still a zero at proton mail dot com um I'd love to hear from any of you and then we hopefully have a few minutes for questions um so if anybody has any questions about the presentation other bit of curiosity I am all yours so just let me know plenty of time for questions and please walk up to the human microphone stand if you have mobility issues I will bring the mic to you join the party hi super big fan by girl um so my question for you is when it comes to like knowing the questions that they're going to ask do you just kind of wait to see if they ask him if you don't have that piece of information you're like okay like note that for later and try and come back and get it or like how do you find out all the questions that they're going to ask so 
that you can kind of decide your path to like gaining all that information. Yeah that's a great question so often times if it's for a client and you're doing it routinely or if you're an attacker and you have all the time in the world you'll call and you'll see what questions they're asking I typically personally like combat a lot of nerves when I do phone pre texting calls or pen tests or whatever by finding way too much information so I try and equip myself with all the information I can possibly find online sometimes you don't have that luxury but yes I will keep calling until I build out that like okay what questions am I going to get how can I find the answers to these questions and then can I call back up time to at least because generally they'll have a bank when I did policy review and had more insight into how it actually work usually they have a bank of a handful of questions and they're going to ask you some as a woman said like some number of those questions and so my hope is always to kind of be able to find like 60 to 70% of the answers because then the odds are in my favor and yes sometimes you don't have that luxury and you have to like kind of like BS your way through it we recently had to I had to reset a password and we had absolutely no indication of like what the questions would be but we knew there would be questions turn into a 30 minute call and they wanted asking me like who my manager was but the person I was impersonating was new and like this is not directly related to those but very much like how you find out these questions so I knew the person was new and I called and I just pretended they were like oh well what day did you start and I was like well I signed my contract like four months ago but I started really recently so I don't really know what it would be there and they're like oh actually it's not here like apparently because you are new like things got messed up and I was like cool yeah must be the case and then they kept asking 
like the next one was oh can you tell me your employee ID number and I was like well as I said I'm like in a Starbucks just met with like a potential new hire like I don't have that memorized like what else can we do and they put me on a hold like a number of times I was like surely unburnt and they'd come back with another question and it got to the point where they're like well who's your manager I named someone else in HR that I'd seen online and they're like well that's not your direct manager and I'm like okay um and I was like well what about this person who's like the like head of it all they're like no you poor dumb thing and I was like yeah I don't know what I'm doing um and so they went so far as to call my manager and pull him on the phone and asked him to verify my voice to which he said yeah that sounds like her and I was like what so a lot of it is perseverance because I would be lying if I said during one of the like seven moments he put me on hold I didn't want to hang up real bad because I was just like there's no way this is going to work and then at the end we like pulled it out and he gave me this passphrase I raised the password and we got in it's like that took 30 minutes I cannot believe it worked um so it really comes back to like that tenacity and you do call and you make sure that like you know what as many of the questions as you possibly can and maybe you'll look out and it'll be the ones you know off the top of your head I did try for the sake of this like be really authentic and I didn't like I only used information that I had called and obtained or I know you could value fine online it was an interesting it was an interesting experiment. 
Thank you uh so just to flip this around a bit have you had any experiences where you called a call center and it was effective security so something that they did maybe an OTP via SMS I don't know um or something like that where you thought hey that's that's pretty secure maybe I'll move on money here. Yeah absolutely I mean some some institutions have really robust security questions um and that can like you're just not going to find them online and some people are super well trained and you will have them say like we are instructed to not give the account number over the phone because that is typically what they're not supposed to do but you know maybe you're a new mom and you called somebody who was once a new mom and so now she's like oh your babies crying like I know this pain and it's like a little bit terrible feelings like prey on those emotional times but like in those moments if there is not something as binary as I cannot access the information on the account until you give me this until you tell me this passphrase or pin number um that is a really effective way but honestly the effective security aspect tends to be removing the information from the teller until they get proper authentication like don't let their emotions be manipulated or influenced um so on on the screen the most effective thing I've seen is like I cannot see your information until you give me this one answer because if they can see it then now they have a choice as to whether or not they reveal it so if you have like a pop up that says here's the question and you must put the answer in before the teller or who or the call the person who received the call just they just literally cannot see anything until you get the one or whatever very secure question correct and that is the most effective security I have seen like repeatedly. 
