@golemwire lmao where do you see those words? Please send me a screenshot. This was originally posted on Twitter and is very much not AI generated so that's wild LinkedIn would claim that.
*Account Takeover Prevention Guide* If you watched the SEC account hack that moved markets yesterday & wondered how to prevent account takeover for your personal, business, or high profile social media account, here's an Account Takeover Prevention Guide for you and/or your org.
Article link (no sign on should be needed to view):
Let's discuss the 23andMe data leak -- what happened & what can we do about it?
*What happened in this data leak?* Cyber criminals were able to find passwords that were involved in other breaches online and use a method called “credential stuffing” to attempt those previously breached and reused passwords on 23andMe to log in as other users. Unfortunately, most folks reuse their passwords across many sites and apps, and when those passwords are stolen they can be used to gain access to your account anywhere else the password is used online. The attackers took the passwords from other breaches, stuffed them into 23andMe and then used an opt-in feature called DNA Relatives to enumerate genetic data of similar groups. 23andMe doesn’t yet appear to be hacked itself; rather, the formerly breached passwords reused by the 23andMe users allowed the attacker to gain access to user accounts by logging in as the user and stealing sensitive genetic data.
*What can organizations proactively do to prevent similar intrusions?* Companies have options to help their users avoid account takeover. First, haveibeenpwned.com allows for integrations with sites to warn users if their password is reused and findable online in a previous breach. This helps prevent users from reusing their passwords on a website. I highly recommend that companies use the haveibeenpwned integration to prevent password reuse on their own site — because remember, everyday folks don’t understand the difference between a credential stuffing attack that leads to account takeover and data leaks vs the site itself being hacked/breached with malware, etc. It’s in an org’s best interest to prevent password reuse on their site to avoid the negative impacts of data leaks no matter what (because a data leak will impact a brand regardless of the attack method in use).
Second, using a website without MFA on should feel like driving a car without your seatbelt on — obvious and with a clear next action. If your users don’t have MFA on, make it extremely clear and easy to turn MFA on. I thank Jen Easterly & Bob Lord for the seatbelt analogy.
*What can individuals do to limit their risk of account takeover on sites?*
1. Avoid password reuse. Use long, random, & unique passwords on each site, generated and stored by/in a password manager. Or use passkeys anywhere they’re offered to avoid passwords altogether.
2. Use the right MFA for your threat model/digital literacy on every site & tool you use. For many people, that’s at least app-based MFA. Even SMS 2FA is better than nothing for many credential stuffing focused attacks. FIDO solutions are a great match for many people — I personally enjoy using Yubico YubiKeys.
3. Sign up for haveibeenpwned.com to get alerts when your usernames, email addresses, or passwords turn up in a breach, then change those passwords immediately and ensure MFA is on those accounts.
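The haveibeenpwned integration mentioned above, as an added example that is not from the original posts or from HIBP itself: a sign-up/password-change check against the Pwned Passwords range API (k-anonymity model, so only the first 5 hex characters of the SHA-1 hash ever leave the server). The `fetch_range` helper makes a real network call; the sample range response and its breach counts are constructed so the offline check below runs without network access.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) locally and return the
    breach count for our suffix; 0 means not found (padding rows also carry 0)."""
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        other_suffix, count = line.split(":", 1)
        if other_suffix == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Fetch the real range for a hash prefix (network call, not used offline)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-policy-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def password_is_breached(password: str, fetch=fetch_range) -> bool:
    """True when the password appears in the breach corpus; reject it at sign-up."""
    prefix, suffix = sha1_prefix_suffix(password)
    return breach_count(suffix, fetch(prefix)) > 0


# Constructed sample reply for prefix 5BAA6. The first suffix is the real SHA-1
# suffix of the string "password"; the counts and other rows are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1E5D0B93F3F0682250B6CF8331B7EE68FD9:0
00A1B2C3D4E5F60718293A4B5C6D7E8F9A0:3
"""


def check_with_sample(password: str) -> bool:
    """Offline variant of password_is_breached using the constructed sample."""
    return password_is_breached(
        password, fetch=lambda p: SAMPLE_RANGE_5BAA6 if p == "5BAA6" else "")
```

In production, call `password_is_breached` at registration and password change and show the user the breach count as the reason for rejection.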
The MGM attackers claimed they used one of the easiest ways to breach/ransom a company, a method I use often in my hacking:
1. Look up who works at an org on LinkedIn
2. Call Help Desk (spoof phone number of person I’m impersonating)
3. Tell Help Desk I lost access to work account & help me get back in
While we wait for attack method confirmation, I’ll say that the attack method they claim worked for them does indeed work for me. Most orgs aren’t ready for phone based social engineering.
Most companies focus on email based threats in their technical tools and protocols — many are not yet equipped with the social engineering prevention protocols necessary to catch and stop a phone based attacker in the act. Teams need protocols to verify identity before taking action.
The 1st teams I go after when hacking are the folks who deal with requests from people constantly — IT, Help Desk, Customer Support, etc. I often pretend to be an internal teammate to convince them to give me access, and I usually start with phone attacks bc they work fast.
Email phishing attacks can get caught in good spam filters and reported. The soft spot for many teams is the folks who handle the phone call requests. There’s a perfect storm: lack of verification protocols, easy spoofing, compensation tied to how fast they handle requests.
Questions to ask internally to see if your team is prepared to catch this attack:
- Do the folks who handle requests from team/customers use identity verification protocols?
- Do we rely on knowledge based authentication? DOB + caller ID matches ☎️ number in system, for example.
- Are our IT/Help Desk/Support teams compensated or promoted on the speed of saying yes to requests? Have we incentivized time for security protocols in Support?
- How do we verify identity first?
Remember, most folks at work want to do a good job, and oftentimes “good work” means “fast work”. We can’t expect every employee to be able to come up with their own identity verification protocols on the fly — it’s our job to provide the right human protocols to catch this fast.
We’ll need to wait to learn the details of the attack and get confirmation. In the meantime, I can tell you I compromise orgs w/ the exact phone attack the attackers claim to use and many orgs don’t have phone call based identity protocols to catch it yet.
Update your phone based identity verification protocols to catch account takeover attempts! You know your org best & there’s no one size fits all. You can move from KBA (like DOB) to OTP on 2nd verified comm channel, call back to thwart spoof, service codes, pins, and much more.
After hacking & educating orgs on how they can catch me, the biggest task I spend my time on is updating verification protocols to spot me next time. It’s maddening to get caught on their new identity verification protocol on the next pentest but there’s also nothing I love more. More details here: https://x.com/RachelTobac/status/1701801025940971792?s=20
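The verification questions and the KBA-to-OTP/call-back upgrade path in the thread above, as an added example that is not part of the original posts: a hypothetical help-desk policy evaluator for access requests. Caller-ID match and DOB/employee-ID answers are logged but never counted, factors that touch a device, number or manager the org already verified do count, and a call-back always goes to the number on file, never to one the caller supplies. All factor names and the ticket fields are assumptions for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

# Signals a phone-based impersonator can look up or spoof; recorded, never counted.
WEAK_SIGNALS = {"caller_id_matches_record", "knows_dob", "knows_employee_id"}

# Factors that involve something the org already verified (registered device,
# number on file, manager on a verified channel, issued service code/PIN).
STRONG_FACTORS = {
    "otp_to_registered_device",
    "callback_answered_on_number_on_file",
    "manager_confirmed_on_verified_channel",
    "service_code_or_pin",
}

# Actions that give the caller a persistent foothold require two strong factors.
TWO_FACTOR_ACTIONS = {"mfa_reset", "change_recovery_contact", "new_device_enrollment"}


@dataclass
class Ticket:
    action: str                      # e.g. "password_reset", "mfa_reset"
    evidence: set = field(default_factory=set)
    number_on_file: Optional[str] = None      # from the directory, not the call
    number_caller_gave: Optional[str] = None  # offered by the caller; ignored


def callback_number(t: Ticket) -> Optional[str]:
    """Only the directory number is ever dialled; a caller-supplied number would
    let a spoofed caller 'verify' themselves."""
    return t.number_on_file


def decide(t: Ticket) -> tuple:
    """Return (approve, reasons) with weak signals stripped before counting."""
    reasons = []
    weak = t.evidence & WEAK_SIGNALS
    if weak:
        reasons.append("not counted: " + ", ".join(sorted(weak)))
    strong = t.evidence & STRONG_FACTORS
    need = 2 if t.action in TWO_FACTOR_ACTIONS else 1
    if len(strong) >= need:
        reasons.append(f"approved with {len(strong)} strong factor(s) for {t.action}")
        return True, reasons
    nxt = f"call back on {callback_number(t)}" if callback_number(t) else "route to manager"
    reasons.append(f"need {need} strong factor(s), have {len(strong)}; next: {nxt}")
    return False, reasons
```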
Here’s how I used AI to clone a 60 Minutes correspondent’s voice to trick a colleague into handing over Sharyn's passport number. I cloned Sharyn’s voice then manipulated the caller ID to show Sharyn’s name on the caller ID with a spoofing tool. The hack took 5 minutes total for me to steal the sensitive information.
So, how do we protect ourselves, our loved ones, and our organizations?
1. Make sure the people around you know that caller ID is easily faked (spoofed) and that voices can also be easily impersonated.
2. If they receive a dire call from “you”, verify it’s really you with another method of communication (text, DM, FT, call, etc) before taking an action (like sending money). Kind of like human MFA.
Some suggest setting up a secret “verification word” with their loved ones so that if someone impersonates & demands money/access etc you can ask for the verification word to see if it’s a real crisis. This won’t work for all people but could work for some. If it’s a match, use it.
In general, I recommend keeping advice simple: if the premise of a call is dire, use a 2nd method of communication to confirm a person is in trouble before taking action (like wiring money or sensitive data). Rapid text, email, DM, have others message repeatedly — before wiring money.
Bottom line is: Scammers use urgency & fear to convince victims to take actions (like sending money, data, etc). If the premise of a call, text, email, or DM is too dire (or too good to be true), that’s a likely scam. Use a 2nd method of communication to check it’s real before taking action!
Hacker, CEO of SocialProof Security: security awareness/social engineering training, vids, talks, tests, 3X @Defcon🥈, Chair of the WISP board, Tech Advisory Council for @Cisagov