CISO at @sardineai. Treasurer of @OWASP Board of Directors. (he/him) qatta' mIghtaHghach.

Phoenix, AZ
Joined July 2009
Excited to learn about pickpocketing, lockpicking, social engineering, and historic cons at @Layer8Conf
Replying to @_mwc @thevowel
I have swag from someone (they called it a USB condom), but I haven’t used it because I charge my battery pack and use the battery pack to charge my phone.
Depends on the threat model, but some companies use “voice prints” for phone authentication, some require you call from a known number, and similar. And some will require you show up in person if there’s a physical location (eg local store, bank, etc).
True, a phone call doesn’t in itself stop fraud, but the benefit of a phone call is that it can be recorded, so you’ll have a fraudster’s voice, plus you can validate other factors such as the phone number, voice, etc, and it prevents abuse at scale - can’t be automated.
Replying to @aloria
When I moved to Luxembourg, my US bank had my European address on file. One of their security questions is to enter my 5-digit zip code. Luxembourg zip codes are 4 digits. Their advice was to refresh the page until it asked for another identifier.
Replying to @SimonaCode @rakyll
Oh I agree, it just gets tricky for sites obligated to validate real names (eg KYC in banking). For sites that don’t have those obligations, then it’s a matter of preventing fraud. Absent those concerns, sites should make it easy, lots of reasons why names change.
Replying to @SimonaCode @rakyll
Depends on the service. If an attacker takes over your account and changes your name to theirs, they get the degree/certificate/award, or they pick up your purchase, etc. Or the reverse, they change their name on their account to yours and collect your payments, etc.
Replying to @HollyCoats
“Insurmountable” will put your brain into avoid mode. Focus on important individual items and recognize that you may not get it all done. If there’s more than 35 hours of work for the week, you’re wasting time working more. Some say 4hrs/day is the max. inc.com/jessica-stillman/thi…
Insightful report on the state of phishing and malware (by @Cofense) cofense.com/phishing-threat-…
Replying to @mdennedy
If US Citizenship begins at birth, are all those pre-borns illegal aliens? spokesman.com/stories/2019/m…
I’ll be there! Excited to learn more about pickpocketing.
Good morning!! In just 8 days on June 8 will be the Layer 8 conference! We can't wait to see you there! layer8conference.com #SocialEngineering #OSINT #Lockpicking #CTF #MentalHealth #Networking
@lisamhamp Thank you for your very informative presentation today!
Livestream today 4:15pm Pacific: "What the Loss of Net Neutrality Means for Democracy and Innovation" Speakers: Congresswoman Anna Eshoo FCC Commissioner Jessica Rosenworcel Reddit CEO Steve Huffman Stanford Law Professor Barbara van Schewick cyberlaw.stanford.edu/page/l…
Safety in Numbers - Part 2. Don't miss his demonstration using his special assistant toward the end! youtube.com/watch?v=yliqHuTH…
Safety in Numbers - Part 1. Don't miss his clip of Star Trek! youtube.com/watch?v=utxI5qyg…
That brings us to present day. I don't know what Cresta is up to now, but her story is a fascinating peek into the chaotic landscape that is the security industry. Thanks for reading! #end
Cresta then went back to her roots and joined Trust Guard, which offers a product similar to the original ScanAlert. Her tale of entrepreneurship at Trust Guard is featured in the @Microsoft and @Inc "Road to Rapid Growth." info.microsoft.com/rs/157-GQ…
Instead of giving away free iPhones and $1000 gift cards, they collected personal details to sell, and funneled the traffic to additional offers. They were ordered to pay their profit of $356,950, but it was suspended because they couldn't afford to pay.
Cresta's time at eCommerce Merchants did not turn out well. The FTC investigated the company (and named Cresta as a defendant) for sending millions of spam text messages that deceptively claimed recipients could get free iPhones and $1000 gift cards. ftc.gov/enforcement/cases-pr…