[HN Gopher] Facebook hacker beat my 2FA, bricked my Oculus, and ...
___________________________________________________________________
Facebook hacker beat my 2FA, bricked my Oculus, and hit the company
credit card
Author : tosh
Score : 384 points
Date : 2021-08-20 18:57 UTC (4 hours ago)
(HTM) web link (codewriteplay.com)
(TXT) w3m dump (codewriteplay.com)
| EMM_386 wrote:
| > Would I kick off the arbitration process to get that shut down?
| I'm actively exploring the possibility.
|
| DO IT. Please, do it.
|
| While it's a damning write-up, words won't change anything.
| Lawsuits might.
| tomhallett wrote:
| I had someone contact me on Facebook marketplace, we agreed upon
| a time/price and then they asked for my phone number (which I
| sadly gave them). Then they said "I'm going to text you a code,
| so I can verify you are legit". The text I got was from Google
| Voice's 2FA.....
| optymizer wrote:
| How would someone use that code to hack into my GV account?
| Wouldn't they also need to know my password or have access to
| my e-mail account to login or to reset your password?
| TomVDB wrote:
| They don't.
|
| They want to link a new GV account to a real phone number
| that is not theirs, so that they can use the GV number for
| other scams.
|
| It only works when your phone number doesn't already have a
| GV linked to it.
| bagels wrote:
| Wouldn't the victim have to send the code back to the
| scammer for it all to work?
| teraflop wrote:
| Because OP specifically mentioned Google Voice, my guess is
| that it was a phone number "ownership" code, rather than a
| 2FA code per se.
|
| The attacker was probably trying to create a _new_ Google
| Voice account forwarding to OP's phone number. They could
| then use the new GV account as its own "legitimate" phone
| number in order to engage in other scams.
|
| (Alternatively, OP's password might have already been
| compromised, and this was the last stage of a targeted attack
| by someone trying to get into their account.)
| Jolter wrote:
| I don't use GV, but presumably if they can make Google send
| you an auth SMS then they have already input your password.
| I'm guessing it was leaked in some big password leak, and not
| phished at an earlier time.
| TomVDB wrote:
| This is very common scam. AFAIK it's a way to create a new
| Google Voice account (linked to your phone number) with the
| goal of using that account for other scams so that they can't
| be tracked.
|
| I fell for it, but since I already had a Google Voice account
| linked to that phone number, it didn't work for the scammer.
| But he didn't realize that it didn't work.
|
| I quickly realized that something wasn't right (and Googled the
| mechanics of the scam) and then was able to waste his time for
| another 30min.
|
| The reason I fell for it was because they use a text message
| from Google in some African language, so I didn't immediately
| realize what was going on. Still dumb to not pay more
| attention...
|
| But it taught me to not list my phone number in the open on
| Craigslist.
| WolfRazu wrote:
| That foreign language thing is genius. I've never heard of
| that before.
| FrameworkFred wrote:
| oh dang...good to know
| wil421 wrote:
| This happened to my mother in law but luckily she was wise to
| the scam. She said the reply was almost immediate.
| shkkmo wrote:
| The last time I posted something on craigslist for sale, the
| majority of responses were trying to get me to send them 2fa
| codes.
| cmattoon wrote:
| I can't tell you how many obviously-fake profiles and scammers I
| report, and see other people commenting about reporting, only for
| them to still be around days, weeks, sometimes even months later.
|
| All of these were obvious scammers directing traffic to a single
| profile - some forex guru or whatever. Shilling get-rich-quick
| schemes doesn't meet Facebook's definition of "spam", apparently.
|
| https://imgur.com/a/xihRPwE
|
| What a garbage app.
| neonate wrote:
| https://archive.is/jZQNs
| albertgoeswoof wrote:
| Fascinating blog post. However I don't know why it took him so
| long to reach out to Facebook support, everyone knows that to get
| your account unlocked you just need to write a viral blog post
| about your experience and use your existing popularity to ensure
| someone at Facebook reads it, realises you're not one of their
| typical peasant end users and unlocks your account for you.
| Applejinx wrote:
| The interesting question is whether this process still
| functions if you're identified as a person of interest to
| Facebook.
| [deleted]
| jeffbee wrote:
| I don't think Facebook 2FA is terribly secure. They definitely
| err on the side of usability. I was using TOTP on Instagram and I
| forgot to backup my Google Authenticator before wiping my iPhone.
| But I was then able to just go to the settings on a logged-in
| device and disable 2FA without 2FA. And it wasn't like I had
| logged into that device recently, either. I only had to 2FA
| Instagram once, years ago.
| zmmmmm wrote:
| I really think for the Oculus side of this, they should be on the
| hook for refunding a significant portion of the cost of the
| user's Oculus library when they ban the account.
|
| This would put the cost of a ban to Facebook for real users in
| the order of hundreds of dollars which is more than enough to
| have a support person do a realistic evaluation of the situation.
| It also reflects the non-recoverable portion of the cost to most
| users - you can sell the headset, but you can't transfer the
| value of the library to anybody. That is a straight up and very
| significant financial loss.
|
| While other aspects of the ban policy are obviously still very
| problematic, the fact that an arbitrary ban that is caused by
| actions outside the user's control can result in hundreds of
| dollars of losses sits at a whole different level and _should_ be
| legally problematic for Facebook.
| SevenSigs wrote:
| > they should be on the hook for refunding a significant
| portion of the cost of the user's Oculus library
|
| If the purchases were < 6 months ago, I would do credit card
| charge backs...
| RIMR wrote:
| Or have ban groups. Ban someone from having a Facebook profile,
| buying ads, sending Messages, or having an Instagram profile
| based on their behavior on those respective sections of the
| site. Maybe disable a person's multiplayer capabilities if they
| have a reputation for harassment.
|
| But let them keep their hardware running, and access their game
| library.
|
| Seems good for business, tbh. You might not want neo-nazis
| posting whatever they want on their profiles, but who cares if
| they're buying video games?
| judge2020 wrote:
| This is another good part of steam - even if your account is
| banned from the entire community for site-wide spam, you don't
| lose access to your game library.
| loeg wrote:
| > refunding a significant portion of the cost of the user's
| Oculus library when they ban the account
|
| This incentivizes abusive behavior by users who want refunds,
| and cheapens the cost of abusive behavior. This mechanism was
| discussed in relation to OnlyFans somewhat recently -- creators
| that wanted to ban abusive "fans" had to refund them.
| (Unfortunately, I don't have a link handy.)
|
| The problem here is that Facebook couldn't tell OP had been
| impersonated by an abuser -- as you say, "actions outside the
| user's control."
| dkdk8283 wrote:
| That's ok with me - FB has enough money.
| [deleted]
| LegitShady wrote:
| stop giving facebook money
| unyttigfjelltol wrote:
| So in this story Facebook was responsible for $50 of charges, a
| business disruption and a huge and ongoing hassle. And Facebook
| refuses so much as to pick up the phone to discuss it. In the old
| days the equivalent would have been one of those roach motel
| businesses rated 'F' on the Better Business Bureau, buckets
| arrayed on the floor to catch rain leaking through the roof. And
| yet in _this_ day it's one of the most profitable businesses in
| the world. Weird.
| shortstuffsushi wrote:
| This is largely my thought too. This exact story we've seen
| repeated how many times now? What is the outcome? It seems the
| users are left in the lurch, having lost access to their
| accounts and any associated resources without any recourse, and
| that's that. The end. What will it take to have them create
| some mechanism for recovery?
| lotsofpulp wrote:
| >What will it take to have them create some mechanism for
| recovery?
|
| People valuing it sufficiently to choose an alternative (and
| most likely paying for an alternative) over the benefits of
| free access to an established network.
| captainmuon wrote:
| There are many motels, but Facebook has a monopoly on facebook
| accounts. If you could make a facebook account somewhere else,
| you could "take your business elsewhere".
|
| Last I checked, FB actively banned using their APIs to build a
| competing product. I wish the government would make it
| _mandatory_ to offer federation if you had, say, more than a
| million customers. But alas, governments rarely do what's
| convenient for customers.
| kapp_in_life wrote:
| That's pretty silly. Should I be able to use Amazon APIs to
| host reviews for my competing ecommerce site? Or be able to
| proxy user search requests to google and then intersperse my
| own advertisements in the results for my web search service?
| potatolicious wrote:
| > And Facebook refuses so much as to pick up the phone to
| discuss it.
|
| It's part of the business model - each FB user generates so
| little revenue for the company that you can't afford to offer
| anything resembling "real" support channels. The company is
| massively profitable by sheer scale - by making a small amount
| of money per year off of a vast number of users.
|
| This applies to Google as well - or really any ad-based
| engagement-centric business. Your individual users aren't worth
| enough to have human-intensive labor assigned to them, hence
| heavily automated support channels and little to no ability to
| ever have something processed by a human.
|
| One of many reasons I pay Google to host my email rather than
| use a free Gmail - when you are generating a non-negligible
| revenue stream suddenly companies' willingness to answer emails
| and pick up phones increases.
|
| When it comes to FB there's often the pithy "when you're not
| paying for a service you're not the customer, you're the
| product" - which is a simplistic take. In this case though at
| the very least this is true: "when you're not paying for a
| service your support needs are dead weight".
| mavhc wrote:
| Facebook revenue per US/Canada user per year ~$160
| lookalike74 wrote:
| I got Google One just for the telephone customer service
| option. They weren't very helpful for my needs in particular,
| but I think most people would appreciate the phone option for
| the $2+ a month it cost.
| xondono wrote:
| > One of many reasons I pay Google to host my email rather
| than use a free Gmail - when you are generating a non-
| negligible revenue stream suddenly companies' willingness to
| answer emails and pick up phones increases.
|
| If you think that makes any difference, I wish you good luck.
| Google is unreachable for support, even if you are a paying
| user.
| milkytron wrote:
| In this case though, the customer did buy a product, the
| Oculus Quest.
| jokoon wrote:
| I think they are at a point where they would rather side with a
| scammer since they generate more money from this situation.
|
| I guess they have data that shows this particular kind of user
| will almost never buy ads ever again, so at least let a scammer
| do it.
|
| You're right, this is weird, but if you look at the profit
| model, it makes sense, and there are no laws that would really
| protect the user.
| jokethrowaway wrote:
| Those transactions are likely to be reversed thanks to the
| practically unlimited chargebacks practice which is rampant
| in our banking system.
| nijave wrote:
| Sure but then the question is "Should we leave an account
| with history of compromise in place that will lead to
| chargebacks or should we just permanently disable it"
| OneLeggedCat wrote:
| Exactly. From the article, "Personally, I think it's very
| telling that Facebook acts so swiftly to block out the
| original user who can stop an ad scam, and so slowly to stop
| a scam ad that they can still bill for."
| pjc50 wrote:
| Leaving aside the fact that they are profitable _because_ of
| the zero cost service, like Ryanair, we should consider how
| many businesses only have the standard they do because of
| consumer action through the media.
| cs2733 wrote:
| Companies like Facebook are as big as Nation States.
|
| Any positives that come out of this for the author are just a
| Facebook PR move. If they did care about users, their support
| system wouldn't be so anti-user.
| kbenson wrote:
| It's trite at this point that someone will respond that the
| users aren't the customers, they're the product, but it's
| trite because it's often correct, and deserves to be said, so
| I guess I'll be the one to say it this time.
|
| The sad thing is that this person actually _is_ a customer
| because they bought a product and pay for things on it, but
| Facebook still doesn't realize that, or more likely these
| customers are such a small amount of their revenue they just
| don't care (and don't think it matters for growth of this
| area or don't care about that growth).
| shkkmo wrote:
| The problem with "if you aren't a customer you are the
| product" is that frequently you are still a product even if
| you are a customer.
| ballenf wrote:
| > this person actually is a customer
|
| That's the reason the "you're not the customer" line is
| just a distraction.
|
| It totally misses the point that Facebook doesn't have
| customers any more than any other first world power has.
| Facebook has treaties with governments and follow laws when
| it's less costly than breaking them.
|
| FTC actions are like one country taking another to the WTO
| -- not something to ignore, but not really threatening
| either.
| jokoon wrote:
| Facebook seems to be "too big to fail", at a point where their
| game theory is "the scammer is generating profits for us, so
| letting some of our users get scammed is something we can let
| happen".
|
| It's pretty scary. I think they're really willing to let facebook
| die off and just keep instagram and whatsapp, I think that's
| their strategy.
|
| Even facebook dating is buggy and not worthy of a giant like
| facebook. Maybe it's how GAFA will start to decline.
| fitzroy wrote:
| What is the point of setting up a hardware or Google
| Authenticator-type 2FA solution when most companies will fallback
| to SMS? Is there a way to prevent the SMS fallback (last I
| checked it was 'No' for most sites except maybe Google if I
| remember, and then you still had to go in and manually delete
| it)?
|
| Does a master list exist of companies that don't use SMS, or
| allow the user to exclude it? Otherwise it seems like most 2FA is
| just opening up a much easier attack vector (social engineering a
| phone number port) vs guessing a long, random, unique password. A
| password manager with browser plugin (or iCloud Keychain) mostly
| solves the phishing issue if you stop a second to think on the
| rare occasions when you need to manually copy/paste because of a
| weird subdomain or partner domain.
|
| I've been 'about to' set up 2FA for over a decade now, but it
| always seems like a bad idea.
|
| Edit: Also, who's to say customer service agents won't/don't
| fallback to sending an SMS reset code even if the account
| supposedly requires a dongle or app for 2FA.
| nijave wrote:
| It seems like the places that rely on SMS generally don't have
| hardware 2FA. Or, most websites that allow configuring multiple
| 2FA methods support disabling SMS
|
| The ones that let you configure a single MFA method or single
| with backup are usually where I run into issues, personally
|
| For instance, on Github, I have 2x U2F tokens and paper
| recovery codes but there's not even a phone number configured
| on the account
| Y_Y wrote:
| 2FA (is supposed to) mean you have both factors, not one or the
| other. It's strictly more secure than either alone, even if SMS
| sucks.
| someguydave wrote:
| > What is the point of setting up a hardware or Google
| Authenticator-type 2FA solution when most companies will
| fallback to SMS?
|
| One possible point is that you could still log in somewhere
| that has internet but no cell service
| beezischillin wrote:
| This is what I'm worried about, to be honest. Not necessarily
| getting hacked but just getting flagged, banned and burned with
| no recourse.
|
| This is why I commented on an article here some weeks ago that if
| they ever offered any paid user experience they'd be in trouble
| because they'd actually have to help their users with their
| issues.
|
| These tech companies should offer actual support the moment you
| spend money with them with some actual recourse to solve
| problems, especially if it's caused by them. It's insane to me
| that they can just go and run away with your money or burn your
| account at a moment's notice, even when it's just some automated
| filter going crazy. At the bare minimum something like Amazon has
| should be the standard the moment you operate a paid digital
| software repository or sell a digital service or ads. Losing your
| investment should not happen to you unless you're a really
| blatant abuser and if you're the one getting abused your bank or
| credit card provider should never be your only line of defense.
|
| I'm baffled that they have not been in any real conflict over
| this with any consumer protection agency for any of our
| governments.
| jsnell wrote:
| Here's my guess at what happened:
|
| How was the account hijacked? Via cookie theft. The author
| installed malware, maybe some dodgy windows binaries or malicious
| browser extensions. No amount or type of 2FA on sign-in will
| protect you against the session cookie being stolen. (Now,
| additional 2FA on sensitive actions might).
|
| Why was the account banned with such finality, with no chance
| of appeal? Probably for something outright illegal, like the
| hijacker uploading CSAM to the account. It's totally plausible
| that in an obvious enough case, the policy is e.g. to refer the
| case to law enforcement and keep the account disabled.
|
| Why did the attacker want to get the account permanently
| disabled? Maybe an account disable doesn't stop ad campaigns on
| FB. So the attacker sets up an ad campaign, and then gets the
| account banned so that the owner can't reverse it.
| jokethrowaway wrote:
| The attacker should have replicated the browser fingerprint and
| IP on top of stealing the cookie - or just flat out used his
| computer remotely while he was sleeping.
|
| I haven't used FB in a while but I remember login from other
| places were detected.
| jsnell wrote:
| If the session cookie was stolen, there's no new login to
| detect and send a security notification about.
| EMM_386 wrote:
| Can't they detect that the session cookie is coming from a
| different IP than the one it was originally issued to?
| qwertox wrote:
| A carrier-grade NAT could make you change IP address. TOR
| will do it. You would cause yourself more problems if you
| would start to bind a session to an IP address.
| nijave wrote:
| Yeah and turns out CGNAT is ubiquitous among U.S. mobile
| phone carriers (which is a huge market for Facebook)
|
| IPv6 privacy extensions are generally considered a
| feature
| tobyjsullivan wrote:
| Technically that's possible but there would be too many
| false-positives. People would be signed out every time
| they took their laptop home from a coffeeshop or
| connected over a mobile hotspot.
| wolpoli wrote:
| Yes. Facebook has implemented features to try to keep
| their users signed in, even if the user indicates that
| they want to sign out. Therefore, Facebook wouldn't want
| to sign people out if they go to a coffee shop.
| [deleted]
| ricardo81 wrote:
| >cookie theft
|
| I think that's quite likely. I have a (somewhat throwaway) FB
| account, not much of a profile and mainly used for a local
| cause. Co-admining a page I'd clicked on a clickbaity headline
| posted to the page and several days later my account was
| disabled.
|
| The account recovery process was completely broken/circular but
| somehow the account revived itself after a week.
|
| The fact that my 'friend suggestions' were untainted by a
| friends list seemed to confirm the hack as all my suggestions
| were from people in an entirely new continent.
|
| No ads/CC attached to the account.
| drummer wrote:
| That is correct; ads keep running while account is blocked.
| bob229 wrote:
| Just delete fb already
| cwkoss wrote:
| Facebook's walled garden around oculus is really disappointing.
| Updates frequently broke mods, and the last time I tried to get
| it working again my Quest got bricked. Need to try factory
| resetting or something to see if I can get it working again, but
| it's left such a bad taste in my mouth I'm considering just
| selling it instead and buying a better VR system.
|
| The only people I've heard have positive experiences with the
| Quest either:
|
| - haven't had it for very long, or
|
| - use Virtual Desktop or sideloading to break out of the walled
| garden. And are willing to frequently repair the issues that
| arise after frequent breaking updates.
|
| I predict that gap in the fence will be closed off and non-Oculus
| Store games will no longer work within the next two years and
| Quests will be junk. Please consider other options if you're
| thinking about buying oculus.
| SrslyJosh wrote:
| > I've gone from a position of caution about Oculus + Facebook to
| a position of "Run, don't look back."
|
| As if this wasn't an obvious problem.
|
| Relying on any of Facebook, Twitter, Instagram, TikTok, etc. for
| _anything_ is a risk. Doubly so if it involves your business or a
| product that won't work without permission from $PLATFORM.
| drummer wrote:
| Aah yes, another day, another user fucked by fuckerberg. When are
| people going to learn?
| tibbon wrote:
| For those who have worked at Facebook - why in the world are
| their policies like this?
|
| Why is customer support so... unfriendly and unhelpful? No
| escalations possible? No way to reach anyone?
| dataviz1000 wrote:
| How to become a Facebook power user: go to
| https://www.facebook.com/deactivate and follow the instructions.
| mdoms wrote:
| You told your wife to get some sleep at 11:30am?
| tedivm wrote:
| > my wife who works remotely overnight
| rsync wrote:
| In other news, I built and deployed a "2FA Mule" last weekend.
|
| It's a stock android phone with no google account and no apps
| installed except for "SMS Forwarder"[1].
|
| It is configured to forward all SMS to an email address via
| encrypted SMTP. This means that I can receive these 2FA codes
| anywhere I have Internet access - such as an airplane or newly
| arrived in a foreign country where my SIM card does not work.
|
| The "2FA Mule" itself is plugged in at my office in a corner.
|
| I'm not employing this for anything sensitive but it's
| interesting to consider that I can use SMS based 2FA while
| divorcing it from my day to day SIM identity ...
|
| [1]
| https://play.google.com/store/apps/details?id=com.frzinapps....
| breakingcups wrote:
| So the email address is not 2FA secured?
| rsync wrote:
| It's my own mail server. I just tail the mail spool ...
| danlugo92 wrote:
| Could be his email address uses OTP or U2F, which would make
| it secure.
|
| If anything SMSs are much more dangerous than OTP and
| services should eschew them.
|
| Sadly some of them still force you to have SMS.
| qntty wrote:
| Do you pay for a separate phone line for the mule?
| Symbiote wrote:
| In many countries, a pre-paid phone costs almost nothing to
| keep active.
|
| I keep a UK number for some 2FA systems, it costs about
| PS0.10 per year. I just have to send an SMS every 6 months to
| keep the line active.
| [deleted]
| danlugo92 wrote:
| Nice.
|
| Will actually go this route in the future.
| nijave wrote:
| Google Voice works for many services which is protectable with
| 2FA (hardware tokens) and accessible most anywhere in the world
| --you're at the mercy of Google, though
|
| That should help against SIM swap attacks
| dheera wrote:
| Nice. I do something similar but forward it to Slack.
|
| I also have it auto-answer 2FA calls and automatically hit the
| # key.
|
| Yeah, call it not real 2FA, but it's really companies that
| choose to not use U2F are at fault.
| rsync wrote:
| "I also have it auto-answer 2FA calls and automatically hit
| the # key."
|
| One year at defcon - maybe 20 years ago - the speaker told an
| anecdote about a user who had set up a webcam and put their
| RSA token under it.
|
| And we all laughed ... "haha what a dummy ... I can't believe
| users are so stupid" ...
|
| But _secretly_ I thought it was genius.
| dheera wrote:
| Oh I've done that too before. If they only give me one RSA
| token and no backup, then that's what i do.
| cortesoft wrote:
| U2F is great, but these companies want to be able to provide
| 2FA for people who won't/can't have a dedicated hardware
| device for 2FA.
| dheera wrote:
| Yeah but (a) by not supporting U2F they suck (b) I don't
| want them to use 2FA as a magic excuse to get my phone
| number
| madars wrote:
| > I want to start by pointing out I use two-factor authentication
| just about everywhere and Facebook is not an exception.
|
| I wish he'd mention what kind of 2FA. The reason you _really_
| should use U2F/WebAuthn is that it does origin binding, which,
| unlike entering a TOTP or a code from your hardware
| token/authenticator app on your phone/SMS/etc., is not phishable,
| i.e. you can't enter it by accident on
| accounts.google.com.totallylegit.ru and then have them enter it
| on real accounts.google.com. This is so because the U2F/WebAuthn
| security key signs a request, sent by your browser, which embeds
| the requesting page's domain, so a signature on attacker.com will
| not pass victim.com's verification checks, whereas a code from
| your authentication app is trivially copied.
| Scaevolus wrote:
| Beating 2FA is almost always SMS hijacking, but sometimes it's
| social engineering where the attacker has figured out just the
| right script to tell support ("oh, I dropped my phone and it
| won't turn on...") to get it disabled.
|
| edit: correction, beating 2FA _without phishing_ -- like in the
| post where he lost his account while asleep.
| only_as_i_fall wrote:
| How does an sms hijacking attack typically work? I know sms
| isn't secure, but how does one go from having a password to
| bypassing the sms confirmation? Is it as easy as having the
| number and carrier?
| cinntaile wrote:
| Don't they just hijack your number with the help of the
| telecom company's helpdesk?
| ImuMotive wrote:
| It happened to me. Cellular carriers, in my case T-Mobile,
| didn't require any confirmation to port a number to a new
| phone/sim.
|
| Eventually some required the last 4 of your social security
| number to port a number, which we all know at this point
| are pretty much public anyway.
|
| T-Mobile now lets you set an arbitrary pin, which my
| parents promptly set to their DOB :facepalm:
|
| I haven't looked more into it, but as far as I know, sim
| swap/port attacks were hilariously simple to execute which
| is why I only use SMS verification when it's the only
| option.
| [deleted]
| Wowfunhappy wrote:
| You might want to edit out what your parents set their
| pin to! (You can email hn@ycombinator.com if you're past
| the edit window.)
| scrose wrote:
| I accidentally 'hijacked' a number by typoing one number in
| my online request. I only found out after my wife pointed
| out my number was different after porting. It took a couple
| hours with the telco's support agents, and practically no
| verification steps, to actually get my correct number back.
| Very sad state of affairs here.
| cinntaile wrote:
| Google is better than all other alternatives in that regard.
| They have a feature called Advanced Protection where you add
| your 2FA U2F keys and if you lose them your account is gone.
| No social engineering possible.
|
| https://landing.google.com/advancedprotection/
| pinum wrote:
| "If you lose your key and are still signed in on one of
| your devices, visit account.google.com to add or replace a
| key. Otherwise, submit a request to recover your account.
| Google may take a few days to verify that it's you and
| restore your access."
|
| I trust that it would be (potentially much) harder than
| normal, but it still seems to be possible.
| cinntaile wrote:
| I was under the impression you were screwed in that case,
| thanks for pointing out that I was wrong. It's lot less
| secure than I thought.
| withinboredom wrote:
| IIRC, Google will stop the "several day process" if you
| log in at any time.
| someguydave wrote:
| Still sounds like a significant barrier to most phishing
| attacks.
| josephcsible wrote:
| > if you lose them your account is gone
|
| IMO, this is way too extreme for almost everybody. There
| needs to be some sort of happy medium so that a person
| who's lost everything they own (e.g., house fire) can get
| their account back somehow still. Two ideas I had:
|
| 1. When you set up your account, provide your legal name,
| date of birth, and a photo. If you need to reset 2FA, go
| somewhere in person with a government-issued photo ID
| (which we already have procedures to replace) that all of
| the details of match.
|
| 2. When you set up your account, provide 5 trusted
| contacts. If you need to reset 2FA, get 3 of them to agree.
| jaywalk wrote:
| If you choose to opt-in to Advanced Protection, you can
| keep a backup hardware token somewhere outside of your
| house.
| josephcsible wrote:
| My concern with that is that if something happened to the
| off-site token (e.g., ESD damage, or even just random
| failure over time), I may not realize until I needed it.
| greggyb wrote:
| If you would like to take advantage of such an option,
| you are also opting in to taking on an operational
| burden. That burden is exactly maintaining a set of
| backup keys and testing them on a regular basis.
| lotsofpulp wrote:
| >If you need to reset 2FA, go somewhere in person with a
| government-issued photo ID (which we already have
| procedures to replace) that all of the details of match.
|
| Very few people are going to want to pay for this labor
| if the perception of risk of using a free account is as
| low as it is now.
| josephcsible wrote:
| What about giving people a choice like this to pay for
| the labor? Either pay $1 per month for your account, and
| then this service is free for you whenever you need it,
| or have a free account, but then this service costs you
| $1000 if you ever need it.
| lotsofpulp wrote:
| That would be nice, but I imagine there's a perception
| problem with that.
|
| Simply offering the option would bring the risk to the
| forefront of people's minds, and once you start
| exchanging money, lots of other thoughts and liabilities
| begin to enter.
|
| If it is kept free, then the conversation ends there.
| [deleted]
| hn_throwaway_99 wrote:
| Oddly enough, Google's Advanced Protection _is_ the gold
| standard in my opinion, yet Firebase Auth, an Auth-as-a-
| Service product from Google, only supports SMS as a second
| factor, which is baffling to me.
| hn_throwaway_99 wrote:
| > Beating 2FA is almost always SMS hijacking
|
| That's most definitely not true, as someone who works in this
| space. Plain old phishing is much more common, where the
| hacker tricks a user into entering their code into a
| malicious website.
|
| To echo OP, this is why it's important to support non-
| phishable types of 2FA.
| Flatcircle wrote:
| I wondered about this in regards to Crypto and NFTs in the
| digital wallet space. It seems like Metamask with a Ledger
| wallet is standard, but I have a theory that if you're not
| sophisticated and you get into Crypto/NFTs, it may be
| safer to just use Coinbase Wallet, as it is a less popular
| target than Metamask and you're able to leverage Coinbase's
| ongoing security updates. And if you're not sophisticated,
| you're just as likely to lose your stuff via user error
| with a hard wallet set up.
|
| Just don't click on giveaways and never enter your secret
| code
| baxtr wrote:
| Could you describe the types that are non-phishable?
| tialaramex wrote:
| WebAuthn (or its predecessor U2F but that's obsolete, so
| in green field deployments do WebAuthn) is the only
| practical non-phishable second factor for ordinary users
| on the web.
|
| You can do this two ways, one of which will make more
| sense for your web site:
|
| 1. PCs/ laptops/ etc. can use little USB hardware
| devices, from outfits like Yubico, the word to Google or
| type into your preferred hardware source is "FIDO"
| although if you have spare cash and like cool toys FIDO2
| is a more capable second generation of the technology.
|
| In this situation the FIDO authenticator is your second
| factor. Your web browser takes responsibility for telling
| this authenticator which web site you're looking at, and
| it's just a dumb machine, so from its point of view
| _obviously_ refunds-my-bank.example isn't mybank.example
| because those strings are different. The FIDO
| authenticator just does whatever the browser tells it.
|
| This could be attacked by specialist malware, but it's
| tricky because the FIDO authenticator wants you to take
| physical action to trigger authentication, so the malware
| needs to not only tell the authenticator "Yeah, I'm
| totally er, Internet Explorer, and I need you to
| authenticate for mybank.example" but also persuade you to
| press the button or whatever to make it happen.
|
| Or I guess bad guys can be like "please FedEx your FIDO
| dongle to us" if people really are that dumb, but then no
| need for phishing, just call people "Hey, I'm the IRS,
| send me $5000 in unmarked bills, in a FedEx box marked er
| cat food for some reason that totally makes sense, to a
| residential address in a different state, yeah".
|
| 2. High end smartphones, the sort with a fingerprint
| reader, can do the same exact trick using that
| fingerprint reader (I think some iPhones do facial
| recognition instead?) to do WebAuthn instead for their
| onboard browser.
|
| In this case the smartphone is in charge of everything,
| it knows which web site this really is, it knows if
| that's really your fingerprint or not (the fingerprint
| never leaves your device) and it decides whether to send
| credentials.
|
| For machines it's much easier to do a secure transaction,
| but machines don't fall for a lot of phishing scams.
| jrockway wrote:
| > PCs/ laptops/ etc. can use little USB hardware devices,
| from outfits like Yubico
|
| This is actually built into most computers now -- Windows
| Hello, and Apple has something similar. Websites can
| check the attestation response to specifically block
| those, however. (Seems like Github allows it, and I've
| written code that allows it.)
|
| > I think some iPhones do facial recognition instead?
|
| Yup, they use whatever you use to unlock your phone. So
| if it's a FaceID phone, you can use FaceID to log in. You
| can also hold up your NFC Yubikey to the back of the
| phone and use that, even if you registered the key over
| USB on a PC! It's really, really good.
| laurent92 wrote:
| Can you hold your NFC Yubikey to the back of an iPhone? I
| thought Apple didn't do NFC, apart from ApplePay?
| xoa wrote:
| Your recollection was correct but is now a few years out
| of date. As is typical for Apple, they intro'd it (in 2017
| IIRC) as a 1st party dogfood item, starting read only.
| Then in 2019, iOS 13 allowed far more power, including the
| full range of two-way authentication capability. Yubico
| blogged about it [0] after the announcement, and Apple's
| HIG on use of NFC [1] is also available. Also, Safari
| itself needed to have support added, but that too is now
| available.
|
| So old workarounds like using the lightning port are no
| longer necessary, though AFAIK are still supported. It's
| nice to have it there as well since to really be most
| effective every platform a user has needs to support
| hardware 2FA. If something still needs SMS or OTP or
| whatever that becomes the weakest link.
|
| ----
|
| 0: https://www.yubico.com/blog/yubico-ios-authentication-
| expand...
|
| 1: https://developer.apple.com/design/human-interface-
| guideline...
| nimih wrote:
| My NFC Yubikey works fine with my iPhone 8.
| aj3 wrote:
| And of course client side certificates. It's a pity they
| are rarely available as an option on public websites.
| fossuser wrote:
| Yubikey is one - it requires the user touch a hardware
| device which signs something locally that I think is
| never sent? I don't know enough of the implementation
| specifics, but it's supposed to guard against this kind
| of thing.
| laggyluke wrote:
| Yubikey is actually pretty "phishable", at least in the
| OTP mode. It will happily put the token into a phishing
| website (or literally anywhere else) as soon as you touch
| it.
|
| It's also good to know that Yubikey's OTP tokens don't
| expire based on time, but based on a hidden counter that
| gets incremented with every issued token.
|
| So if you've accidentally touched your Yubikey and leaked
| the token publicly, you just have to log out and then log
| back in using your Yubikey - that action will invalidate
| all tokens issued before this point.
| greggyb wrote:
| Yubikeys (or at least some models) can be configured with
| multiple different OTP implementations. Yubico's own OTP
| implementation behaves as you have described. It is not a
| guarantee that generating an OTP from a Yubikey means you
| have generated a Yubico OTP.
| 1024core wrote:
| What happens if the Yubikey goes bad? I use one for work,
| and the last 2 keys I had developed some hardware issues,
| and stopped responding, so I had to get a new one.
| rob-olmos wrote:
| The recommendation is to have at least one backup key.
|
| There's also a WebAuthn extension in the works to at
| least make it easier to maintain a backup key by not
| having to pull it out of the safe every time you register
| MFA with a new service:
|
| https://www.yubico.com/blog/yubico-proposes-webauthn-
| protoco...
| klodolph wrote:
| YubiKey uses U2F and FIDO2/WebAuthn. The YubiKey also
| does a lot of other things, depending on which YubiKey
| you have... but if you want 2FA on random websites, those
| are the most likely protocols (used for GitHub and the
| like).
|
| The basic U2F + FIDO2/WebAuthn is the least expensive
| model, around US$25. These days it works seamlessly on
| Chrome, Firefox, and Safari.
| dmoy wrote:
| So, popping up three comments, this explains which types
| of 2FA are not phishable:
|
| > I wish he'd mention what kind of 2FA. The reason you
| _really_ should use U2F/WebAuthn is because it does
| origin binding which, unlike entering a TOTP, a code from
| your hardware token/authenticator app on your
| phone/SMS/etc is not phishable, i.e. you can't enter it
| by accident on accounts.google.com.totallylegit.ru and
| then have them enter it on real accounts.google.com. This
| is so because the U2F/WebAuthn security key signs a
| request, sent by your browser, which embeds the
| requesting page's domain, so a signature on attacker.com
| will not pass victim.com's verification checks, whereas a
| code from your authentication app is trivially copied.
| anamexis wrote:
| The first comment in this thread describes why U2F is
| unphishable.
| UncleMeat wrote:
| Another poster has mentioned it, but I will add weight. This
| is super ultra mega wrong.
|
| Phishing SMS and TOTP codes is _way_ more common than SIM-
| swapping. Outrageously so. SIM-swapping does not scale. You
| need to call up a company each time you want to do it. Yes,
| it works. But you cannot sell a tool that just automates it.
| In comparison, there are many off-the-shelf phishing kits
| that fully automate SMS and TOTP 2FA theft.
| mushishi wrote:
| How is it possible that some kind of imaginative script can
| be enough to get SMS sim swapped? Why aren't the operators
| requiring a strong identification via a passport or something
| like that? Maybe I'm really dumb but that just boggles my
| mind, whether or not there exist other types of alternatives
| to 2FA.
| Destitute wrote:
| There's not much you can confirm over the phone, except the
| account PIN and sometimes security hint. But an attacker
| can pretend to have forgotten it and press that the matter
| is urgent. If the attacker knows enough about the person,
| they might be able to convince an agent to make the swap so
| the agent can:
|
| 1) Get on with their day to maybe hit a support request
| quota
|
| 2) Make sure this person doesn't give them a bad
| customer satisfaction score
| cinntaile wrote:
| You could require verifying your identity using your
| electronic ID if you want to simswap by calling the
| helpdesk.
| InitialLastName wrote:
| Wouldn't that be obvious to the victim the moment their phone
| didn't work? Or will the carrier leave the old SIM activated?
| withinboredom wrote:
| IIRC, in the US, they sometimes just give the old SIM some
| random phone number (to keep you paying the bill) and don't
| cancel the line. In the EU, I'm pretty sure they cancel the
| old line.
| wunderwuzzi23 wrote:
| Old school phishing is the most common MFA bypass.
|
| Here is a description how it works:
|
| https://github.com/wunderwuzzi23/KoiPhish
|
| Unless you use Yubikeys (webauthn) etc these phishing attacks
| just continue to work. I do consultancy in this space at
| times and about 95+% of folks who enter their password will
| also enter their MFA token.
| hackettma wrote:
| Followed the link and the readme is a bit spare on details.
| For the less technical this still would require the phishee
| to manually enter credentials which then can be relayed to
| the attacker. Correct? The article mentions this happened
| while the author was asleep -- any thoughts on how that
| would work?
| FabHK wrote:
| I might be tempted to enter the TOTP, but my browser is
| unlikely to enter the password, and I definitely won't.
| ignoramous wrote:
| > _...has figured out just the right script to tell support
| ("oh, I dropped my phone and it won't turn on...")_
|
| Isn't this _vishing_? https://youtu.be/BEHl2lAuWCk
| xsmasher wrote:
| No; phishing / vishing is contacting the customer to get
| login details. Contacting support and getting them to
| circumvent security is social engineering.
| loloquwowndueo wrote:
| It's probably worth faking having lost your 2FA and asking
| for it to be reset. If you find out they are this careless
| with 2FA-protected accounts, you should probably not rely on
| it too much.
|
| I manage an authentication and identity provider and if
| someone gets locked out of 2FA and can't prove their identity
| via a previously-uploaded gpg key, they get locked out for
| good. I never honor requests to reset the device sent by
| email, no matter how much they beg or offer to prove identity
| by sending copies of official IDs - I don't care who they are
| _now_, I care about them being the same person that set up
| the account and 2FA, which can only be proven via a valid 2FA
| device or a GPG signature.
| jokethrowaway wrote:
| It could be worth it to spend the $1.50 on Stripe to do
| identity verification with ID documents for accounts of a
| certain size, so that they can present those documents
| again to regain access to their account.
|
| Re-enabling the account after a certain period of time
| without activity would also be a good measure (on top of
| the ID verification).
| ceejayoz wrote:
| > It's probably worth faking having lost your 2FA and
| asking for it to be reset.
|
| I'm not sure I trust that I'd be as good an attacker as a
| professional, and there's not a great way to replicate
| "hang up, call again" approaches likely to work with a big
| org.
| samstave wrote:
| > _Beating 2FA is almost always SMS hijacking_
|
| How exactly does this get executed? I'm pretty technical, but
| I can't fathom exactly how this occurs;
|
| You hijack a cell tower, then have some system to listen to
| un-encrypted SMS traffic??
|
| Plz ELI5
| ev1 wrote:
| It's zero cost and zero effort to port someone's number
| out, or get a new SIM card issued for the existing account.
|
| I've worked with a bunch of streamers and YouTubers, and
| the threat model is such that people have shown up with
| professionally made printed fake IDs to attempt hijacking
| in an actual retail carrier store.
| FabHK wrote:
| In this case it seems the author was asleep, so it was probably
| not a phishing site passing on the legitimate TOTP.
| encryptluks2 wrote:
| What you're describing here isn't exclusive to hardware tokens,
| and nothing prevents software from checking the domain when
| using TOTP.
| madars wrote:
| How? TOTP does not embed the domain, as it is generated on a
| separate device which does not communicate with your browser,
| and does not know the target domain. TOTP is literally
| HMAC(shared-secret, time-interval) mapped to a short range
| (e.g. mod 10^6).
| encryptluks2 wrote:
| > it is generated on a separate device which does not
| communicate with your browser, and does not know the target
| domain.
|
| No, not always and many password manager solutions do
| integrate with your browser and know the domain for the
| password.
| madars wrote:
| Then that's not TOTP
| https://datatracker.ietf.org/doc/html/rfc6238 but
| something different. Do you know what it is called and
| which products support it? I'd love to read up about it!
| encryptluks2 wrote:
| Yes, it is TOTP:
|
| https://github.com/tadfisher/pass-otp
| valid_username wrote:
| Bitwarden has TOTP support in paid plan. And it works
| with browser extension which recognises domains.
| theshadowknows wrote:
| For work things I often have to enter a code from one or
| another app that expires every few seconds. I've always
| wondered how exactly that works. Where might I go to find out
| about that? Is it as straightforward as googling "how two
| factor authentication works" or is there some other
| terminology?
| cs2733 wrote:
| They're called Timed One-Time Passwords or TOTP and they're
| one form of 2FA
| nine_k wrote:
| You mean TOTP?
|
| Imagine a hash function that generates a number from the
| number of minutes since epoch hashed additionally with some
| seed. You have it on the server, you have it on your, say,
| phone. When you enroll you share a seed for the generator.
| Since your time is synchronized, the server knows what
| value(s) to expect, and the phone knows which value to
| generate.
|
| The real scheme is a bit more involved:
| https://en.m.wikipedia.org/wiki/Time-based_One-
| Time_Password...
| quadrifoliate wrote:
| A simplified and inaccurate version:
|
| - You and I share a secret at my first login. Let's say our
| shared secret is "wibble".
|
| - For any subsequent successful login with my username and
| password, for the second factor I send you the last six
| digits of the SHA1-hash of ("wibble" XOR current timestamp)
|
| - You calculate the second factor yourself as well by doing
| the same operation (you have stored "wibble" for my username,
| and know the current timestamp), and verify those last six
| digits. If they are wrong, I am an attacker!
|
| An accurate version:
| https://datatracker.ietf.org/doc/html/rfc6238
| recursive wrote:
| How is that possible? Codes from authenticator apps I've seen
| are 6-digit decimal codes. I don't know much about how it
| works. But I can't see how this is immune from mitm. I pretend
| to $SERVICE and ask you for your authenticator code. If you
| fall for it, you'd give me the code, which I can use to
| impersonate you for the next 30 seconds.
| jeffbee wrote:
| That's why they said you should use U2F, not TOTP.
| recursive wrote:
| I'm not aware of the acronyms, but I was responding to
| this:
|
| "a code from your hardware token/authenticator app on your
| phone/SMS/etc is not phishable"
|
| That certainly seems like it's wrong, and doesn't include
| an acronym other than SMS.
|
| But apparently there's more depth to this space than I was
| aware of.
| krastanov wrote:
| You misread that statement and the excerpt you copied
| completely changes its meaning if you remove the
| surrounding. Read it as:
|
| "U2F/WebAuthn is secure because it does origin binding
| which is not phishable, unlike entering a TOTP or a code
| from your hardware token or authenticator app or SMS"
|
| Putting the original parenthetical in between the start
| and end of the main clause definitely makes it easy to
| misread. I just moved the parenthetical to the end of the
| sentence.
| ianburrell wrote:
| U2F/WebAuthn doesn't use six digit codes. You plug in USB
| key, press button on top of key, and browser does exchange
| with key and passes result to site.
|
| The exchange between browser and key includes the domain of
| the site. It only works on the same site where you registered
| the key.
| madars wrote:
| Codes from those apps are typically TOTP: a deterministic
| output given a shared secret (e.g. from QR-code during the
| setup procedure) and current time interval, e.g. HMAC(shared-
| secret, time-interval) mod 10^6. This does not embed the
| domain. However, U2F is a completely different protocol that
| does: you'd typically insert a YubiKey in a USB port and tap
| a button on it when the browser sends "plz sign a request
| from login.bank.com" (+ other associated data) https://develo
| pers.yubico.com/U2F/Protocol_details/Overview....
|
| (Note that most YubiKeys also support non-U2F modes, most
| commonly HOTP (HMAC(shared-secret, counter); counter +=1))
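An added example, not from any commenter or from Yubico: HOTP/TOTP exactly as the comments above describe them (RFC 4226 dynamic truncation, TOTP as HOTP with counter = time/30, checked against the RFCs' published test vectors), beside a constructed stand-in for the origin binding that U2F/WebAuthn add. The shared secret, the timestamp and the `relay_attack_succeeds` simulation are constructed; the origin-bound signature uses HMAC only so the block runs with the standard library, where a real FIDO key uses ECDSA over a hashed app id.

```python
import hashlib
import hmac

# Test-vector secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1(secret, counter) with dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238) is just HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, drift: int = 1) -> bool:
    """Server-side check accepting +/- `drift` steps of clock skew.
    Note what is absent: no origin or domain is part of the computation,
    so anyone who obtains the code can replay it within the window."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-drift, drift + 1))


# --- origin binding, the property U2F/WebAuthn add (constructed stand-in) ---

def authenticator_sign(rp_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """The browser, not the user, supplies the origin the page was loaded from."""
    return hmac.new(rp_key, challenge + browser_origin.encode(), hashlib.sha256).digest()


def rp_verify(rp_key: bytes, challenge: bytes, expected_origin: str, sig: bytes) -> bool:
    """The relying party verifies against ITS OWN origin, not the attacker's."""
    expected = hmac.new(rp_key, challenge + expected_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def relay_attack_succeeds(scheme: str) -> bool:
    """Simulate the real-time relay phish discussed in the thread: the victim
    uses the second factor on attacker.example, which forwards it to
    mybank.example. Returns True if the bank would accept it."""
    secret = b"constructed-shared-secret"   # constructed, not a real enrolment
    now = 1_600_000_000                      # fixed constructed timestamp
    if scheme == "totp":
        code = totp(secret, now)             # victim types this on attacker.example
        return verify_totp(secret, code, now)  # bank cannot tell where it was typed
    # webauthn-style: attacker relays the bank's challenge, but the victim's
    # browser tells the authenticator the origin it is really on.
    challenge = b"nonce-from-mybank"
    sig = authenticator_sign(secret, challenge, "https://attacker.example")
    return rp_verify(secret, challenge, "https://mybank.example", sig)
```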
| [deleted]
| quadrifoliate wrote:
| > I wish he'd mention what kind of 2FA...U2F/WebAuthn...origin
| binding...SMS
|
| It shouldn't matter, because it's irrelevant to the point of
| the article, which is that Facebook (at least as reported)
| leaves a hacking victim with little or no recourse to get their
| account, and sometimes livelihood back.
|
| An imperfect real-world analogy of your question is like asking
| about what precise brand of bear mace an assault victim was or
| was not carrying, and whether a better one would have helped.
| Perhaps it would have, but _that's not the point_. If having
| hardware tokens is so important, Facebook should be making them
| mandatory at its scale.
| cowturds wrote:
| Facebook, 1 Hacker Way. Hah hah ha
___________________________________________________________________
(page generated 2021-08-20 23:00 UTC)