[HN Gopher] Facebook hacker beat my 2FA, bricked my Oculus, and ...
___________________________________________________________________
Facebook hacker beat my 2FA, bricked my Oculus, and hit the company
credit card
Author : tosh
Score : 922 points
Date : 2021-08-20 18:57 UTC (1 days ago)
(HTM) web link (codewriteplay.com)
(TXT) w3m dump (codewriteplay.com)
| EMM_386 wrote:
| > Would I kick off the arbitration process to get that shut down?
| I'm actively exploring the possibility.
|
| DO IT. Please, do it.
|
| While it's a damning write-up, words won't change anything.
| Lawsuits might.
| tomhallett wrote:
| I had someone contact me on Facebook marketplace, we agreed upon
| a time/price and then they asked for my phone number (which I
| sadly gave them). Then they said "I'm going to text you a code,
| so I can verify you are legit". The text I got was from Google
| Voice's 2FA.....
| optymizer wrote:
| How would someone use that code to hack into my GV account?
| Wouldn't they also need to know my password or have access to
| my e-mail account to login or to reset your password?
| TomVDB wrote:
| They don't.
|
| They want to link a new GV account to a real phone number
| that is not theirs, so that they can use the GV number for
| other scams.
|
| It only works when your phone number doesn't already have a
| GV linked to it.
| fastball wrote:
| Seems easier to just buy a SIM card for cash, no?
| bagels wrote:
| Wouldn't the victim have to send the code back to the
| scammer for it all to work?
| avidiax wrote:
| Hey! I want to buy your used Ikea furniture!
|
| Just a quick safety precaution to make sure: I'm going to
| text you a code, can you just send it back to me to
| confirm?
|
| Thanks!
| teraflop wrote:
| Because OP specifically mentioned Google Voice, my guess is
| that it was a phone number "ownership" code, rather than a
| 2FA code per se.
|
| The attacker was probably trying to create a _new_ Google
| Voice account forwarding to OP's phone number. They could
| then use the new GV account as its own "legitimate" phone
| number in order to engage in other scams.
|
| (Alternatively, OP's password might have already been
| compromised, and this was the last stage of a targeted attack
| by someone trying to get into their account.)
| Jolter wrote:
| I don't use GV, but presumably if they can make Google send
| you an auth SMS then they have already input your password.
| I'm guessing it was leaked in some big password leak, and not
| phished at an earlier time.
| TomVDB wrote:
| This is a very common scam. AFAIK it's a way to create a new
| Google Voice account (linked to your phone number) with the
| goal of using that account for other scams so that they can't
| be tracked.
|
| I fell for it, but since I already had a Google Voice account
| linked to that phone number, it didn't work for the scammer.
| But he didn't realize that it didn't work.
|
| I quickly realized that something wasn't right (and Googled the
| mechanics of the scam) and then was able to waste his time for
| another 30min.
|
| The reason I fell for it was because they use a text message
| from Google in some African language, so I didn't immediately
| realize what was going on. Still dumb to not pay more
| attention...
|
| But it taught me to not list my phone number in the open on
| Craigslist.
| WolfRazu wrote:
| That foreign language thing is genius. I've never heard of
| that before.
| FrameworkFred wrote:
| oh dang...good to know
| wil421 wrote:
| This happened to my mother in law but luckily she was wise to
| the scam. She said the reply was almost immediate.
| davidbiehl wrote:
| this happened to me the other day for an item i was selling. at
| the first mention of a "code", i told them first come first
| served and i have other people interested. that ended the
| conversation.
| shkkmo wrote:
| The last time I posted something on craigslist for sale, the
| majority of responses were trying to get me to send them 2fa
| codes.
| voakbasda wrote:
| I get these texts periodically. I feed them fake codes and
| waste as much of their time as possible.
|
| When they figure it out, I receive threats ranging from
| reporting me to the authorities all the way up to killing me
| and raping my family.
|
| I then point out exactly how their scam works, and that they
| are either criminals directly or working for them as patsies.
| At this point, they usually stop responding.
|
| If they don't, then I take the chance to vent some of my own
| vitriol at them. It's usually therapeutic, but it's always fun.
|
| I have accumulated a lot of hobbies over the years, and I count
| this among them.
| skinkestek wrote:
| I used to get some tech support scams but I think either that
| scam is dwindling or I've got blacklisted somehow.
|
| Those "3rd line specialists" can get really angry when they
| realize the unsecure but rich old man they are talking to is
| far beyond them in tech and has been having fun and
| recording them ;-)
| cmattoon wrote:
| I can't tell you how many obviously-fake profiles and scammers I
| report, and see other people commenting about reporting, only for
| them to still be around days, weeks, sometimes even months later.
|
| All of these were obvious scammers directing traffic to a single
| profile - some forex guru or whatever. Shilling get-rich-quick
| schemes doesn't meet Facebook's definition of "spam", apparently.
|
| https://imgur.com/a/xihRPwE
|
| What a garbage app.
| exikyut wrote:
| I love the rhetoric:
|
| > _You anonymously reported ..._
|
| > _You *anonymously* reported ..._
|
| > _*You* *anonymously* reported..._
|
| "Greetings, human. We have masked your identity from...
| ourse[?]lve*1.000.000*s."
| petee wrote:
| Ironically you have to be careful doing this, as their systems
| can ban you for too many reports, if they aren't all flagged as
| 'legitimate' scammers. The last time I filed a report I had
| this new warning show up at the bottom prior to submission
| neonate wrote:
| https://archive.is/jZQNs
| deeviant wrote:
| My Spidey-Sense is telling me that the person in the article
| _may_ not be telling the whole truth.
| albertgoeswoof wrote:
| Fascinating blog post. However I don't know why it took him so
| long to reach out to Facebook support, everyone knows that to get
| your account unlocked you just need to write a viral blog post
| about your experience and use your existing popularity to ensure
| someone at Facebook reads it, realises you're not one of their
| typical peasant end users and unlocks your account for you.
| sombremesa wrote:
| Can confirm, wife had a similar issue and tried to buy an
| oculus to get in touch with a human - said person could not
| help at all. Ended up having to use her network to get in touch
| with a Facebook employee who got it handled immediately.
| Applejinx wrote:
| The interesting question is whether this process still
| functions if you're identified as a person of interest to
| Facebook.
| [deleted]
| jeffbee wrote:
| I don't think Facebook 2FA is terribly secure. They definitely
| err on the side of usability. I was using TOTP on Instagram and I
| forgot to back up my Google Authenticator before wiping my iPhone.
| But I was then able to just go to the settings on a logged-in
| device and disable 2FA without 2FA. And it wasn't like I had
| logged into that device recently, either. I only had to 2FA
| Instagram once, years ago.
| zmmmmm wrote:
| I wonder if having 2FA made it worse ... I can see the review
| process taking the enablement of 2FA as proof he really did the
| abuse and discounting the possibility that his account was
| hacked.
| exikyut wrote:
| Oh meep.
|
| I was going to make the following point to the parent comment
| then read this reply and realized the situation is even
| worse:
|
| 1. (According to parent comment) 2FA can be disabled without
| 2FA
|
| 2. Having 2FA makes you look studious/thorough/decisive
|
| Presumably the tech support is indeed told to pay attention
| to 2FA.
|
| Presumably the entire management/instruction chain there
| isn't aware of the fact it can be turned off without 2FA
| confirmation, which effectively neuters it.
|
| So you have the worst of all the worlds. Niiice.
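The failure mode described in this comment chain (2FA that can be switched off without presenting the second factor) is a server-side design problem. As an added example, not code from the linked article or from Facebook/Instagram, here is the check that closes the gap: a standard-library TOTP verifier (RFC 6238, HMAC-SHA1, 30-second steps) and a freshness requirement that a 2FA-disable request is only honoured if the second factor was verified within the last few minutes of the current session. The `Account`/`Session` classes, the 300-second window and the one-step clock-skew tolerance are assumptions made for the example; the `RFC6238_TEST_SECRET` is the public test key from the RFC.

```python
"""Step-up check before disabling 2FA (added example, not Facebook's code)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Public test secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC6238_TEST_SECRET = b"12345678901234567890"
TOTP_STEP_SECONDS = 30
FRESHNESS_SECONDS = 300  # assumed window: how recent the second factor must be


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class Account:
    # None means 2FA is not enrolled.
    totp_secret: Optional[bytes]


@dataclass
class Session:
    account: Account
    # Unix time at which the second factor was last verified in this session.
    last_second_factor_at: Optional[int] = None


def verify_second_factor(session: Session, code: str, now: int) -> bool:
    """Check a submitted TOTP code; on success, record the verification time."""
    secret = session.account.totp_secret
    if secret is None:
        return False
    # Accept the current step and one step either side to tolerate clock skew.
    for drift in (-1, 0, 1):
        expected = totp(secret, now + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            session.last_second_factor_at = now
            return True
    return False


def disable_2fa(session: Session, now: int) -> bool:
    """Turn off 2FA only if the second factor was presented recently.

    A long-lived logged-in session (or a replayed cookie) is not enough on
    its own: without a fresh verification the request is refused.
    """
    account = session.account
    if account.totp_secret is None:
        return True  # nothing enrolled, nothing to disable
    verified_at = session.last_second_factor_at
    if verified_at is None or now - verified_at > FRESHNESS_SECONDS:
        return False
    account.totp_secret = None
    return True


if __name__ == "__main__":
    acct = Account(totp_secret=RFC6238_TEST_SECRET)
    sess = Session(acct)
    print("disable without fresh 2FA:", disable_2fa(sess, now=1000))
    print("verify:", verify_second_factor(sess, totp(RFC6238_TEST_SECRET, 1000), now=1000))
    print("disable with fresh 2FA:", disable_2fa(sess, now=1060))
```

The same freshness gate belongs in front of every other account-takeover lever (changing the recovery e-mail or phone, adding a new authenticator, revoking recovery codes); the point is that a session that merely exists is weaker evidence than a factor presented just now.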
| exikyut wrote:
| (See reply to sibling comment)
| ElijahLynn wrote:
| IDEA: Build a service that identifies all the Single Sign On
| accounts tied to your Facebook/Google/GitHub/Twitter accounts for
| you and gives you a nice list and instructions on how to separate
| out the accounts with links if possible.
| exikyut wrote:
| That's an interesting concept.
|
| Thinking about it for a bit, I'm sadly hesitant that it might
| need to be built as a browser extension or mobile app, rather
| than a website, because none of these services provide
| programmatically-accessible (even read-only) feeds of what
| you're looking for, so you'd need to scrape everything. This
| brings up two issues: 1) the headache of IP ratelimiting
| (and/or flat-out IP bans from trigger-happy systems optimized
| for fighting fraud/bots hosted on cloud infrastructure). IIUC
| there are proxy services that you can outsource the workaround
| problem to, but this is awkward to get behind in the face of
| 2), which is that users would need to input their actual
| usernames and passwords so that the service could request the
| account page with the details on it in order to scrape the
| data.
|
| Given that these are broadly web services poked at via HTTPS,
| you could potentially get everything you needed from a browser
| extension (as long as the service doesn't require you to set
| any HTTP headers that extensions aren't allowed to touch).
|
| The second possibility is using an app. Writing a thin layer
| that lets you craft custom HTTPS/whatever requests from a
| WebView would probably be the most straightforward approach.
|
| The main issue with both the extension and app approaches is
| that they code-dump both the idea and methodology of "here is
| how to do X" into the hands of the IQ-99 skiddie group
| (especially with an extension). So now you have _more_ people
| running around scraping pages and whatnot and trying to figure
| out how to weaponize everything. Probably won't go anywhere
| (in terms of producing actual attacks), but the noise may
| potentially make your life harder.
|
| The least-complex solution seems to just be a giant boring list
| of links, for example:
|
| - https://myaccount.google.com/permissions
|
| - https://twitter.com/settings/connected_apps,
| https://twitter.com/settings/connected_accounts
|
| - https://github.com/settings/apps/authorizations,
| https://github.com/settings/applications,
| https://github.com/settings/installations,
| https://github.com/settings/apps,
| https://github.com/settings/developers,
| https://github.com/settings/tokens
|
| Hmm, that's kind of all over the place for some things. A
| single aggregate view that combines everything could definitely
| be very interesting...
| garyfirestorm wrote:
| I don't understand how the hacker bypassed 2FA? Did OP
| accidentally enter his keys somewhere? Or did the hacker
| convince FB support to disable 2FA? How can we all avoid OP's
| fate. Lots of comments go in-depth on yubi keys and whatnot. But
| if FB support disabled 2FA what good is a U2F, fido2 and whatnot?
| efficax wrote:
| If it's malware that steals cookies, no 2fa is necessary, just
| set up your cookies and log in like it's a live session
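The attack efficax describes (a copied session cookie replayed from the attacker's machine) never touches the login flow, so 2FA is not consulted. The defender's counterpart is to notice that a valid session is suddenly being used from a different client. Below is an added example, not code from the article or from any of the services discussed, of a server-side check that binds each session to the client fingerprint (source IP plus User-Agent) seen when the session first appears and flags later requests whose fingerprint differs. The log format and all session ids, addresses and user agents in `SAMPLE_LOG` are constructed for this example.

```python
"""Detect a session cookie replayed from a second client (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log: "<unix_time> <session_id> <client_ip> <user_agent>".
# sess_a1b2 is first seen from one network/browser, then reused from another.
SAMPLE_LOG = """\
1629480000 sess_a1b2 203.0.113.10 Firefox/91.0
1629480120 sess_a1b2 203.0.113.10 Firefox/91.0
1629480300 sess_c3d4 198.51.100.7 Chrome/92.0
1629481000 sess_a1b2 192.0.2.55 Chrome/92.0
1629481060 sess_a1b2 192.0.2.55 Chrome/92.0
1629481500 sess_c3d4 198.51.100.7 Chrome/92.0
"""

Fingerprint = Tuple[str, str]  # (client_ip, user_agent)


@dataclass(frozen=True)
class Event:
    ts: int
    session_id: str
    ip: str
    user_agent: str


@dataclass(frozen=True)
class Alert:
    ts: int
    session_id: str
    expected: Fingerprint  # fingerprint the session was bound to
    observed: Fingerprint  # fingerprint of the suspicious request


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated log; the user agent may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session_id, ip, user_agent = line.split(maxsplit=3)
        events.append(Event(int(ts), session_id, ip, user_agent))
    return events


def detect_session_reuse(events: List[Event]) -> List[Alert]:
    """Bind each session to its first-seen fingerprint and flag mismatches.

    Events are processed in time order so the binding reflects the client
    that actually established the session, not whichever line came first.
    """
    bound: Dict[str, Fingerprint] = {}
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        fingerprint = (ev.ip, ev.user_agent)
        if ev.session_id not in bound:
            bound[ev.session_id] = fingerprint
            continue
        if bound[ev.session_id] != fingerprint:
            alerts.append(Alert(ev.ts, ev.session_id, bound[ev.session_id], fingerprint))
    return alerts


def sessions_to_revoke(alerts: List[Alert]) -> List[str]:
    """Distinct sessions that should be invalidated (forcing a fresh login with 2FA)."""
    return sorted({a.session_id for a in alerts})


if __name__ == "__main__":
    found = detect_session_reuse(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a.ts} {a.session_id}: bound to {a.expected}, seen from {a.observed}")
    print("revoke:", sessions_to_revoke(found))
```

Client IPs change legitimately (mobile networks, VPNs), so in production the User-Agent half of the fingerprint is the more stable signal and a mismatch is best treated as a trigger for step-up authentication or session revocation rather than a hard block; the cheap, complete fix is to revoke the session and require a new login, which is where the second factor is actually enforced.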
| mtnGoat wrote:
| i love how they say it cant be reversed in the warning. that is
| an absolute falsehood. its worded in a way that leads you to
| believe its final and not possible to undo, which is entirely
| false.
|
| source: recently had to help someone get a developer account out
| of this position, account was reinstated. just gotta know the
| right people i guess?
|
| this is the biggest example of all, to me, why big tech needs
| regulating... if you are going to take away access to things i
| paid for (or worse yet, my family's livelihood depends on), you
| dang well better be willing to explain very explicitly why and
| provide me with a real person to appeal to. not some automated
| system (im looking at you too Google and Apple!)
| jedimastert wrote:
| Yeah, "can't" and "won't" are very different words
| 02020202 wrote:
| you guys still use facebook?
| zmmmmm wrote:
| I really think for the Oculus side of this, they should be on the
| hook for refunding a significant portion of the cost of the
| user's Oculus library when they ban the account.
|
| This would put the cost of a ban to Facebook for real users in
| the order of hundreds of dollars which is more than enough to
| have a support person do a realistic evaluation of the situation.
| It also reflects the non-recoverable portion of the cost to most
| users - you can sell the headset, but you can't transfer the
| value of the library to anybody. That is a straight up and very
| significant financial loss.
|
| While other aspects of the ban policy are obviously still very
| problematic, the fact that an arbitrary ban that is caused by
| actions outside the user's control can result in hundreds of
| dollars of losses sits at a whole different level and _should_ be
| legally problematic for Facebook.
| aussieguy1234 wrote:
| This is not a bad idea as long as Facebook is on the hook for
| the refunds, not the app developers.
| quickthrower2 wrote:
| Well it'd have to be both like any normal refund. Hopefully
| the % of refunds is small as it would be on way ebay or
| Amazon sales.
| betwixthewires wrote:
| Why?
| PostThisTooFast wrote:
| This is why you should never buy devices that have to be
| tethered to a company's servers.
|
| Logitech Harmony remote users just learned this the hard way
| too. It means you can be ripped off at any moment. People need
| to stop voting for this offensive BS.
|
| Speaking of offensive: Two posts closer together than an hour
| and 10 minutes is "too fast" for this bullshit forum. Talk
| about offensive: They let you type out a question, comment, or
| reply and THEN say, NO, YOU CAN'T POST.
|
| First of all, fuck you HN. Second, FUCK YOU MORE for
| deliberately WASTING PEOPLE'S TIME by letting them invoke the
| comment function when you know you're not going to let them
| post. Unbelievable.
| grishka wrote:
| > It also reflects the non-recoverable portion of the cost to
| most users
|
| And then people wonder why I'm never buying anything digital.
| That's the reason. Buying digital makes your continued access
| to the thing dependent on your account being not banned and the
| servers being up. In other words, even if you "own" it, you're
| still at the mercy of the seller. But if you bought something
| on a physical medium (or torrented), no one could take it away
| from you.
| exporectomy wrote:
| Just think of it as like paying to see a movie. I bought a
| $10 app once, used it for what it was for, and now several
| phones later, I don't know or care what's happened to it. I
| got my value out of it and don't need to hoard every
| possession I "buy".
|
| Remember people who used to have a huge collection of video
| tapes or CDs? They hardly used them for anything except
| decoration of their living room. Hoarding old crap that you
| never use isn't the best use of money.
|
| Physical things can readily be taken away in divorces and
| debt recovery or less common things like police seizure if
| you're suspected of a crime. The world's richest man had half
| his wealth taken like that. Property rights aren't as secure
| as you think.
| jnovek wrote:
| You know, many people find collecting things to be a
| pleasant and relaxing hobby. Perhaps, for some people,
| having a large collection of tapes or CDs, displaying the
| collection is part of the point.
|
| People gather enjoyment from different types of things. Not
| everyone aspires towards minimalism.
| boolemancer wrote:
| > The world's richest man had half his wealth taken like
| that.
|
| If you're talking about Bezos, all of their wealth was made
| after they got married. The news can say it's "his wealth"
| but it always belonged to both of them. It's not "taking
| half his wealth," it's splitting their co-owned assets.
| [deleted]
| syshum wrote:
| So much wrong here
|
| lets start with this
|
| >The world's richest man had half his wealth taken like
| that
|
| I assume you are talking Bezos's divorce, you might want to
| actually look into that if you believe that. he did not
| have half his wealth taken, far far far from it.
|
| >Physical things can readily be taken away in divorces and
| debt recovery
|
| That is not being "taken away" in the sense you are talking
| about in context, for debt recovery it is being "taken
| away" because you did not actually own it, the lender did,
| you do not own it until you have paid it off. I own my car,
| that means I have no debt on my car...
|
| Divorce is not "taking away" it is splitting assets owned
| by multiple parties. Sure the process can be seen as
| unfair, however legally the assets are owned by both people,
| the courts then choose who the new owner of the asset is.
|
| That is a far cry from what we are talking about in this
| context.
|
| >Just think of it as like paying to see a movie.
|
| But it is not, That would be like a Netflix Subscription,
| where I pay to access content, not pay to own the content.
| Ownership and Renting is different.
|
| If they want to rent content there are methods to do that,
| however most people will not pay the prices they charge for
| a rental that is why they need to guise it as a "purchase"
| not a rental
|
| >Remember people who used to have a huge collection of
| video tapes or CDs?
|
| I used mine, then I ripped them (legally) to enjoy them on
| other technology... Sad you just used them for decoration.
| Probably should have spent money on something else you
| found enjoyable
| drdeca wrote:
| Wow, I really disagree with this. Or, with the implication
| / point?
|
| Sure, if one buys a newspaper, chances are that one won't
| hold on to it for long. But it is important that one can.
| If one wants to cut out a story from it and hold onto it,
| perhaps in a scrapbook, one can do so.
|
| It is also important for archival and preservation
| purposes.
| drdeca wrote:
| This depends on how it works.
|
| It is perfectly possible for games to be sold digitally
| online with no drm, such that you could easily (without
| requiring uncommon technical know-how) copy it to a flash
| drive and run it on a computer with no internet connection.
|
| Of course, games sold this way are extremely easy to pirate,
| because it is, essentially, pre-cracked. But one can
| distribute a product like this, and on occasion people do.
| harph wrote:
| All games on gog.com are sold like this.
| SevenSigs wrote:
| > they should be on the hook for refunding a significant
| portion of the cost of the user's Oculus library
|
| If the purchases were < 6 months ago, I would do credit card
| charge backs...
| RIMR wrote:
| Or have ban groups. Ban someone from having a Facebook profile,
| buying ads, sending Messages, or having an Instagram profile
| based on their behavior on those respective sections of the
| site. Maybe disable a person's multiplayer capabilities if they
| have a reputation for harassment.
|
| But let them keep their hardware running, and access their game
| library.
|
| Seems good for business, tbh. You might not want neo-nazis
| posting whatever they want on their profiles, but who cares if
| they're buying video games?
| zmmmmm wrote:
| Yes, Facebook really doesn't have a convincing argument why
| they will not just disable the social interaction features
| when the ban is made on that basis. They will say that they
| want to build social features into all their software as
| integral and therefore it is not possible but it doesn't pass
| muster to me .... it simply isn't that hard to make it
| conditionally available within apps and if it is that hard
| then it is Facebook's fault for engineering it that way.
| jtvjan wrote:
| Perhaps they're trying to avoid a situation where banned
| people get a better experience because they don't have to
| deal with the social features.
| judge2020 wrote:
| This is another good part of steam - even if your account is
| banned from the entire community for site-wide spam, you don't
| lose access to your game library.
| judge2020 wrote:
| Edit: looks like, of course, they can ban you and lose access
| to your games, however it requires threatening legal action
| against Valve.
|
| https://www.oneangrygamer.net/2020/06/steam-user-loses-
| game-...
|
| Looks like this user received this message[0] after being
| banned from the community and only because he mentioned
| russian law did Steam suspend his account.
|
| > Going to support and blalblab again my rights and the
| russian law, they slapped me with a perma community ban and 1
| month ban to contact the support.
|
| 0: https://i.imgur.com/uciPvDC.png
| quickthrower2 wrote:
| Why are we buying this account-linked physical shit. Just
| pretend the headsets are not a viable product to purchase if
| they can be remotely bricked by a company you have no leverage
| over. Get a competitor product or go without.
| zuppy wrote:
| because we're, or at least I am, inherently lazy. i would
| rather pay a markup on a playstation digital download that
| would allow me to not move from the couch. i'm a pretty
| active person outside the couch. the bad news is that they
| know this :)
| taneq wrote:
| Pretend? They're NOT a viable purchase due to this garbage.
| moolcool wrote:
| Do you use a smartphone?
| fulafel wrote:
| You can use a smartphone without linking to a faang
| account. Though it still has a device ID which it uses to
| talk to some infra if you keep the stock firmware.
| grishka wrote:
| You can disable Google services on Android. There's
| literally a button to do that if you know where to look.
| quickthrower2 wrote:
| Yeah smartphones are unfortunate since with COVID now you
| have to have one to check in in my country, but the second
| test is reputation. I've not heard of apple or android
| bricking a phone like this but FB/Google account bans and
| limitations are common.
|
| I guess we can't be purist anymore but being pragmatic is
| still possible and you can divert funds away from FB this
| way to a company that cares about the headsets they sell
| and the user experience
| betwixthewires wrote:
| My smartphone cannot be remotely turned into an overpriced
| wheel chock by someone in a call center.
| throwaway2048 wrote:
| Apple at least can absolutely do this, that's what the
| purpose of reporting a device stolen is.
| betwixthewires wrote:
| OK but that's a very different story, one is stolen and
| at the request of the owner, the other is for some
| ethereal vague hard to pin down rule that was broken with
| no way to resolve it. My use of my property that I own
| should not be contingent on some behavioral rule on some
| website that could change at any time. Don't give money
| to companies that can remotely brick your property
| without your explicit request.
| josephg wrote:
| Apple also has phone numbers you can call with a human at
| the other end who can help resolve stuff like this.
| loeg wrote:
| > refunding a significant portion of the cost of the user's
| Oculus library when they ban the account
|
| This incentivizes abusive behavior by users who want refunds,
| and cheapens the cost of abusive behavior. This mechanism was
| discussed in relation to OnlyFans somewhat recently -- creators
| that wanted to ban abusive "fans" had to refund them.
| (Unfortunately, I don't have a link handy.)
|
| The problem here is that Facebook couldn't tell OP had been
| impersonated by an abuser -- as you say, "actions outside the
| user's control."
| adrr wrote:
| They should decouple Facebook and Oculus from each other.
| They could share the login but should be separate services. I
| am sure he violated FB terms but did he violate Oculus terms?
| gentleman11 wrote:
| > This incentivizes abusive behavior by users who want
| refunds, and cheapens the cost of abusive behavior.
|
| The status quo incentivizes abusive behaviour from the
| company, and cheapens the cost of mistreating users
| codeyperson wrote:
| As long as they don't get the full amount back then piracy
| will be the path of least resistance for that kind of abuse.
| dkdk8283 wrote:
| That's ok with me - FB has enough money.
| creato wrote:
| The problem being described is not FB losing money, it's
| grifters and scammers gaining money.
| ruined wrote:
| That's ok with me - grifters and scammers don't have
| enough money.
| int_19h wrote:
| That's preferable to non-grifters and non-scammers losing
| money.
| nitwit005 wrote:
| There's not really an "abuse" reason to stop people from
| playing single player games though. What malicious thing
| would they do with them?
| novok wrote:
| They don't have fine grained banning because the abuse
| system was made for a user base that pays them no money, so
| it's a blunt instrument optimized towards cost savings.
| Steam I've heard is more fine grained, and might just do
| online gaming bans or communication bans.
| fshbbdssbbgdd wrote:
| Most games I've played on my Oculus have been paid, the
| same as Steam.
| zuppy wrote:
| i believe (s)he's talking about facebook, whose system has
| been built for its free users. oculus is just something
| that they have added later on, without taking time and
| money to adapt it for the (small number of) paying users.
| temp10298385 wrote:
| Any system that wants to identify a pattern will have false
| positives and negatives.
|
| In this case we can't accurately identify cases where a user
| has legitimate cause for refund without false positives
| letting through a few abusive users.
|
| The decision to be made is whether we skew the system to be
| in favor of the corporation or the consumer.
|
| In this age where we no longer own the software we run I find
| it strange when people advocate for less protection of the
| digital goods they use.
| tgsovlerkhgsel wrote:
| An easy way out would be to ban the account from everything
| except accessing the purchases.
| zuppy wrote:
| this is not enough, you will still end up with a piece of
| hardware that you paid for and can not fully use.
|
| it's their decision to introduce this account, when there
| is really no need for it, let it be their problem to fully
| refund everything when this affects you. the solution is
| simple: quit forcing people to use the account nobody asked
| for.
| rossjudson wrote:
| This is pretty much the simplest path. "You posted bad
| stuff on Facebook, so you can't post stuff on Facebook. Or
| like, or whatever. Have a nice day."
| zmmmmm wrote:
| yes ... that's what I hope and expect would be the outcome
| if this was enforced on Facebook. They will try to claim
| that the social features are essential to the platform and
| therefore cannot be disabled but it would not hold up based
| on current Oculus ecosystem.
| edgyquant wrote:
| Even if it did their options should be to either
|
| 1. Allow the user to play it's purchases, just without
| social features.
|
| 2. Refund the user
|
| If this was the law they'd figure it out I promise you
| that.
| zmmmmm wrote:
| Ok, so the scenario is I buy a headset, create a fake
| account, load up on games, then abuse the account to get all
| of it refunded so as to effectively have free use of the
| games for the period of time.
|
| But I still had to buy a headset, put in a real credit card,
| pass Facebooks initial "real identity" checks etc. With real
| human review and some basic policies to prevent repeat abuse
| this doesn't seem like something that would really open a
| wide level of abuse. Perhaps sporadic situations where the
| headset breaks and the user decides it's the easiest way to get
| all their purchases refunded.
| yomly wrote:
| FWIW Amazon has had to deal with and figured would bear the
| costs of refund
| Haga wrote:
| There are platforms where real credit cards are traded just
| for this sort of abuse?
| hnick wrote:
| It doesn't have to be planned abuse. Another possibility is
| "I don't use this much anymore and there's no second hand
| market for my game purchases so I think I'll just get my
| library refunded." You were going to lose value anyway on
| not using it, now you get something back.
| syshum wrote:
| Then they need to stop claiming to "sell" you something
| when clearly they are renting it
|
| Of course no one in their right mind would pay the retail
| prices for a "rental" so screws the business model, but
| honestly, they need to pick one, either they are selling
| products or renting them
|
| This mixed model where they try to have the best of both
| has got to stop, if you ban my account you need to refund
| me, don't want to refund on ban? Well, do not sell me
| things, rent them to me under a service
| kadoban wrote:
| "there's no second hand market for my game purchases" is
| an integral part of that reasoning. Why don't we just fix
| that too.
| londons_explore wrote:
| Even if there were a 2nd hand market, prices would likely
| be lower than the brand new price paid days after
| release.
|
| It's that brand new price Facebook would be refunding
| after a ban.
|
| So the same perverse incentive exists even with a 2nd
| hand market.
| kadoban wrote:
| Doesn't seem likely that they'd be refunding the full
| price to me.
| hnick wrote:
| It would still be simpler to go bulk rather than selling
| piecemeal. But yes, fixing it would be nice regardless.
| [deleted]
| LegitShady wrote:
| stop giving facebook money
| Shorel wrote:
| Is Firefox multi-account container for Facebook enough to prevent
| this cookie stealing hack?
| unyttigfjelltol wrote:
| So in this story Facebook was responsible for $50 of charges, a
| business disruption and a huge and ongoing hassle. And Facebook
| refuses so much as to pick up the phone to discuss it. In the old
| days the equivalent would have been one of those roach motel
| businesses rated 'F' on the Better Business Bureau, buckets
| arrayed on the floor to catch rain leaking through the roof. And
| yet in _this_ day it's one of the most profitable businesses in
| the world. Weird.
| shortstuffsushi wrote:
| This is largely my thought too. This exact story we've seen
| repeated how many times now? What is the outcome? It seems the
| users are left in the lurch, having lost access to their
| accounts and any associated resources without any recourse, and
| that's that. The end. What will it take to have them create
| some mechanism for recovery?
| lotsofpulp wrote:
| >What will it take to have them create some mechanism for
| recovery?
|
| People valuing it sufficiently to choose an alternative (and
| most likely paying for an alternative) over the benefits of
| free access to an established network.
| captainmuon wrote:
| There are many motels, but Facebook has a monopoly on facebook
| accounts. If you could make a facebook account somewhere else,
| you could "take your business elsewhere".
|
| Last I checked, FB actively banned using their APIs to build a
| competing product. I wish the government would make it
| _mandatory_ to offer federation if you had, say, more than a
| million customers. But alas, governments rarely do what's
| convenient for customers.
| squeaky-clean wrote:
| I had an economist friend of mine suggest this a few years
| ago in a conversation (I don't think it was a novel idea of
| his, it's just the first time I heard it). At the time I
| thought it was ridiculous and disagreed. But I've really
| started to come around to liking the idea over time.
| tqi wrote:
| How would you prevent a Cambridge analytica style data
| "breach"?
| captainmuon wrote:
| You make explicit that all data that people enter, they
| enter for purposes of sharing. At the same time, you ban
| creating profiles with data that has not been explicitly
| shared. IMO:
|
| - Make a telephone-book style listing, or searching for "all
| metalheads < 25 near Chicago" where people entered that
| into their profiles -> OK
|
| - Tracking users on your site -> OK
|
| - Tracking users on third party sites, and then aggregating
| this data, so you can see "people who searched for baby
| carriages" or "people who bought diapers with their credit
| card" -> not OK
|
| - Having some kind of database where people could
| _conceivably_ look up what user tqi purchased, searched,
| what their political affiliation is (when not made public)
| -> not OK (unless you have extreme auditability, four-eye
| principle, and so on)
| Accujack wrote:
| I'm thinking Facebook should be subject to an anti-trust
| investigation and breakup.
| kapp_in_life wrote:
| That's pretty silly. Should I be able to use Amazon APIs to
| host reviews for my competing ecommerce site? Or be able to
| proxy user search requests to google and then intersperse my
| own advertisements in the results for my web search service?
| strgcmc wrote:
| I'm not the person you're responding to, but I would say
| unequivocally and unironically, yes! The end result is more
| competition, lower prices, and more options for the end
| consumer. Sure the raw idea of this mechanism is a little
| naive and could be refined, but the outcomes you paint
| sound totally reasonable to me... think of this as a
| creative way to apply a new kind of tax to the criminally
| undertaxed big tech behemoths like Amazon and Google.
| warkdarrior wrote:
| If you come up with a cool service on top of Amazon's
| API, should Amazon be allowed to use your APIs to scrape
| your service data and use it in their offering?
| squeaky-clean wrote:
| If you get above <threshold> users, sure why not? It
| doesn't have to be free, maybe some sort of auditing
| service could determine a "fair" price. But it would be
| open without the possibility of shutting it down in the
| future unless maybe Amazon themselves ditches that API
| internally.
| kapp_in_life wrote:
| You are allowed to do that (as far as I understand
| scraping legality), but google/amazon/facebook are also
| well within their rights to blacklist your IPs, or
| implement other methods to prevent scraping of their
| IP (intellectual property in this case).
| [deleted]
| fieldcny wrote:
| If it's so I can access my own data then yes it should be
| able to.
|
| Google isn't remotely comparable, and I believe Amazon has
| APIs for their store fronts / merchants (still can't access
| reviews you leave)
| captainmuon wrote:
| Amazon is infrastructure at this point. Everybody should
| have access to it. Jeff Bezos won capitalism, give him a
| medal and let him explore space.
|
| Why do we treat government services and certain large
| private services separately? Why are government
| publications public domain, private publications not? Why
| does free speech apply to the government, but not to
| corporations? Why can't we treat amazon like a utility?
|
| I believe the difference is because in the past people
| _fought_ for these concessions from the state. They decided
| for example it would be sensible that the government should
| not restrict free speech. And before, they decided not to
| take feudalism as a given but to democratically elect their
| government. I know I'm being a bit dramatic, but there's
| no reason people couldn't get together and demand these
| kind of concessions from powerful corporations, too. Access
| to Amazon's product API is really the _least_ example of
| what would change.
| kleer001 wrote:
| > governments rarely do what's convenient for customers
|
| or what's in the long term best interest of their citizens
| let alone the rest of the world. Silly humans.
| stjohnswarts wrote:
| Facebook likes to cut down on costs by using an AI excuse to
| say "hey we help customers" but they don't really. If they
| hired enough humans to handle all the complaints/reports they
| get then their profit would plummet off the edge of a cliff. If
| this is the future of AI customer service give me those
| underpaid offshore services any day. At least the being
| laughing at me on the other end is still a human.
| potatolicious wrote:
| > And Facebook refuses so much as to pick up the phone to
| discuss it.
|
| It's part of the business model - each FB user generates so
| little revenue for the company that you can't afford to offer
| anything resembling "real" support channels. The company is
| massively profitable by sheer scale - by making a small amount
| of money per year off of a vast number of users.
|
| This applies to Google as well - or really any ad-based
| engagement-centric business. Your individual users aren't worth
| enough to have human-intensive labor assigned to them, hence
| heavily automated support channels and little to no ability to
| ever have something processed by a human.
|
| One of many reasons I pay Google to host my email rather than
| use a free Gmail - when you are generating a non-negligible
| revenue stream suddenly companies' willingness to answer emails
| and pick up phones increases.
|
| When it comes to FB there's often the pithy "when you're not
| paying for a service you're not the customer, you're the
| product" - which is a simplistic take. In this case though at
| the very least this is true: "when you're not paying for a
| service your support needs are dead weight".
| mavhc wrote:
| Facebook revenue per US/Canada user per year ~$160
| lookalike74 wrote:
| I got Google One just for the telephone customer service
| option. They weren't very helpful for my needs in particular,
| but I think most people would appreciate the phone option for
| the $2+ a month it cost.
| int_19h wrote:
| This is exactly why the anti-trust sledgehammer is
| desperately overdue for them.
| novok wrote:
| The guy is an ad buyer though, so they are still missing
| support for their traditional revenue streams for small
| customers. Even comcast gives you customer support if you
| only buy things for $20/month from them ;)
| xondono wrote:
| > One of many reasons I pay Google to host my email rather
| than use a free Gmail - when you are generating a non-
| negligible revenue stream suddenly companies' willingness to
| answer emails and pick up phones increases.
|
| If you think that makes any difference, I wish you good luck.
| Google is unreachable for support, even if you are a paying
| user.
| IntelMiner wrote:
| As the Terraria developer showed with Google Stadia, even
| if you're actively developing software for their brand new
| products you'll be ignored
| squeaky-clean wrote:
| I managed to get in touch with a Google engineer once for
| help with some Adwords API stuff (our company is a large
| adwords agency).
|
| ...They accidentally CC'd in a public mailing list into our
| discussion and leaked enough information that someone would
| be able to use the automated support system to change the
| company AdWords password. There was basically no way of
| contacting anyone further, the engineer couldn't contact
| anyone that could help us. We ended up making a new adwords
| account.
| cowturds wrote:
| I might as well have been the _engineer_ that reached out
| toward you. But in the end, I was let go as support is
| not earned any metric into performance.
| milkytron wrote:
| In this case though, the customer did buy a product, the
| Oculus Quest.
| BbzzbB wrote:
| ~$30/user (on 3.5B users), not exactly small if you ask me.
| If you do a DCF on a $30/y coupon, even assuming it doesn't
| grow, you'll find that Facebook's (family of products)
| individual users are quite valuable.
| jokoon wrote:
| I think they are at a point where they would rather side with a
| scammer since they generate more money from this situation.
|
| I guess they have data that shows this particular kind of user
| will almost never buy ads ever again, so at least let a scammer
| do it.
|
| You're right, this is weird, but if you look at the profit
| model, it makes sense, and there are no laws that would really
| protect the user.
| jokethrowaway wrote:
| Those transactions are likely to be reversed thanks to the
| practically unlimited chargebacks practice which is rampant
| in our banking system.
| nijave wrote:
| Sure but then the question is "Should we leave an account
| with history of compromise in place that will lead to
| chargebacks or should we just permanently disable it"
| OneLeggedCat wrote:
| Exactly. From the article, "Personally, I think it's very
| telling that Facebook acts so swiftly to block out the
| original user who can stop an ad scam, and so slowly to stop
| a scam ad that they can still bill for."
| pjc50 wrote:
| Leaving aside the fact that they are profitable _because_ of
| the zero cost service, like Ryanair, we should consider how
| many businesses only have the standard they do because of
| consumer action through the media.
| cs2733 wrote:
| Companies like Facebook are as big as Nation States.
|
| Any positives that come out of this for the author are just a
| Facebook PR move. If they did care about users, their support
| system wouldn't be so anti-user.
| kbenson wrote:
| It's trite at this point that someone will respond that the
| users aren't the customers, they're the product, but it's
| trite because it's often correct, and deserves to be said, so
| I guess I'll be the one to say it this time.
|
| The sad thing is that this person actually _is_ a customer
| because they bought a product and pay for things on it, but
| Facebook still doesn't realize that, or more likely these
| customers are such a small amount of their revenue they just
| don't care (and don't think it matters for growth of this
| area or don't care about that growth).
| novok wrote:
| The guy is a customer in the traditional FB way (pays for
| ads) and the new oculus way (buys oculus games & hardware).
|
| FB is super annoying when you want to separate the business
| from any form of a personal account. Eventually you need to
| have some sort of personal FB account linked to a business
| to manage some key ad buy things AFAIK, at the small
| business scale at the very least.
| shkkmo wrote:
| The problem is that "if you aren't a customer you are the
| product" is that frequently you are still a product even if
| you are a customer.
| ballenf wrote:
| > this person actually is a customer
|
| That's the reason the "you're not the customer" line is
| just a distraction.
|
| It totally misses the point that Facebook doesn't have
| customers any more than any other first world power has.
| Facebook has treaties with governments and follow laws when
| it's less costly than breaking them.
|
| FTC actions are like one country taking another to the WTO
| -- not something to ignore, but not really threatening
| either.
| kbenson wrote:
| > That's the reason the "you're not the customer" line is
| just a distraction.
|
| I don't think it is. If Facebook wasn't coming from a
| place such as that, then we wouldn't necessarily see them
| act like this. It's not just about size.
|
| > Facebook has treaties with governments and follow laws
| when it's less costly than breaking them.
|
| So do most large companies, but they don't all act the
| same to their customers. Apple may be guilty of other
| ways of mistreating their customers, but to my knowledge
| they're mostly innocent of this specific brand of it, and
| anything you want to attribute to Facebook's size that
| you can't attribute to any of the other tech big 5[1]
| should be examined for whether that's really the relevant
| underlying cause.
|
| 1: https://www.fastcompany.com/90651160/facebook-is-now-
| the-fif...
| jokoon wrote:
| Facebook seems to be "too big to fail", at a point where their
| game theory is "the scammer is generating profits for us, so
| letting some of our users get scammed is something we can let
| happen".
|
| It's pretty scary. I think they're really willing to let facebook
| die off and just keep instagram and whatsapp, I think that's
| their strategy.
|
| Even facebook dating is buggy and not worthy of a giant like
| facebook. Maybe it's the how GAFA will start to decline.
| fitzroy wrote:
| What is the point of setting up a hardware or Google
| Authenticator-type 2FA solution when most companies will fallback
| to SMS? Is there a way to prevent the SMS fallback (last I
| checked it was 'No' for most sites except maybe Google if I
| remember, and then you still had to go in and manually delete
| it)?
|
| Does a master list exist of companies that don't use SMS, or
| allow the user to exclude it? Otherwise it seems like most 2FA is
| just opening up a much easier attack vector (social engineering a
| phone number port) vs guessing a long, random, unique password. A
| password manager with browser plugin (or iCloud Keychain) mostly
| solves the phishing issue if you stop a second to think on the
| rare occasions when you need to manually copy/paste because of a
| weird subdomain or partner domain.
|
| I've been 'about to' set up 2FA for over a decade now, but it
| always seems like a bad idea.
|
| Edit: Also, who's to say customer service agents won't/don't
| fallback to sending an SMS reset code even if the account
| supposedly requires a dongle or app for 2FA.
| nijave wrote:
| It seems like the places that rely on SMS generally don't have
| hardware 2FA. Or, most websites that allow configuring multiple
| 2FA methods support disabling SMS
|
| The ones that let you configure a single MFA method or single
| with backup are usually where I run into issues, personally
|
| For instance, on Github, I have 2x U2F tokens and paper
| recovery codes but there's not even a phone number configured
| on the account
| mr_toad wrote:
| > What is the point of setting up a hardware or Google
| Authenticator-type 2FA solution when most companies will
| fallback to SMS?
|
| Most people probably use it because it's more convenient and
| reliable than SMS, not because it's more secure.
| Y_Y wrote:
| 2FA (is supposed to) mean you have both factors, not one or the
| other. It's strictly more secure than either alone, even if SMS
| sucks.
| mod wrote:
| Yes, but in some cases it's "2 outta 3" (or worse)
| someguydave wrote:
| > What is the point of setting up a hardware or Google
| Authenticator-type 2FA solution when most companies will
| fallback to SMS?
|
| One possible point is that you could still log in somewhere
| that has internet but no cell service
| int_19h wrote:
| We have a better way of handling that these days:
|
| https://en.wikipedia.org/wiki/Generic_Access_Network
| someguydave wrote:
| That practically requires wifi. In some scenarios you might
| have wired internet only.
| beezischillin wrote:
| This is what I'm worried about, to be honest. Not necessarily
| getting hacked but just getting flagged, banned and burned with
| no recourse.
|
| This is why I commented on an article here some weeks ago that if
| they ever offered any paid user experience they'd be in trouble
| because they'd actually have to help their users with their
| issues.
|
| These tech companies should offer actual support the moment you
| spend money with them with some actual recourse to solve
| problems, especially if it's caused by them. It's insane to me
| that they can just go and run away with your money or burn your
| account at a moment's notice, even when it's just some automated
| filter going crazy. At the bare minimum something like Amazon has
| should be the standard the moment you operate a paid digital
| software repository or sell a digital service or ads. Losing your
| investment should not happen to you unless you're a really
| blatant abuser and if you're the one getting abused your bank or
| credit card provider should never be your only line of defense.
|
| I'm baffled that they have not been in any real conflict over
| this with any consumer protection agency for any of our
| governments.
| ElijahLynn wrote:
| I guess this is the model when the user is the product and not
| the customer. Flipping this, if this were a paying advertiser
| (customer) that got locked out, there probably is a valid path
| to contact someone.
|
| Looks like it is time to remove all my Single Sign On from
| Google, Facebook, GitHub etc. And have individual user/pass for
| all of them. I have the same fear as you and way more so after
| reading this article, just way too much risk now.
| jsnell wrote:
| Per the post, the author _is_ a paying Facebook advertiser.
| It seems like your theory isn't very predictive.
| lrem wrote:
| GitHub seems competent and not that banhammery. I wonder if
| you get better account recovery support there, especially as
| a paying customer?
| neartheplain wrote:
| >This is why I commented on an article here some weeks ago that
| if they ever offered any paid user experience they'd be in
| trouble because they'd actually have to help their users with
| their issues.
|
| Facebook has offered a paid user experience to Oculus users for
| several years now, and so far no one has forced them to
| actually help users with these issues. Not the market, not
| regulators, and certainly not users. They will keep getting
| away with it simply because they can. What are you going to do
| about it?
| Haga wrote:
| Centralized eco systems and monocultures are extremely vulnerable
| to attacks in nature. May be worth an investment into mastodon or
| matrix to have the "fb that still works" the day the big one
| strikes and takes them out.
| jsnell wrote:
| Here's my guess at what happened:
|
| How was the account hijacked? Via cookie theft. The author
| installed malware, maybe some dodgy windows binaries or malicious
| browser extensions. No amount or type of 2FA on sign-in will
| protect you against the session cookie being stolen. (Now,
| additional 2FA on sensitive actions might).
|
| Why was the account banned with such finality, with no chance
| of appeal? Probably for something outright illegal, like the
| hijacker uploading CSAM to the account. It's totally plausible
| that in an obvious enough case, the policy is e.g. to refer the
| case to law enforcement and keep the account disabled.
|
| Why did the attacker want to get the account permanently
| disabled? Maybe an account disable doesn't stop ad campaigns on
| FB. So the attacker sets up an ad campaign, and then gets the
| account banned so that the owner can't reverse it.
| StreamBright wrote:
| I thought session cookies are tied to a specific
| browser/is/ip/etc. combo
| jokethrowaway wrote:
| The attacker should have replicated the browser fingerprint and
| IP on top of stealing the cookie - or just flat out used his
| computer remotely while he was sleeping.
|
| I haven't used FB in a while but I remember login from other
| places were detected.
| jsnell wrote:
| If the session cookie was stolen, there's no new login to
| detect and send a security notification about.
| EMM_386 wrote:
| Can't they detect that the session cookie is coming from a
| different IP than the one it was originally issued to?
| qwertox wrote:
| A carrier-grade NAT could make you change IP address. TOR
| will do it. You would cause yourself more problems if you
| would start to bind a session to an IP address.
| nijave wrote:
| Yeah and turns out CGNAT is ubiquitous among U.S. mobile
| phone carriers (which is a huge market for Facebook)
|
| IPv6 privacy extensions are generally considered a
| feature
| tobyjsullivan wrote:
| Technically that's possible but there would be too many
| false-positives. People would be signed out every time
| they took their laptop home from a coffeeshop or
| connected over a mobile hotspot.
| wolpoli wrote:
| Yes. Facebook has implemented features to try to keep
| their users signed in, even if the user indicates that
| they want to sign out. Therefore, Facebook wouldn't want
| to sign people out if they go to a coffee shop.
| laumars wrote:
| They could use your local MAC or maybe detect the local
| radius of your IP (eg if you suddenly appear from a
| different continent then send a confirmation email).
| Sure, people using Tor might get burnt but those use
| cases are likely less common than those who are getting
| their session cookies hacked.
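As an added illustration (not Facebook's code and not from any commenter) of the trade-off discussed in this subthread: bind the session to the browser and a coarse location rather than the exact IP, so CGNAT and coffee-shop moves do not log people out, and require fresh 2FA for sensitive actions, which is what actually blunts a stolen cookie. The IP-to-country table, user agents and action names are constructed for the demo.

```python
"""Added illustration: country-level session binding plus step-up auth.

Hypothetical code, not Facebook's and not from any commenter. The
IP-to-country table, user agents and action names are constructed.
"""
import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for a real GeoIP database (documentation ranges only).
GEO_TABLE = {
    "203.0.113.0/24": "US",   # e.g. a home or coffee-shop connection
    "198.51.100.0/24": "US",  # e.g. a mobile carrier's CGNAT pool
    "192.0.2.0/24": "DE",     # a different continent entirely
}

# Actions that must never ride on a bare session cookie, however it was obtained.
SENSITIVE_ACTIONS = {"change_email", "change_password",
                     "add_payment_method", "create_ad_campaign"}
STEP_UP_MAX_AGE = 300  # seconds a strong (2FA) authentication stays "fresh"

# Constructed sample user agents for the demo.
UA_CHROME = "Mozilla/5.0 (X11; Linux x86_64) Chrome/92.0"
UA_OTHER = "Mozilla/5.0 (Windows NT 10.0) Firefox/91.0"


def country_for(ip: str) -> str:
    """Map an IP to a country code; '??' when the table does not know it."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return "??"


def _ua_hash(user_agent: str) -> str:
    return hashlib.sha256(user_agent.encode()).hexdigest()


@dataclass
class Session:
    user: str
    ua_hash: str            # browser fingerprint the cookie was bound to
    country: str            # coarse location, deliberately not the exact IP
    last_strong_auth: float


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, user_agent: str, ip: str,
              now: Optional[float] = None) -> str:
        """Create a session right after a full (password + 2FA) login."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, _ua_hash(user_agent), country_for(ip), now)
        return token

    def record_strong_auth(self, token: str, now: Optional[float] = None) -> None:
        """Call after the user passes a step-up (2FA) challenge."""
        self._sessions[token].last_strong_auth = time.time() if now is None else now

    def check(self, token: str, user_agent: str, ip: str,
              action: str = "browse", now: Optional[float] = None) -> str:
        """Return 'allow', 'step_up' (re-run 2FA / confirm by e-mail) or 'deny'."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return "deny"
        # A different browser presenting this cookie: challenge rather than
        # hard-deny, since a browser upgrade also changes the user agent.
        if not hmac.compare_digest(s.ua_hash, _ua_hash(user_agent)):
            return "step_up"
        # Exact-IP binding would log users out under CGNAT or on a hotspot;
        # a country change is rare enough to justify a confirmation step.
        if country_for(ip) != s.country:
            return "step_up"
        # Sensitive actions need a fresh strong authentication regardless of
        # where the cookie came from; this is what limits a stolen cookie.
        if action in SENSITIVE_ACTIONS and now - s.last_strong_auth > STEP_UP_MAX_AGE:
            return "step_up"
        return "allow"


def demo() -> List[str]:
    """Walk the scenarios from the thread; returns the decisions in order."""
    store = SessionStore()
    tok = store.issue("alice", UA_CHROME, "203.0.113.5", now=1000.0)
    return [
        store.check(tok, UA_CHROME, "203.0.113.5", now=1010.0),    # same place
        store.check(tok, UA_CHROME, "198.51.100.77", now=1020.0),  # CGNAT, same country
        store.check(tok, UA_CHROME, "192.0.2.9", now=1030.0),      # other continent
        store.check(tok, UA_OTHER, "203.0.113.5", now=1040.0),     # other browser
        store.check(tok, UA_CHROME, "203.0.113.5", "create_ad_campaign", now=1200.0),
        store.check(tok, UA_CHROME, "203.0.113.5", "create_ad_campaign", now=2000.0),
    ]


if __name__ == "__main__":
    print(demo())  # → ['allow', 'allow', 'step_up', 'step_up', 'allow', 'step_up']
```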
| [deleted]
| NiekvdMaas wrote:
| This 100%. I had the same thing happen to me (even though I
| have 2FA everywhere):
|
| https://github.com/Niek/Niek/blob/master/facebook-scam/READM...
| dillondoyle wrote:
| Unless it used the same IP / UA it seems unlikely? Every time I
| switch IPs I have to re auth to FB ads. Even on the exact same
| browser session.
| ricardo81 wrote:
| >cookie theft
|
| I think that's quite likely. I have a (somewhat throwaway) FB
| account, not much of a profile and mainly used for a local
| cause. Co-admining a page I'd clicked on a clickbaity headline
| posted to the page and several days later my account was
| disabled.
|
| The account recovery process was completely broken/circular but
| somehow the account revived itself after a week.
|
| The fact that my 'friend suggestions' were untainted by a
| friends list seemed to confirm the hack as all my suggestions
| were from people in an entirely new continent.
|
| No ads/CC attached to the account.
| Thorrez wrote:
| There's no way clicking on a headline would lead to your
| account being hijacked... Unless there's a browser 0-day
| which are extremely valuable and no one would waste that on
| your FB account. Or if clicking the link downloaded malware
| and you ran the malware.
|
| Did you ever use the password of the FB account anywhere
| else? You getting phished is also much more likely than a
| browser 0-day. Did you have a security key on the FB account?
| 0xy wrote:
| This isn't correct, it's not the only way. A Facebook
| vulnerability is less valuable than a browser 0-day and
| could similarly leak credentials.
|
| In fact, Facebook has had numerous authentication blunders
| in the past. [1] One of them was a zero-click mechanism
| very recently. [2]
|
| Facebook's security team is a joke, or worse -- they're
| muzzled by product teams and forced to do their bidding.
| [3]
|
| [1] https://threatpost.com/facebook-patches-oauth-
| authentication...
|
| [2] https://about.fb.com/news/2018/09/security-update/
|
| [3] https://appleinsider.com/articles/21/04/22/facebook-
| dangerou...
| ricardo81 wrote:
| It was a secure account as far as the password goes, no
| 2FA. Like I said it was a bit of a throwaway account.
| Password 15 chars long, random chars.
|
| No phishing.
|
| I concluded that there's perhaps a cross-origin issue on
| Facebook's side that allowed cookie hijacking. The
| clickbaity link was almost tailor made for our group
| "[something ominous happened] in [your part of town]".
| Looks like it was auto-shared by someone whose account had
| been compromised as they were local. Reasonably confident
| it was a session hijack, my password remained the same
| while account locked.
|
| The only other plausible thing wrt my account's case was
| that it was almost empty (i.e. no photo, no friends, not
| much to go by) and was somehow flagged but was given a
| misleading reason why it was.
| drummer wrote:
| That is correct; ads keep running while the account is blocked.
| codewithcheese wrote:
| clearly shows where their priorities lie. they will shut down
| your social (media) life without recourse, but heaven forbid
| that has a negative impact on the ad spends
| firecall wrote:
| Yep!
|
| Happened to me!
|
| Account restricted from modifying ads. But yet the account
| kept going, spending money, and I couldn't stop them!
|
| Thankfully I had a second admin on the account and was able
| to get back in.
|
| Now I make multiple accounts to run Ads.
|
| If you search, it's a common problem!
|
| What's infuriating is that FB want you to use your own FB
| account to run business accounts, and it's against T&Cs to
| make fake accounts.
|
| But yet you can be attached to a clients account and get Ad
| banned for something they do!
|
| Gah! The attitude of FB and Google is infuriating!
| bob229 wrote:
| Just delete fb already
| cwkoss wrote:
| Facebook's walled garden around oculus is really disappointing.
| Updates frequently broke mods, and the last time I tried to get
| it working again my Quest got bricked. Need to try factory
| resetting or something to see if I can get it working again, but
| it's left such a bad taste in my mouth I'm considering just
| selling it instead and buying a better VR system.
|
| The only people I've heard have positive experiences with the
| Quest either:
|
| - haven't had it for very long, or
|
| - use Virtual Desktop or sideloading to break out of the walled
| garden. And are willing to frequently repair the issues that
| arise after frequent breaking updates.
|
| I predict that gap in the fence will closed off and non-Oculus
| Store games will no longer work within the next two years and
| Quests will be junk. Please consider other options if you're
| thinking about buying oculus.
| c7DJTLrn wrote:
| I ditched my Rift as soon as the announcement was made that users
| would be forced to migrate to Facebook accounts. FB is
| practically radioactive, I'm not creating an account for them,
| let alone giving them a direct pipe to built in cameras and
| microphones in my VR headset.
| paulpauper wrote:
| Facebook sucks. What else is new. Have not had a personal account
| in a decade after they terminated it. No regrets. I do however own
| the stock and remain very optimistic about the business but not
| for me. Sucks to invest so much time in a platform that can
| take it all away from you without warning.
| mark_l_watson wrote:
| Just a question: could the author create a new Facebook account
| and never use it except to login with his Oculus? He would lose
| his game purchases, though. Once you use a Facebook account with
| Oculus, is the device not wipeable to factory status?
|
| This guy's story is why I try to split book and other media
| purchases between Amazon, Google, and Apple - so, if I lose any
| account I only lose about 1/3 of my purchases.
| SrslyJosh wrote:
| > I've gone from a position of caution about Oculus + Facebook to
| a position of "Run, don't look back."
|
| As if this wasn't an obvious problem.
|
| Relying on any of Facebook, Twitter, Instagram, TikTok, etc. for
| _anything_ is a risk. Doubly so if it involves your business or a
| product that won't work without permission from $PLATFORM.
| drummer wrote:
| Aah yes, another day, another user fucked by fuckerberg. When are
| people going to learn?
| bawana wrote:
| Did he ever say if he found out HOW his account specifically was
| compromised? There is a lot of discussion here about how SMS is a
| weak link. But I don't get it. The example of one respondent
| provided is koiphish. This is just a MITM attack. Doesn't https
| protect against this? If a MITM DID work, does that mean someone
| forged/stole facebook's certificate?
| s5300 wrote:
| , poisoned our water supply, burned our crops and delivered a
| plague unto our houses!
|
| "He did?"
|
| No, but are we just gonna wait around until Zuckerberg does?
| tibbon wrote:
| For those who have worked at Facebook - why in the world are
| their policies like this?
|
| Why is customer support so... unfriendly and unhelpful? No
| escalations possible? No way to reach anyone?
| rvba wrote:
| "Customer support" is someone in the third world paid 1 dollar per
| hour, who barely speaks English and does not care about
| anything - nobody reviews quality of their work, and even if
| quality is reviewed, they are fired, but nobody reviews "old
| cases".
|
| Probably some person randomly clicking "accept" and "deny".
|
| The other question is why there is no escalation, even a paid one.
| Although probably everyone would escalate.
| micromacrofoot wrote:
| ok so on the flip side... why should they? they've become
| enormously successful without customer support
| Sohcahtoa82 wrote:
| My guess is money.
|
| Facebook has such a MASSIVE user base. And people are getting
| accounts stolen a LOT, from either social engineering or
| password reuse.
|
| But there's also a ton of people knowingly breaking rules,
| getting banned, and then trying to cry that their account was
| hacked.
|
| Trying to differentiate between someone's account being taken
| over and abused versus someone just simply being abusive and
| lying about it to support costs a lot of time, and time is
| money. And with the scale of Facebook, that adds up to a LOT of
| money. You have to train a large staff to understand social
| engineering and be able to tell the difference between someone
| who actually can't figure out how to log in, versus a jealous
| ex who is trying to social engineer their way into someone
| else's account.
|
| It's a lot cheaper to just let the bans stick, even if it loses
| a few customers.
| dredmorbius wrote:
| 3 billion active users.
|
| If 0.1% have account issues in a year, that's 8,200 support
| tickets per day.
|
| If each of those takes 20 minutes to resolve, then you'd need
| 115 support techs ... for three shifts, or about 350 total.
|
| Oh, and covering several languages.
|
| I'm guessing my 0.1% issue rate is low by a factor of 10--100.
| Resolution time may also be generous. Increase all other values
| correspondingly.
| [deleted]
| croes wrote:
| 10 billions profit a year, seems like enough money for user
| support
| jedimastert wrote:
| Short answer: they lose less money from people getting
| frustrated than the massive cost of real support
| croes wrote:
| Maybe they would have more users with real support.
| dredmorbius wrote:
| It's literally cheaper for them to buy new services,
| acquire the low-cost users through those, and wash out the
| support-dependent ones.
|
| The Whatsapp purchase worked out to about $30/user,
| though probably factored in both further growth and the
| potential competitive risk.
| dredmorbius wrote:
| Facebook's ARPU is about $25/year.
| https://www.thegoodestate.com/facebook-arpu/
|
| An enterprise software company I was closely familiar with
| in the 1990s budgeted about $50/call for user support. Mind
| that was 20+ years ago, and it was enterprise, rather than
| end-user support. But odds are strong that _one_ service
| call per user eats up all, or multiples of, the actual
| worth of that user to Facebook. Cutting the account loose
| may well be the rational choice for the company.
|
| ARPU varies by region. Within the US it's closer to
| $110/yr, in Europe, $35/yr, Asia & Pacific, $10/yr. Expect
| that support offerings are going to be measured against
| that, though possibly with a consideration as well to
| future growth and economic development.
|
| At $25/call and servicing 1% of users/year, that's $750
| million in support alone. If the cost or rates are doubled
| ... the maths are pretty easy.
| dataviz1000 wrote:
| How to become a Facebook power user: go to
| https://www.facebook.com/deactivate and follow the instructions.
| nitwit005 wrote:
| Google makes a point in their ads for the chromebook that you
| need a Google account to login, which my brain immediately
| translates into "could be randomly bricked at any time".
|
| It's possible that's not true, but there's such an endless stream
| of these stories, that that's the attitude you have to take.
| jedimastert wrote:
| I think a Chromebook is a touch different, as there's nothing
| actually tied to the hardware itself (which, I suppose, is sort
| of the point).
|
| If your Google account is borked, nothing is unrecoverable from
| the computer and any other account can log into it.
|
| That being said, you _will_ be screwed in various other ways,
| mainly that all of the information you'd lose because it was
| normally stored on the you've now lost because you got the ban
| hammer
| mdoms wrote:
| You told your wife to get some sleep at 11:30am?
| tedivm wrote:
| > my wife who works remotely overnight
| rsync wrote:
| In other news, I built and deployed a "2FA Mule" last weekend.
|
| It's a stock android phone with no google account and no apps
| installed except for "SMS Forwarder"[1].
|
| It is configured to forward all SMS to an email address via
| encrypted SMTP. This means that I can receive these 2FA codes
| anywhere I have Internet access - such as an airplane or newly
| arrived in a foreign country where my SIM card does not work.
|
| The "2FA Mule" itself is plugged in at my office in a corner.
|
| I'm not employing this for anything sensitive but it's
| interesting to consider that I can use SMS based 2FA while
| divorcing it from my day to day SIM identity ...
|
| [1]
| https://play.google.com/store/apps/details?id=com.frzinapps....
| breakingcups wrote:
| So the email address is not 2FA secured?
| rsync wrote:
| It's my own mail server. I just tail the mail spool ...
| neartheplain wrote:
| Is your account with the DNS registrar who controls your MX
| record 2FA-secured?
|
| >[...] via encrypted SMTP
|
| In addition to establishing a secure socket, does the mule
| validate the mail server's TLS certificate name?
| danlugo92 wrote:
| Could be his email address uses OTP or U2F, which would make
| it secure.
|
| If anything SMSs are much more dangerous than OTP and
| services should eschew them.
|
| Sadly some of them still force you to have SMS.
| qntty wrote:
| Do you pay for a separate phone line for the mule?
| Symbiote wrote:
| In many countries, a pre-paid phone costs almost nothing to
| keep active.
|
| I keep a UK number for some 2FA systems, it costs about
| £0.10 per year. I just have to send an SMS every 6 months to
| keep the line active.
| [deleted]
| rsync wrote:
| Yes. I have a dedicated account with a verizon MVNO and this
| account has no other SIMs or accounts associated with it.
|
| However, depending on how I choose to use it I can point 2FA
| for numerous different services to this one SIM. I just don't
| want to point _multiple accounts at the same service_ to this
| SIM since that's a clear, common identifier and correlates
| those two accounts better than probably anything else could
| ...
| danlugo92 wrote:
| Nice.
|
| Will actually go this route in the future.
| nijave wrote:
| Google Voice works for many services which is protectable with
| 2FA (hardware tokens) and accessible most anywhere in the world
| --you're at the mercy of Google, though
|
| That should help against SIM swap attacks
| joncrane wrote:
| Lately more and more of my accounts aren't accepting GV as a
| phone number linked with the account.
|
| Recent memory: 7-11 app and eBay both made me use a number
| that's associated with an actual SIM card.
| rsync wrote:
| It's hit or miss and that is why I am basing this on an
| honest-to-god mobile number on a SIM card. I don't want to
| deal with the finicky number validation that is done ...
| dheera wrote:
| Nice. I do something similar but forward it to Slack.
|
| I also have it auto-answer 2FA calls and automatically hit the
| # key.
|
| Yeah, call it not real 2FA, but it's really companies that
| choose to not use U2F are at fault.
| rsync wrote:
| "I also have it auto-answer 2FA calls and automatically hit
| the # key."
|
| One year at defcon - maybe 20 years ago - the speaker told an
| anecdote about a user who had set up a webcam and put their
| RSA token under it.
|
| And we all laughed ... "haha what a dummy ... I can't believe
| users are so stupid" ...
|
| But _secretly_ I thought it was genius.
| banana_giraffe wrote:
| I've done exactly this. Well, my SO did it at my direction
| since I was in another country and had forgotten to take
| the token with me.
| dheera wrote:
| Oh I've done that too before. If they only give me one RSA
| token and no backup, then that's what i do.
| a1369209993 wrote:
| > set up a webcam and put their RSA token under it.
|
| That's only stupid if anyone other than you has access to
| your webcam.
| cortesoft wrote:
| U2F is great, but these companies want to be able to provide
| 2FA for people who won't/can't have a dedicated hardware
| device for 2FA.
| dheera wrote:
| Yeah but (a) by not supporting U2F they suck (b) I don't
| want them to use 2FA as a magic excuse to get my phone
| number
| phire wrote:
| That's... genius
|
| I'm going to have to steal that.
| madars wrote:
| > I want to start by pointing out I use two-factor authentication
| just about everywhere and Facebook is not an exception.
|
| I wish he'd mention what kind of 2FA. The reason you _really_
| should use U2F/WebAuthn is because it does origin binding which,
| unlike entering a TOTP, a code from your hardware
| token/authenticator app on your phone/SMS/etc is not phishable,
| i.e. you can't enter it by accident on
| accounts.google.com.totallylegit.ru and then have them enter it
| on real accounts.google.com. This is so because the U2F/WebAuthn
| security key signs a request, sent by your browser, which embeds
| the requesting page's domain, so a signature on attacker.com will
| not pass victim.com's verification checks, whereas a code from
| your authentication app is trivially copied.
| Scaevolus wrote:
| Beating 2FA is almost always SMS hijacking, but sometimes it's
| social engineering where the attacker has figured out just the
| right script to tell support ("oh, I dropped my phone and it
| won't turn on...") to get it disabled.
|
| edit: correction, beating 2FA _without phishing_ -- like in the
| post where he lost his account while asleep.
| only_as_i_fall wrote:
| How does an sms hijacking attack typically work? I know sms
| isn't secure, but how does one go from having a password to
| bypassing the sms confirmation? Is it as easy as having the
| number and carrier?
| cinntaile wrote:
| Don't they just hijack your number with the help of the
| telecom company's helpdesk?
| ImuMotive wrote:
| It happened to me. Cellular carriers, in my case T-Mobile,
| didn't require any confirmation to port a number to a new
| phone/sim.
|
| Eventually some required the last 4 of your social security
| number to port a number, which we all know at this point
| are pretty much public anyway.
|
| T-Mobile now lets you set an arbitrary pin, which my
| parents promptly set to their DOB :facepalm:
|
| I haven't looked more into it, but as far as I know, sim
| swap/port attacks were hilariously simple to execute which
| is why I only use SMS verification when it's the only
| option.
| [deleted]
| Wowfunhappy wrote:
| You might want to edit out what your parents set their
| pin to! (You can email hn@ycombinator.com if you're past
| the edit window.)
| ImuMotive wrote:
| Lol, I had made them change it as soon as they told me.
| [deleted]
| joshuaissac wrote:
| Maybe what is needed is regulation that makes the service
| provider liable (with no option to disclaim it) for all
| damages suffered by the victim if the provider gives away
| their phone number to an attacker.
| scrose wrote:
| I accidentally 'hijacked' a number by typoing one number in
| my online request. I only found out after my wife pointed
| out my number was different after porting. It took a couple
| hours with the telco's support agents, and practically no
| verification steps, to actually get my correct number back.
| Very sad state of affairs here.
| cinntaile wrote:
| Google is better than all other alternatives in that regard.
| They have a feature called Advanced Protection where you add
| your 2FA U2F keys and if you lose them your account is gone.
| No social engineering possible.
|
| https://landing.google.com/advancedprotection/
| pinum wrote:
| "If you lose your key and are still signed in on one of
| your devices, visit account.google.com to add or replace a
| key. Otherwise, submit a request to recover your account.
| Google may take a few days to verify that it's you and
| restore your access."
|
| I trust that it would be (potentially much) harder than
| normal, but it still seems to be possible.
| cinntaile wrote:
| I was under the impression you were screwed in that case,
| thanks for pointing out that I was wrong. It's a lot less
| secure than I thought.
| withinboredom wrote:
| IIRC, Google will stop the "several day process" if you
| log in at any time.
| someguydave wrote:
| Still sounds like a significant barrier to most phishing
| attacks.
| cinntaile wrote:
| A little bit. It's mostly a time delay, since the
| alternatives to verify your identity seem to be a
| different email address or a phone number and then you're
| back to square one imo. The phone number is still
| susceptible to social engineering and the alternative
| mail likely is too. Ideally I want something where keys
| gone = account gone. Now a dedicated scammer could still
| succeed and it sure doesn't provide any real safety for
| political groups which Google kind of claims it does by
| using testimonies from politically vulnerable people to
| "advertise" the Advanced Protection Program. This is a
| tricky situation though since your adversaries could get
| your keys and your password and then they control your
| account without any chance of getting it back, so it's
| definitely a double edged sword.
| someguydave wrote:
| I presume in this scenario you would have multiple keys
| _and_ multiple backup accounts, so fallback to a likewise
| secured account is reasonable.
| Marsymars wrote:
| > It's mostly a time delay, since the alternatives to
| verify your identity seem to be a different email address
| or a phone number and then you're back to square one imo.
| The phone number is still susceptible to social
| engineering and the alternative mail likely is too.
| Ideally I want something where keys gone = account gone.
|
| I can think of options less extreme than keys gone =
| account gone that are still very secure.
|
| e.g. To enable "Extra Advanced Protection" you have to
| visit Google HQ in your region, where your DNA is
| sampled. If you ever need to recover your account, you
| have to visit Google HQ again for another DNA sample,
| after which you're provided with account access, in
| person.
| someguydave wrote:
| Just showing up in person by itself (with a stored
| photograph and maybe audio recording) is a pretty high
| barrier.
| darkwater wrote:
| > DNA sample
|
| and who's gonna pay for that? Seems pricey and doesn't
| scale exactly well.
| cinntaile wrote:
| Definitely also a good, but still very extreme option.
| This might actually be more secure, depending on the
| threats you have to take into account. It would be
| possible to retrieve the account after a (physical) hack.
| josephcsible wrote:
| > if you lose them your account is gone
|
| IMO, this is way too extreme for almost everybody. There
| needs to be some sort of happy medium so that a person
| who's lost everything they own (e.g., house fire) can get
| their account back somehow still. Two ideas I had:
|
| 1. When you set up your account, provide your legal name,
| date of birth, and a photo. If you need to reset 2FA, go
| somewhere in person with a government-issued photo ID
| (which we already have procedures to replace) that all of
| the details of match.
|
| 2. When you set up your account, provide 5 trusted
| contacts. If you need to reset 2FA, get 3 of them to agree.
| jaywalk wrote:
| If you choose to opt-in to Advanced Protection, you can
| keep a backup hardware token somewhere outside of your
| house.
| josephcsible wrote:
| My concern with that is that if something happened to the
| off-site token (e.g., ESD damage, or even just random
| failure over time), I may not realize until I needed it.
| greggyb wrote:
| If you would like to take advantage of such an option,
| you are also opting in to taking on an operational
| burden. That burden is exactly maintaining a set of
| backup keys and testing them on a regular basis.
| cinntaile wrote:
| I agree with this, it was my original expectation.
| Macha wrote:
| And that's why "everyone should just use yubikeys" is
| never going to happen.
| staticassertion wrote:
| Everyone already pays the same operational burden with
| their house keys, which are far more difficult to manage
| for the average person (as they leave the house
| constantly). It's worked fine for hundreds of years.
| Macha wrote:
| If you lose your house keys, you get a lock smith to
| break into your house for you - your house doesn't become
| unusable forever more.
|
| If you ever need to have this done, you'll realise how
| much house keys and door locks for many cases really only
| stop the opportunistic "pull the handle and see if it
| opens" attack. If your door has above average security
| they'll need to drill the lock, but the time I had to
| call one they could just push a tool through the letter
| box and break/move the bolt by applying leverage from the
| "indoor" side.
| staticassertion wrote:
| > If you lose your house keys, you get a lock smith to
| break into your house for you - your house doesn't become
| unusable forever more.
|
| Same with 2FA. Just like a Locksmith it's a "human in the
| loop" situation where you'll need to give identification
| etc.
|
| The rest of your post isn't relevant it's just about
| picking door locks.
| iggldiggl wrote:
| House keys don't just randomly break the way electronics
| sometimes do, though.
| staticassertion wrote:
| I would bet that door locks and keys break pretty often.
| I know I've had many door locks that you had to wiggle
| just right.
| lotsofpulp wrote:
| >If you need to reset 2FA, go somewhere in person with a
| government-issued photo ID (which we already have
| procedures to replace) that all of the details of match.
|
| Very few people are going to want to pay for this labor
| if the perception of risk of using a free account is as
| low as it is now.
| josephcsible wrote:
| What about giving people a choice like this to pay for
| the labor? Either pay $1 per month for your account, and
| then this service is free for you whenever you need it,
| or have a free account, but then this service costs you
| $1000 if you ever need it.
| lotsofpulp wrote:
| That would be nice, but I imagine there's a perception
| problem with that.
|
| Simply offering the option would bring the risk to the
| forefront of people's minds, and once you start
| exchanging money, lots of other thoughts and liabilities
| begin to enter.
|
| If it is kept free, then the conversation ends there.
| drivebycomment wrote:
| Advanced Protection does have the account recovery.
| https://landing.google.com/advancedprotection/faq/ It is
| just very slow as it's a human process. There's very
| little reason you shouldn't use Advanced Protection, if
| your account is important enough.
| sascha_sl wrote:
| Big caveat being you can no longer use the account to
| develop things with the Google API or use some third
| party clients (e.g. rclone).
| jhugo wrote:
| Which Google API do you mean? I use advanced protection
| and have developed various things with various Google
| APIs, I just use a service account with minimal
| privileges for each thing I'm developing, which is
| probably best practice anyway. Not sure about rclone but
| probably it would work fine with a service account too?
| sascha_sl wrote:
| It blocks any unverified OAuth app, including the ones
| you create yourself.
| jhugo wrote:
| It sounds like you're trying to use APIs with your
| personal account rather than using a service account
| though? Again, I use Advanced Protection and I've never
| encountered the problem you're describing.
| staticassertion wrote:
| I'd just use a dummy account for developing.
| mattkrause wrote:
| I've always thought the Post Office should offer
| something like Option #1.
| queuebert wrote:
| In another universe, the Post Office manages the email
| services, too. Sigh ...
| tinus_hn wrote:
| That way you end up with the same issues as we have now
| with SIM swapping: Post Office employees are not more
| reliable and not necessarily more careful with their
| credentials than people who can give you a new SIM card.
| mattkrause wrote:
| The post office does (did?) ID verification for first-
| time passport applications. I think that's about as good
| as you can reasonably expect since it gets you a bona
| fide, universally-accepted proof of ID that would work
| anywhere else.
|
| I would bet that the post office employees are a bit less
| susceptible to the "hurry up and hit your metrics"
| pressure than someone at the Verizon call center.
| [deleted]
| hn_throwaway_99 wrote:
| Oddly enough, Google's Advanced Protection _is_ the gold
| standard in my opinion, yet Firebase Auth, an Auth-as-a-
| Service product from Google, only supports SMS as a second
| factor, which is baffling to me.
| hn_throwaway_99 wrote:
| > Beating 2FA is almost always SMS hijacking
|
| That's most definitely not true, as someone who works in this
| space. Plain old phishing is much more common, where the
| hacker tricks a user into entering their code into a
| malicious website.
|
| To echo OP, this is why it's important to support non-
| phishable types of 2FA.
| Flatcircle wrote:
| I wondered about this in regards to Crypto and NFT's in the
| digital wallet space. It seems like Metamask with a ledger
| wallet is standard, but I have a theory that if you're not
| sophisticated and you get into Crypto/NFT's, it may be
| safer to just use Coinbase Wallet, as it is less popular
| target than Metamask and you're able to leverage Coinbase's
| ongoing security updates. And if you're not sophisticated,
| you're just as likely to lose your stuff via user error
| with a hard wallet set up.
|
| Just don't click on giveaways and never enter your secret
| code
| ruipgil wrote:
| How's it any relevant?
| baxtr wrote:
| Could you describe the types that are non-phishable?
| tialaramex wrote:
| WebAuthn (or its predecessor U2F but that's obsolete, so
| in green field deployments do WebAuthn) is the only
| practical non-phishable second factor for ordinary users
| on the web.
|
| You can do this two ways, one of which will make more
| sense for your web site:
|
| 1. PCs/ laptops/ etc. can use little USB hardware
| devices, from outfits like Yubico, the word to Google or
| type into your preferred hardware source is "FIDO"
| although if you have spare cash and like cool toys FIDO2
| is a more capable second generation of the technology.
|
| In this situation the FIDO authenticator is your second
| factor. Your web browser takes responsibility for telling
| this authenticator which web site you're looking at, and
| it's just a dumb machine, so from its point of view
| _obviously_ refunds-my-bank.example isn't mybank.example
| because those strings are different. The FIDO
| authenticator just does whatever the browser tells it.
|
| This could be attacked by specialist malware, but it's
| tricky because the FIDO authenticator wants you to take
| physical action to trigger authentication, so the malware
| needs to not only tell the authenticator "Yeah, I'm
| totally er, Internet Explorer, and I need you to
| authenticate for mybank.example" but also persuade you to
| press the button or whatever to make it happen.
|
| Or I guess bad guys can be like "please FedEx your FIDO
| dongle to us" if people really are that dumb, but then no
| need for phishing, just call people "Hey, I'm the IRS,
| send me $5000 in unmarked bills, in a FedEx box marked er
| cat food for some reason that totally makes sense, to a
| residential address in a different state, yeah".
|
| 2. High end smartphones, the sort with a fingerprint
| reader, can do the same exact trick using that
| fingerprint reader (I think some iPhones do facial
| recognition instead?) to do WebAuthn instead for their
| onboard browser.
|
| In this case the smartphone is in charge of everything,
| it knows which web site this really is, it knows if
| that's really your fingerprint or not (the fingerprint
| never leaves your device) and it decides whether to send
| credentials.
|
| For machines it's much easier to do a secure transaction,
| but machines don't fall for a lot of phishing scams.
| jrockway wrote:
| > PCs/ laptops/ etc. can use little USB hardware devices,
| from outfits like Yubico
|
| This is actually built into most computers now -- Windows
| Hello, and Apple has something similar. Websites can
| check the attestation response to specifically block
| those, however. (Seems like Github allows it, and I've
| written code that allows it.)
|
| > I think some iPhones do facial recognition instead?
|
| Yup, they use whatever you use to unlock your phone. So
| if it's a FaceID phone, you can use FaceID to log in. You
| can also hold up your NFC Yubikey to the back of the
| phone and use that, even if you registered the key over
| USB on a PC! It's really, really good.
| munchbunny wrote:
| > Websites can check the attestation response to
| specifically block those, however. (Seems like Github
| allows it, and I've written code that allows it.)
|
| For the client side of things WebAuthn contains a
| standard option to block/allow "platform" authenticators,
| which I empirically know includes Windows Hello, and I'm
| not sure about Apple's or other equivalents. Of course
| you'd still want to verify the attestation on the server
| side.
| tialaramex wrote:
| > Of course you'd still want to verify the attestation on
| the server side.
|
| You almost certainly do not want to do this for a public
| web site. If you insist on attestation right thinking
| people will hit "No" and block the site.
|
| Think about it, what is attestation doing for you in this
| scenario? You're saying that you don't trust your users/
| customers to pick the authentication methods that work
| for them, and instead you're going to insist on methods
| you prefer. Do you also choose each user's passwords?
| "No, sorry, that resembles an English word, we have
| selected the password 48'J3X$q)M3NBfr_2 for you instead"
| ?
|
| In a corporate environment this could make sense. If you
| issue every employee a $100 FooCorp Security Key with
| their photo engraved on it, maybe you decide to require
| attestation that the keys used are FooCorp brand keys to
| prevent employees adding some off-brand Yubico product. I
| don't know whether that's a good idea, but it's no
| crazier than lots of corporate policies, however doing
| this for a public site makes no sense, please just skip
| attestation.
| franga2000 wrote:
| Yes! Any developer that forces the user to use a specific
| type of device needs to be smacked around a bit (or more
| accurately, the manager that told them to do it that
| way). Banks are notorious for this, since their stupid
| 2FA apps will do insane things like scan your app list
| for common root-only apps and non-vendor ROMs (even with
| no root). Some even have a vendor whitelist that obscure
| brands (like OnePlus used to be) aren't on and in both
| cases, their only response is "well just factory reset
| your phone" or "just buy a different device". I've
| switched banks twice because of this insanity.
|
| And there's no reason to do this! It's not like they're
| liable if I get my money stolen. If they prove 2FA was
| used and the security issue was on my device, not their
| app/server, it's my fault! As you said, if you're a
| custodian of something sensitive (an account, documents,
| money..), not the owner of it, it makes sense that the
| owner shouldd be able to dictate how you should protect
| it (like if you're accessing confidential company
| documents using 2FA). But in any other case, the service
| provider should never be allowed to force you to use a
| certain type of authentication device.
| djhworld wrote:
| It's built into Apple devices yeah (touch ID) but this is
| only supported in Chrome and Safari.
|
| Firefox does NOT support Touch ID for webauthn
| laurent92 wrote:
| Can you hold your NFC Yubikey to the back of an iPhone? I
| thought Apple didn't do NFC, apart from ApplePay?
| xoa wrote:
| Your recollection was correct but is now a few years out
| of date. As is typical Apple they intro'd it (in 2017
| IIRC) as a 1st party dogfood item, started read only.
| Then in 2019 with iOS 13 allowing far more power
| including full range of two way authentication
| capability. Yubico blogged about it [0] after the
| announcement, and Apple's HIG on use of NFC [1] is also
| available. Also, Safari itself needed to have support
| added, but that too is now available.
|
| So old workarounds like using the lightning port are no
| longer necessary, though AFAIK are still supported. It's
| nice to have it there as well since to really be most
| effective every platform a user has needs to support
| hardware 2FA. If something still needs SMS or OTP or
| whatever that becomes the weakest link.
|
| ----
|
| 0: https://www.yubico.com/blog/yubico-ios-authentication-
| expand...
|
| 1: https://developer.apple.com/design/human-interface-
| guideline...
| nimih wrote:
| My NFC Yubikey works fine with my iPhone 8.
| aj3 wrote:
| And of course client side certificates. It's a pity they
| are rarely available as an option on public websites.
| josephcsible wrote:
| The UX for client certificates is _horrific_, especially
| if you choose the more secure approach of storing them on
| a smart card.
| u801e wrote:
| It certainly would make sense to improve the UX as
| opposed to coming up with different implementations.
|
| webauthn basically forces use of HTTP as the application
| level protocol, whereas a client side TLS certificate
| will work regardless of which application protocol is in
| use.
| tialaramex wrote:
| Client certificates, as the name might hint, certify your
| identity. But a big thrust of technologies like U2F and
| WebAuthn was not to do that, for privacy reasons.
|
| My FIDO authenticator has no idea who I am, no opinion
| who I am, so you can't use it to do identity correlation.
| It's only useful for the very specific problem we wanted
| to solve "Are you still you?" "Yes".
|
| In contrast a client certificate for u801e is enduring
| _proof_ you're u801e and signatures the client cert
| makes during login will be durable proof that u801e
| logged in. PornHub can show Facebook and GitHub that the
| same user is using their site. So that's a privacy hole
| you can drive a truck through.
|
| There are numerous _practical_ problems with trying to
| leverage TLS client certificates for this work, but that's
| a big privacy problem.
| u801e wrote:
| > In contrast a client certificate for u801e is enduring
| proof you're u801e and signatures the client cert makes
| during login will be durable proof that u801e logged in.
| PornHub can show Facebook and GitHub that the same user
| is using their site. So that's a privacy hole you can
| drive a truck through.
|
| Client certificates can certainly be separated based on
| different domains. So, there would be no way to really
| determine my identity across multiple websites if I sent
| each one a different CSR and they each gave me different
| client certificates. The browser should only send the
| client side TLS certificate that's relevant to the server
| it's trying to connect to via TLS.
|
| The main purpose of the client side TLS certificate is to
| verify the identity of the client on the server side,
| just as a server side TLS certificate signed by a trusted
| CA allows the client to verify the identity of the
| server. In the case of the client side TLS certificate,
| it doesn't have to be signed by an outside entity. There
| could be an internal CA the server uses to sign those
| CSRs and when the client connects, the server need only
| to verify that the client cert presented has a valid
| internal CA signature.
| ufmace wrote:
| There's no reason why it has to be horrific. I'd like to
| see someone make a decent attempt at making client TLS
| certs actually work well, including not using the same
| cert for multiple domains by default. Other problem is, I
| don't think many web server frameworks have support for
| them either.
| AlexCoventry wrote:
| > if you have spare cash and like cool toys FIDO2 is a
| more capable second generation of the technology.
|
| Why would you want passwordless authentication? Isn't the
| whole point of 2FA that you have to have something _and_
| you have to know something?
| tialaramex wrote:
| The cheapest available FIDO2 option is PIN-based so your
| PIN (actually any password, it doesn't need to be like a
| bank PIN) is the something you know, and the FIDO2
| authenticator is something you have, two factors. You
| don't need to pick a PIN to have conventional "second
| factor" working but if you want a usernameless
| authentication you can have that by choosing a PIN.
|
| What's different compared to having a web site password?
| The web site knows the password, but they don't know your
| PIN. This means suddenly relatively weak human memorable
| passwords are good enough, because bad guys can't break
| in and steal 40 million of them in seconds or leverage
| them across multiple sites, the PIN is useless without
| the authenticator.
|
| But other FIDO2 authenticators can do fingerprints,
| making it something you are (a person with that
| fingerprint) and something you have (the authenticator)
| so two factors again.
|
| Usernameless (rather than passwordless) is the
| differentiator. You can literally have the sign-in flow
| be a "Sign In" button and the user does the thing (finger
| on reader, types in PIN, or maybe looks at camera) and
| they're authenticated. No step where you type in an email
| address or a username. This has a privacy cost because it
| means the authenticator knows in some sense who you are,
| but it is super convenient if that's what you're all
| about - while being much more secure than today's
| username + password dance.
| stavros wrote:
| The FIDO2 key is usually protected by a PIN that wipes
| the key after a few wrong attempts, so it combines the
| two itself.
|
| Besides, there's nothing that dictates how secure the key
| should be. You could use your hardware cryptocurrency
| wallet for this, which is probably much more secure and
| convenient than the average Yubikey (you can duplicate it
| with the seed phrase).
| josephcsible wrote:
| Some people care more about convenience than security.
| And for everyone else, it doesn't have to be
| passwordless. You can use a regular password and a FIDO
| authenticator.
| notanzaiiswear wrote:
| I can't make sense of your explanation.
|
| In 1) I don't think my YubiKey knows anything about the
| sites I use it for? It just creates keys, so a phishing
| site could presumably still steal the key created by
| YubiKey and pass it on to the real site.
|
| 2) My fingerprints definitely don't know anything about
| web sites. So WebAuthn being unphishable has nothing to
| do with fingerprints. It is only incidental that some
| devices decide to unlock the functionality with
| fingerprints.
| Thorrez wrote:
| 1) The browser tells the Yubikey: "sign this: 'logging in
| to site.com at 12:34PM'". The yubikey signs it and gives
| the signature to the browser. The browser gets the
| signature and passes it on to the site. attacker.com will
| get a signature over 'logging in to attacker.com at
| 12:34PM'. That signature will not allow the attacker to
| log in to facebook.com .
|
| 2) Correct. In fact you don't even need a hardware token.
| You can do the whole thing in software. It could even
| theoretically be built right into your browser (but you
| would have the problem of logging in to the account on a
| different device or different browser). The fingerprint
| protects against physically stolen devices, and slightly
| against malware on your computer.
| tialaramex wrote:
| > The browser tells the Yubikey: "sign this: 'logging in
| to site.com at 12:34PM'"
|
| It's even a little bit cleverer than that. During
| enrollment (to say, Facebook.com) your Yubikey provides a
| random looking "identifier" to Facebook.com, and it
| promises that it can sign future logins _if_ Facebook.com
| shows it the same identifier. The identifier is bound to
| the DNS name!
|
| So a phishing site has a few choices, none of which help
| the bad guys even a tiny bit:
|
| * It claims to be Facebook.com, but it isn't, so the web
| browser just doesn't even show the UI for Security Keys.
| There's a behind the scenes Javascript error basically,
| "What? You aren't Facebook.com fool".
|
| * It admits its real DNS name, and makes up a random
| identifier. The browser gives the random identifier and
| the real DNS name to your Yubikey. But, it has never
| heard of this combination, so, _it blanks the entire
| authentication_ figuring this must be for a different
| Security Key plugged in on another port or something.
|
| * It gets that identifier code for your login from
| Facebook, and then admits its real name to your browser
| and provides the identifier taken from Facebook. This
| still doesn't match, and the Yubikey again assumes it
| must be for some other Security Key on your system.
|
| Behind the scenes this is actually done with AEAD
| cryptography, maybe with AES keys baked inside your
| Yubikey. The "identifier" is actually something like a
| private key (likely elliptic curve parameters) that has
| been encrypted using an onboard secret AES key in an AEAD
| mode, with the DNS name (well, a hash derived from it) as
| a factor.
|
| As a result, your Yubikey can't even decrypt the
| "identifier" correctly in order to log you in without the
| matching DNS name. This means goofs in the implementation
| fail safe - e.g. one brand of cheap Security Keys can
| fail to sign in once every 256 tries on average due to a
| logic bug. But they'd never sign in where they shouldn't
| because of mathematics, to do that they'd need to
| "accidentally" completely break the mathematical
| foundations of the cryptography!
| stavros wrote:
| I'm still waiting for password managers to add soft-
| WebAuthn support, so I can log in using my password
| manager (and no physical keys or passwords). That would
| make password managers ten times better.
|
| Then again, it doesn't _have_ to be the password manager
| that does this, but it'd be nice if it were integrated.
| gingerlime wrote:
| yes exactly! Bitwarden supports TOTP nicely already. And
| I think you can authenticate _to_ it with FIDO2
| apparently. It would be awesome if it could do software-
| based WebAuthN but I don't think it does...
| stavros wrote:
| It doesn't, unfortunately. I've opened an issue on their
| forum but nothing yet. Not many websites support WebAuthn
| (let alone passwordless), so I guess password manager
| vendors aren't in a hurry to implement it.
| kerng wrote:
| At high level imagine it like this:
|
| The browser will only give access to the Yubikey token
| for a specific domain name - so if the attacker phishes
| for examle.org, rather than example.org, then there are
| just no tokens (signing keys) available the Yubikey could
| use and give to the browser.
|
| In the early days WebUSB in Chrome had bugs that allowed
| bypassing that same-origin check, but that was fixed 3
| years ago.
| fossuser wrote:
| Yubikey is one - it requires the user touch a hardware
| device which signs something locally that I think is
| never sent? I don't know enough of the implementation
| specifics, but it's supposed to guard against this kind
| of thing.
| laggyluke wrote:
| Yubikey is actually pretty "phishable", at least in the
| OTP mode. It will happily put the token into a phishing
| website (or literally anywhere else) as soon as you touch
| it.
|
| It's also good to know that Yubikey's OTP tokens don't
| expire based on time, but based on a hidden counter that
| gets incremented with every issued token.
|
| So if you've accidentally touched your Yubikey and leaked
| the token publicly, you just have to log out and then log
| back in using your Yubikey - that action will invalidate
| all tokens issued before this point.
| greggyb wrote:
| Yubikeys (or at least some models) can be configured with
| multiple different OTP implementations. Yubico's own OTP
| implementation behaves as you have described. It is not a
| guarantee that generating an OTP from a Yubikey means you
| have generated a Yubico OTP.
| 1024core wrote:
| What happens if the Yubikey goes bad? I use one for work,
| and the last 2 keys I had developed some hardware issues,
| and stopped responding, so I had to get a new one.
| rob-olmos wrote:
| The recommendation is to have at least one backup key.
|
| There's also a WebAuthn extension in the works to at
| least make it easier to maintain a backup key by not
| having to pull it out of the safe every time you register
| MFA with a new service:
|
| https://www.yubico.com/blog/yubico-proposes-webauthn-protoco...
| shawnz wrote:
| I really wish I could find a password manager which
| supports WebAuthn, and can also be unlocked with
| WebAuthn, so that only one secret needs to be replaced in
| such a situation.
| klodolph wrote:
| YubiKey uses U2F and FIDO2/WebAuthn. The YubiKey also
| does a lot of other things, depending on which YubiKey
| you have... but if you want 2FA on random websites, those
| are the most likely protocols (used for GitHub and the
| like).
|
| The basic U2F + FIDO2/WebAuthn is the least expensive
| model, around US$25. These days it works seamlessly on
| Chrome, Firefox, and Safari.
| dmoy wrote:
| So, popping up three comments, this explains which types
| of 2FA are not phishable:
|
| > I wish he'd mention what kind of 2FA. The reason you
| _really_ should use U2F/WebAuthn is because it does
| origin binding which, unlike entering a TOTP, a code from
| your hardware token/authenticator app on your
| phone/SMS/etc is not phishable, i.e. you can't enter it
| by accident on accounts.google.com.totallylegit.ru and
| then have them enter it on real accounts.google.com. This
| is so because the U2F/WebAuthn security key signs a
| request, sent by your browser, which embeds the
| requesting page's domain, so a signature on attacker.com
| will not pass victim.com's verification checks, whereas a
| code from your authentication app is trivially copied.
| anamexis wrote:
| The first comment in this thread describes why U2F is
| unphishable.
| UncleMeat wrote:
| Another poster has mentioned it, but I will add weight. This
| is super ultra mega wrong.
|
| Phishing SMS and TOTP codes is _way_ more common than SIM-
| swapping. Outrageously so. SIM-swapping does not scale. You
| need to call up a company each time you want to do it. Yes,
| it works. But you cannot sell a tool that just automates it.
| In comparison, there are many off-the-shelf phishing kits
| that fully automate SMS and TOTP 2FA theft.
| mushishi wrote:
| How is it possible that some kind of imaginative script can
| be enough to get a SIM swapped? Why aren't the operators
| requiring a strong identification via a passport or something
| like that? Maybe I'm really dumb but that just boggles my
| mind, whether or not there exist other types of alternatives
| to 2FA.
| jdavis703 wrote:
| They could require this. Most of the big operators have
| physical stores where they could do an ID check. There
| should be an advanced protection mode where SIM swaps and
| other sensitive operations require physical authentication.
| Destitute wrote:
| There's not much you can confirm over the phone, except the
| account PIN and sometimes security hint. But an attacker
| can pretend to have forgotten it and press that the matter
| is urgent. If the attacker knows enough about the person,
| they might be able to convince an agent to make the swap so
| the agent can:
|
| 1) Get on with their day to maybe hit a support request
| quota
|
| 2) Make sure this person doesn't give them a bad
| customer satisfaction score
| cinntaile wrote:
| You could require verifying your identity using your
| electronic ID if you want to simswap by calling the
| helpdesk.
| InitialLastName wrote:
| Wouldn't that be obvious to the victim the moment their phone
| didn't work? Or will the carrier leave the old SIM activated?
| withinboredom wrote:
| IIRC, in the US, sometimes they just give the old SIM some
| random phone number (to keep you paying the bill) and don't
| cancel the line. In the EU, I'm pretty sure they cancel the
| old line.
| wunderwuzzi23 wrote:
| Old school phishing is the most common MFA bypass.
|
| Here is a description how it works:
|
| https://github.com/wunderwuzzi23/KoiPhish
|
| Unless you use Yubikeys (webauthn) etc these phishing attacks
| just continue to work. I do consultancy in this space at
| times and about 95+% of folks who enter their password will
| also enter their MFA token.
| hackettma wrote:
| Followed the link and the README is a bit sparse on details.
| For the less technical this still would require the phishee
| to manually enter credentials which then can be relayed to
| the attacker. Correct? The article mentions this happened
| while the author was asleep -- any thoughts on how that
| would work?
| tialaramex wrote:
| One thing that can happen is you get enduring credentials
| from the OTP sign-in, and they last despite other
| credentials simultaneously existing elsewhere.
|
| I only use Facebook trapped inside Facebook Container in
| one Firefox on one computer. But my understanding is that
| it's possible to sign in to Facebook from say a phone and
| a laptop at the same time, so the bad guys could get you
| to give them working credentials one day and persist
| those until you're asleep before using them. If you went
| to Facebook's security settings "Where you're logged in"
| and it lists two logins, one in "Paris" while you are in
| New York, you might realise there's a problem and force
| them out. But most people likely never look at that, why
| would they?
| FabHK wrote:
| I might be tempted to enter the TOTP, but my browser is
| unlikely to enter the password, and I definitely won't.
| andybak wrote:
| I think the fact that password managers can spot
| incorrect urls better than users is useful. However I've
| become numbed to this warning flag by those services that
| seem to have endless different urls that are all
| legitimate. (Microsoft being a particular offender here).
|
| I can imagine some variant of
| outlook.microsoft.developer.really.yes.com catching me
| unawares one day.
| tialaramex wrote:
| Microsoft does seem to know how to do this correctly when
| they have to, as they offer WebAuthn and there is
| deliberately no way to tell WebAuthn "I know this is
| outlook.com but I need live.com credentials". So they
| will bounce you through the _right_ name to make it work.
| But you're correct that for phishing this habit of
| making up new DNS names is a problem, ie it convinces the
| lay person they have no idea and should just fill in
| their password wherever it's requested.
| hulitu wrote:
| There is also the ad which runs on the same webpage and reads
| what you type or your clipboard.
| ignoramous wrote:
| > _...has figured out just the right script to tell support
| ("oh, I dropped my phone and it won't turn on...")_
|
| Isn't this _vishing_? https://youtu.be/BEHl2lAuWCk
| xsmasher wrote:
| No; phishing / vishing is contacting the customer to get
| login details. Contacting support and getting them to
| circumvent security is social engineering.
| loloquwowndueo wrote:
| It's probably worth faking having lost your 2FA and asking
| for it to be reset. If you find out they are this careless
| with 2FA-protected accounts, you should probably not rely on
| it too much.
|
| I manage an authentication and identity provider and if
| someone gets locked out of 2FA and can't prove their identity
| via a previously-uploaded gpg key, they get locked out for
| good. I never honor requests to reset the device sent by
| email, no matter how much they beg or offer to prove identity
| by sending copies of official IDs - I don't care who they are
| _now_ , I care about them being the same person that set up
| the account and 2FA, which can only be proven via a valid 2FA
| device or a GPG signature.
| jokethrowaway wrote:
| It could be worth it to spend the $1.50 on Stripe to do
| identity verification with id documents for accounts of a
| certain size, so that they can present those documents
| again to regain access to their account.
|
| Re-enabling the account after a certain period of time
| without activity would also be a good measure (on top of
| the id verification).
| xwolfi wrote:
| And then lose the documents in a big hack so that
| everyone with a forum access can use your passport copy.
| yes.
| scrollaway wrote:
| The whole point of using Stripe for it would be not to
| have the documents in question. Kind of like you don't
| hear about companies using stripe losing their customers'
| card numbers.
| ceejayoz wrote:
| > It's probably worth faking having lost your 2FA and
| asking for it to be reset.
|
| I'm not sure I trust that I'd be as good an attacker as a
| professional, and there's not a great way to replicate
| "hang up, call again" approaches likely to work with a big
| org.
| samstave wrote:
| > _Beating 2FA is almost always SMS hijacking_
|
| How exactly does this get executed? I'm pretty technical, but
| I can't fathom exactly how this occurs:
|
| You hijack a cell tower, then have some system to listen to
| un-encrypted SMS traffic??
|
| Plz ELI5
| josephcsible wrote:
| It's an attack on humans, not on technology. You trick
| their phone carrier's employees into thinking that you're
| them and that you lost your phone. Then you end up with a
| SIM card assigned to their phone number, so you receive all
| of their calls and texts instead of them.
| ev1 wrote:
| It's zero cost and zero effort to port someone's number
| out, or get a new SIM card issued for the existing account.
|
| I've worked with a bunch of streamers and YouTubers, and
| the threat model is such that people have shown up with
| professionally made printed fake IDs to attempt hijacking
| in an actual retail carrier store.
| FabHK wrote:
| In this case it seems the author was asleep, so it was probably
| not a phishing site passing on the legitimate TOTP.
| encryptluks2 wrote:
| What you're describing here isn't exclusive to hardware tokens
| and there is nothing preventing software from checking the
| domain using TOTP.
| madars wrote:
| How? TOTP does not embed the domain, as it is generated on a
| separate device which does not communicate with your browser,
| and does not know the target domain. TOTP is literally
| HMAC(shared-secret, time-interval) mapped to a short range
| (e.g. mod 10^6).
| lemoncucumber wrote:
| My password manager only fills passwords on the domain they
| belong to, and it's also my TOTP generator so the same
| applies there too.
| encryptluks2 wrote:
| > it is generated on a separate device which does not
| communicate with your browser, and does not know the target
| domain.
|
| No, not always and many password manager solutions do
| integrate with your browser and know the domain for the
| password.
| madars wrote:
| Then that's not TOTP
| https://datatracker.ietf.org/doc/html/rfc6238 but
| something different. Do you know how it is called and
| which products support it? I'd love to read up about it!
| encryptluks2 wrote:
| Yes, it is TOTP:
|
| https://github.com/tadfisher/pass-otp
| valid_username wrote:
| Bitwarden has TOTP support in paid plan. And it works
| with browser extension which recognises domains.
| AkshitGarg wrote:
| It certainly recognizes the domain, but that's more of a
| convenience feature than a security feature. Nothing is
| stopping you from putting your example.com code into
| legit-example.com manually. Sure the extension won't do
| it automatically, but if the user is convinced to put the
| password into the fake website, the user could also put in
| the TOTP code
| theshadowknows wrote:
| For work things I often have to enter a code from one or
| another app that expires every few seconds. I've always
| wondered how exactly that works. Where might I go to find out
| about that? Is it as straight forward as googling "how two
| factor authentication works" or is there some other
| terminology?
| cs2733 wrote:
| They're called Timed One-Time Passwords or TOTP and they're
| one form of 2FA
| nine_k wrote:
| You mean TOTP?
|
| Imagine a hash function that generates a number from the
| number of minutes since epoch hashed additionally with some
| seed. You have it on the server, you have it on your, say,
| phone. When you enroll you share a seed for the generator.
| Since your time is synchronized, the server knows what
| value(s) to expect, and the phone knows which value to
| generate.
|
| The real scheme is a bit more involved:
| https://en.m.wikipedia.org/wiki/Time-based_One-Time_Password...
| quadrifoliate wrote:
| A simplified and inaccurate version:
|
| - You and I share a secret at my first login. Let's say our
| shared secret is "wibble".
|
| - For any subsequent successful login with my username and
| password, for the second factor I send you the last six
| digits of the SHA1-hash of ("wibble" XOR current timestamp)
|
| - You calculate the second factor yourself as well by doing
| the same operation (you have stored "wibble" for my username,
| and know the current timestamp), and verify those last six
| digits. If they are wrong, I am an attacker!
|
| An accurate version:
| https://datatracker.ietf.org/doc/html/rfc6238
| quelltext wrote:
| I always wondered, doesn't that require the clocks to be
| synchronized?
|
| Like, what happens if I set my phone to a different time?
|
| What if the server has lost connectivity to an NTP service
| and its clock is a few minutes off?
| mattkrause wrote:
| In practice, it's not the _exact_ timestamp, down to the
| millisecond--there's a window of 30 seconds or so for
| each code. On top of that, some services will also accept
| one of the last (or next) few valid codes too. So it
| needs to be _roughly_ synchronized, but not impractically
| so.
|
| Some systems have some extra magic that allow the server
| to adjust for each device's clock skew; this was
| particularly important for hardware tokens that didn't
| have network connections. To imagine how that might work,
| suppose the server normally accepts responses that are
| valid at times t-2, t-1, t (the current time, per the
| server), t+1, and t+2. If a user consistently replies
| with the t-1 token, we know that her device is running
| slightly behind and we can instead authenticate against
| t-3, t-2, t-1, t, t+1.
| quadrifoliate wrote:
| In addition to this, it's worth mentioning that the two
| sides _can_ go out of sync, and if so, there are ways to
| fix that.
|
| The TOTP implementation for AWS logins is particularly
| prone to doing this for some reason, and you have to
| enter simultaneous TOTP codes to resync.
| recursive wrote:
| How is that possible? Codes from authenticator apps I've seen
| are 6-digit decimal codes. I don't know much about how it
| works. But I can't see how this is immune from mitm. I pretend
| to be $SERVICE and ask you for your authenticator code. If you
| fall for it, you'd give me the code, which I can use to
| impersonate you for the next 30 seconds.
| jeffbee wrote:
| That's why they said you should use U2F, not TOTP.
| riedel wrote:
| I really wonder why typically the default policy is to
| convert a totp token to a longer lived token (keep browser
| authorized) defying the whole idea of totp. Used like this
| it seems like just two passwords or am I missing anything?
| Phishing seems really easy.
| recursive wrote:
| I'm not aware of the acronyms, but I was responding to
| this:
|
| "a code from your hardware token/authenticator app on your
| phone/SMS/etc is not phishable"
|
| That certainly seems like it's wrong, and doesn't include
| an acronym other than SMS.
|
| But apparently there's more depth to this space than I was
| aware of.
| krastanov wrote:
| You misread that statement and the excerpt you copied
| completely changes its meaning if you remove the
| surrounding. Read it as:
|
| "U2F/WebAuthn is secure because it does origin binding
| which is not phishable, unlike entering a TOTP or a code
| from your hardware token or authenticator app or SMS"
|
| Putting the original parenthetical in between the start
| and end of the main clause definitely makes it easy to
| misread. I just moved the parenthetical to the end of the
| sentence.
| ianburrell wrote:
| U2F/WebAuthn doesn't use six digit codes. You plug in a USB
| key, press the button on top of the key, and the browser does
| an exchange with the key and passes the result to the site.
|
| The exchange between browser and key includes the domain of
| the site. It only works on the same site where the key was
| registered.
| madars wrote:
| Codes from those apps are typically TOTP: a deterministic
| output given a shared secret (e.g. from QR-code during the
| setup procedure) and current time interval, e.g. HMAC(shared-
| secret, time-interval) mod 10^6. This does not embed the
| domain. However, U2F is a completely different protocol that
| does: you'd typically insert a YubiKey in a USB port and tap
| a button on it when the browser sends "plz sign a request
| from login.bank.com" (+ other associated data)
| https://developers.yubico.com/U2F/Protocol_details/Overview....
|
| (Note that most YubiKeys also support non-U2F modes, most
| commonly HOTP (HMAC(shared-secret, counter); counter +=1))
| AkshitGarg wrote:
| > impersonate you for the next 30 seconds.
|
| AFAIK some websites allow you to use the previous TOTP code
| for convenience for some more seconds. That makes the total
| time to impersonate you to be 30 (or whatever was configured
| while issuing the TOTP secret) plus the grace period websites
| allow.
|
| Edit: formatting
| [deleted]
| quadrifoliate wrote:
| > I wish he'd mention what kind of 2FA...U2F/WebAuthn...origin
| binding...SMS
|
| It shouldn't matter, because it's irrelevant to the point of
| the article, which is that Facebook (at least as reported)
| leaves a hacking victim with little or no recourse to get their
| account, and sometimes livelihood back.
|
| An imperfect real-world analogy of your question is like asking
| about what precise brand of bear mace an assault victim was or
| was not carrying, and whether a better one would have helped.
| Perhaps it would have, but _that 's not the point_. If having
| hardware tokens is so important, Facebook should be making them
| mandatory at its scale.
| rustyminnow wrote:
| I for one would appreciate knowing what brands of bear mace
| are ineffective and worth avoiding.
| 101_101 wrote:
| LOL that's what you get for using a shitty company like that.
| owner called you a dumb fuck BTW.
| cowturds wrote:
| Facebook, 1 Hacker Way. Hah hah ha
| golover721 wrote:
| I honestly have never seen my login to Facebook expire. Even
| without enabling the remember me checkbox after logging in on iOS
| safari the login is valid forever unless I clear the cookies. I
| have never seen that level of brazen disregard for security with
| any other modern site.
| koreanguy wrote:
| Lying piece of snake oil. He is a content writer; think about
| that for a moment.
|
| Facebook spends billions on security, it's impossible to hack
| Facebook, this guy is full of snake oil. He's a techie and pretty
| sure he secured his accounts properly.
|
| I hate these fake-ass posts
| zippyy wrote:
| It's a shame that a corp like Microsoft has nerfed the Oculus to
| require a Facebook account. And on top of that uses shitty 2FA.
| PostThisTooFast wrote:
| Yes, Facebook is a bunch of assholes. This is obviously a grossly
| incompetent scenario at best, and a deliberate rip-off at worst.
|
| But the guy totally glosses over how they could have "beat his
| 2FA." That is a huge unanswered question.
___________________________________________________________________
(page generated 2021-08-21 23:01 UTC)