Just to follow up that's primarily okay right what that's primarily knowledge based questions and answers but have you seen anything technical like an Authy push notification or Google Authenticator OTP in your experience? From my perspective specifically with financial institutions or telecom companies I have not seen that on like the person to person level um like with I haven't even seen it on the corporate accounts quite frankly but I'm not saying it couldn't exist or hasn't been implemented some places since I tested them or maybe it's a place I've never tested but in my experience I have not found anything that is that technically advanced um to protect you like end user accounts sadly it's a great idea I'd love to see if you think. Hi great talk really enjoyed it. Thanks. Um I guess I have a follow up kind of that as well as the original question which is that a lot of those like OTP token based authentication systems I would think you'd run into a situation where like for example my phone you know it got erased for some reason and now it's basically collapses into the same threat model as before where now I can basically get them to remove that second factor from my account so that'd be a scenario I'd be worried about but one of my my original question was uh is there a kind of a breach boundary style approach that you would recommend like you know you mentioned before having burner emails um one thing that came to mind when I was listening to your talk was like oh if I just used uh different credit cards for different types of services where oh maybe they can go and figure out like how to compromise my whatever card but not my other not my debit card for example like is there an approach that you would recommend um so first off gonna give like Michael Basil a plug he just released his new book that is like how to be invisible in America um like a guide to privacy and if you really want like expert level privacy tips go read his stuff because he is truly 
amazing and also maybe like a bit extreme and extra but like power to him because yes you absolutely could you can also go and you know you can withdraw cash and go and buy the prepaid credit cards and buy them for a year and use that for Netflix so like Netflix will not be able to leak information about you uh you can use proton mail you can actually like create and spin up like a fake Gmail account because they're like usually you're supposed to have another email address and or phone number to start up a Gmail account um but if you can put in your phone number and then later remove it in settings um and so then you have like a semi disconnected Gmail account that is immediately like uh service provider to typically like oh it's a Gmail that's pretty like that's pretty legit because they have all these precautions in place um so you can do that like absolutely you can obfuscate it you can put your house in a trust so the mortgage is paid um not in your name and that's not a way to find out your address there are tons of like little ways that you can absolutely improve your personal privacy and your personal privacy posture um you can make um you know like even do like a 33 mail email which will allow you to put like infinite subdomains at the start of like username at subdomain dot 33mail dot com um like all these could like um this casual advice could still be linked back to your identity but it would keep your you know crown jewels and your finances secure um and so that would be if you really want to go to that level I would say like go get cash get your you know Amex points from like a little Amex card from Kroger or wherever you shop for groceries and then you can be like alright I'm gonna put 10 times 12 like dollars on this so I have the exact amount I need for a year and then I'm gonna set an alert on my on my phone to make sure that I like re-up to a different credit card of the year mark or whatever you would have so there are absolutely ways you can 
get around it and there are definitely ways that you can like increase your security it also comes down to like back to the end users having choice how much time do you want to put into it like where is your baseline risk also like if you use instead of using your debit card like I'm not endorsing anybody go out and get a credit card to rack up a credit balance but uh credit cards like American Express will often like they don't they they will protect you know your information slightly better they will generally like give you your money back if something bad happens to your money because of one of these things um and so I you know I appreciate the vendors who are like yeah crap happens like I'm gonna help you not feel the negative effects of this quite as much oh they'll never hear you on the recording does the recurring payment on a prepaid card work I was under the impression that that like they check against that now on a phone or an account I was talking more for like the service accounts though like if you were to go to the supermarket get like a prepaid AMX like could you buy Netflix with that I thought like they don't like that because it's used for like money laundering or something um potentially I'm I cannot currently speak to like every single person like every provider's policies on what types of cards they will or will not accept but like also these subscription services also have their own gift cards that you can also buy with cash so like if they say boo hiss I don't like this card because the digits say it's temporary um then just be like alright well instead I bought this Netflix gift card with cash loophole so yeah absolutely and I mean sometimes people will not like sometimes uh feels won't like certain email addresses because they feel shady or like with Gmail you can put a plus sign at the end of your username and have like limitless usernames but some vendors are like oh I don't like this because I know that you can make like limitless 
usernames so you definitely have to say on top of what specific vendors requirements are and they do constantly change um I even like with my gym I did the plus thing on an email address and now they have put up a precaution that says like oh you can't use the plus sign rule and so now I can't reset my password at my gym because it says that it's not a valid email address and I was like oh this is a weird loophole I've gotten myself into so yes there are moments where it's like non-ideal and you have to continuously like if this is a commitment you want if this is if you depending on how secret secret squirrel you want to go um it does take a bit of work and a bit of maintenance but to not lose you know all the money in one account or making sure you keep that money in separate accounts if you lose a little bit like there are multiple strategies for how to keep yourself safe but I recommend investing a little bit of time in those things instead of relying on the vendors do it for me because that clearly has a lot of a lot of areas for improvement in their privacy policies and how they interact with one another all right thank you so very much thank you guys so much for coming out I really appreciate you all