You have stolen about two and a half thousand dollars' worth of hotel points, and worst of all, you have put me in a middle seat? On a five-hour flight. Oh, my God, and they just let you do it? Yeah. I am here in Las Vegas for two of the world's biggest hacking conferences, and for some reason I have agreed to be hacked. I'm meeting Rachel Tobac, who specializes in a special form of hacking called social engineering, and I'm very nervous. I feel like I know pretty much everything about you. I instantly don't trust you. Am I going to be safe for today, thanks to you? You and every other customer will be safer today, thanks to what you're willing to let me do. Well, let's get started, I guess. Okay. You want to assume that everything that you put on social media is public. Information that can be found in places like this can be used to authenticate you with different companies. Do you remember this tweet? Yeah. I used this to gain access to your current address. What? What I did is I called up this furniture company right here, and I basically said, "Hey, we're going to buy another one of these pieces of furniture, but I need to make sure that I don't accidentally have the wrong information on the account." They said, "No. I mean, you ordered something a while ago, but the thing that you ordered, we shipped to this address." Yeah, I think I got his updated address, which is pretty scary because that happened in 30 seconds. I got your current address, I got your birthday from Twitter, I called like pretty much every business that he ever listed that he used on his Twitter or Instagram. What you have to understand is when you do that, I now know which companies you use, and I know which companies to call as you. What did you get from the boutique hotel? Your phone number, and email address. They gave you my phone number? Mm-hmm. I'm going to be doing these phone calls. I'm going to be actually live hacking. 
When I call, your phone number is going to display on their caller ID. This is Donie O'Sullivan. Who are you really? No, this is Donie O'Sullivan. I can tell you my address, phone number, date of birth, whatever you need to know to verify that that's really me. That's wild. I am on the road right now and I'm having trouble getting access to my Internet, but I need to transfer points to my friend for her bridal shower. Hopefully, you can help me out over the phone. I have all the information. I have 90,000, is that correct? So the first and last name is Rachel Tobac. Oh, they've been transferred? Okay, fantastic. Thank you. Have a great day. Bye. Are your points gone? They're gone. That is crazy. When you call this airline, it's going to be coming from my number? Yes. As you know, I've lived in Vegas. I'll put you in the middle. I'm trying to do this personal essay thing, so can you move me to a middle seat in the back of the plane? I know you don't get that request a lot. Oh, perfect. Okay, so it's a row right before the last row and it's in the middle seat? You're in the back of the plane in middle seat. I had an exit aisle. I know. He picked it up saying, "Mr. O'Sullivan, how can I help you?" If I was not sitting here with you, and didn't know they said, "Well, sir, you called up and requested this," I would flip. Think about how much you have to do to get into your accounts online. You have to have a password, two-factor. We're basically living in the dark ages on the phone compared to how hard it is to break into accounts online. Until these companies learn to change their authentication protocols, there are certain things you can do to help protect yourself. Remove your geolocation tagging when you're on Instagram, Twitter, Facebook. There's just no need for people to know exactly where you're staying at those places. 
After that, I would say, products that you buy, services that you've purchased, help that you try and get online like on Twitter, that you probably don't want to do privately, so maybe in DMs, because I'm just going to call them up as you and try and get your information. I think the most important thing is that I'm not going to victim blame you. Yes, sure, there are things that you can do to make my job a little harder. Ultimately, it is the company's responsibility to keep their customers' data safe, and updating their authentication protocols over the phone is a really good way to start. I'm sorry about that, Donie. Well, I'm so glad I agreed to this, Rachel.