Skip to Content
News

We asked a hacker to try and steal a CNN tech reporter’s data. Here’s what happened

I share, therefore I am.

I am the kind of person who posts Instagram photos (filtered, of course) from my vacation. I am also the kind of person who tweets about buying an overly-expensive piece of furniture because I fell for a sleek online ad about how it would change my life.

I am basic.

Thing is, I thought my social media posts merely betrayed my desperate need for attention and likes. It turns out, though, that they’re also a goldmine for hackers.

Using two of my posts — an Instagram check-in at a hotel on the west coast of the United States and a tweet about a piece of furniture — a hacker was quickly able to get my home address and my cell phone number.

How? Both the hotel and the furniture company handed my personal details to the hacker over the phone.

Logging into our social media and email accounts online can be an ordeal. We’re often asked for a password, a second code that is texted to our phone, or sometimes the answers to anxiety-inducing personal questions like the name of our first girlfriend (who was definitely not imaginary at all, thank you very much).

But there are still basic and important vulnerabilities hiding in our daily lives. Data breaches and hacks get all our attention, but a hacker with a good phone persona and a few basic tools can trick customer support agents from major corporations into handing over a shocking amount of private information and more.

I let one of these hackers do this to me recently. And I’m here to tell you, it’s disturbingly easy for them to do —even to someone like me who covers technology. It’s a lesson for all of us: be careful to think about what you’re sharing on social media and how that information can be used against you, and next time you’re on the phone with your airline, hotel, or bank and they let you access your account, think about the questions they are asking you. If they’re only asking for your birthday and email address to verify that you are who you say you are, ask if they can add some additional security to your account — maybe they could put a note on your account to require a special password or send you a verification code. Many companies don’t have an option like this, unfortunately, but it’s worth asking.

Here’s what happened to me: In Las Vegas this August at DEF CON, one of the world’s biggest hacking conferences, I met with Rachel Tobac.

Tobac is a celebrity among the DEF CON crowd. For three years in a row she has been among the winners in a competition in which hackers attack a company live in front of an audience of hundreds in Vegas — and do that hacking entirely over the phone.

Tobac and her competitors in the contest call up major corporations, often claiming to work in the companies’ IT department. Tobac is not a coder, but she has been doing improv since she was 10 years old. By tapping into those skills — and using some other forms of deception, like an app that can change her voice to make her sound like a man — she convinces the person on the other end of the line to hand over private information.

This type of hacking is called social engineering.

But Tobac is one of the good hackers — the kind typically known as a “white hat.” (The bad ones are called “black hats.”)

She works with companies to run what are called penetration tests to discover and show them where and how they may be vulnerable to social engineering hacking.

I asked Tobac to hack me.

Without having my password, and without hacking into my email account, she was able to get my home address, my phone number and steal my hard-earned hotel points. In perhaps the cruelest act of all, she was even able to change my seat on my five-hour flight out of Vegas, moving me from a spacious exit aisle to a middle seat at the back by the restrooms.

She did all this by using some information she found about me online, like which airlines I fly with and what hotels I stay at — because I tweet about them.

Then, using that information, she called up some of my favorite companies, using software to make it appear as if she were calling from my phone and a voice changer so that she could sound like a man if she needed to. It sounds complicated, but it’s worryingly easy to do.

To get my home address, she called up a furniture company I had tweeted about. Tobac claimed she was my wife and that she wanted to check that the company had my correct home address on file before she placed another order. She deliberately gave the wrong address and the person on the other end of the line corrected her with my full home address.

That simple.

She was also pretty easily able to convince a hotel I had checked into on Instagram to hand over my phone number.

Tobac isn’t trying to embarrass these companies: she wants them to start using the type of authentication processes on the phone that they use online. She says some of the biggest airlines and hotel chains are leaving open a massive vulnerability — and failing their customers — by not doing so.

Rather than a telephone customer service representative asking for my date of birth to confirm my identity (a piece of information Tobac or another hacker could easily have), Tobac suggests companies should send a code to the phone number or email address they have on file for that customer and have them read back the code over the phone.

That’s easier said than done, however. Often airlines get calls from customers who are in a travel emergency. Asking someone to take a few extra seconds to root out an email with a code in it might dissuade customers from flying with the airline in the future.

It is the ultimate consumer protection dilemma — we all want to be secure, but we also want everything to be easy.

Tobac hopes she can start convincing corporations and consumers that making things a little more difficult is worth it.

In the meantime, I have stopped tweeting about everything I buy. I still check in at hotels though. Gotta get those likes.

CNN