[HN Gopher] Owners of 1-Time Passcode Theft Service Plead Guilty
___________________________________________________________________
Owners of 1-Time Passcode Theft Service Plead Guilty
Author : todsacerdoti
Score : 81 points
Date : 2024-09-02 16:56 UTC (6 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| 8n4vidtmkvmk wrote:
| They should go after all of their customers too.
| 101008 wrote:
| As the other comment said, they should go after all their
| customers too. I can't believe there are thieves out there paying
| other thieves for theft services...
|
| Unrelated, but at the start of the year, a lot of Payoneer
| customers from Argentina lost their savings in the platform* due
| to someone having access to the OTP codes. Payoneer said the
| error wasn't on their side, and evidence suggested that it
| was an error in Movistar, because all the victims were customers
| of that particular telco. As far as I know, Payoneer didn't
| return the money and Movistar was never charged or anything
| (rumours say it was a Movistar employee who sold the SMS with the
| OTP).
|
| And if you ask why a lot of Argentine people use Payoneer and
| keep their savings there, it's a bit long to explain, but
| basically it's their way to get paid in USD outside the country
| without paying taxes (fair and unfair ones) and without getting
| their payments converted automatically to ARS pesos using a bad
| rate.
| ensignavenger wrote:
| If Payoneer was using SMS-based auth codes, then it was clearly
| Payoneer's error for doing something so incredibly stupid.
| bn-l wrote:
| I think it's security by popularity: You can't be blamed if
| it's "industry standard". Meanwhile it's 10x less hassle than
| trying to get people to use an authenticator. Passkeys aren't
| perfect privacy wise (and everything google touches is
| suspect), but they are easy.
| chrisweekly wrote:
| > You can't be blamed if it's "industry standard".
|
| Thankfully, that's not true. Class action lawsuits can and
| do successfully target widespread industry malpractice. My
| first job out of college was as a paralegal, helping over
| 90 million American plaintiffs sue nearly every major life
| insurance company in the country for the previously common
| "standard behavior" of insurance agents convincing
| policyholders to periodically "roll over" their accounts,
| to the sole benefit of the agents and their employers. The
| settlement payout for each participant was typically meager
| -- but the malpractice was stopped.
| miki123211 wrote:
| Not only that, but mandatory authenticators would also
| create a support (and security) nightmare the moment you
| stepped out of the upper-middle-class, privileged tech
| worker world.
|
| They work great if you assume that everybody has a
| smartphone (as opposed to a feature phone), that they don't
| have their phones stolen every other month, that they know
| how to set up an authenticator app, that they'll remember
| to reconfigure everything properly when migrating to a new
| phone and won't immediately throw the old one away and so
| on.
|
| This problem is made even worse by the notoriously bad UX
| of most authenticator apps, notably the lack of automatic
| iCloud / Google Drive backup functionality and their
| inability to automatically show the code on screen whenever
| it's needed.
|
| The nice thing about SMS is that you can outsource most of
| the support burden to carriers, which have to handle it
| anyway. Carriers have the advantage that they usually speak
| the user's language, have an office relatively nearby, and
| can verify your government ID in person if need be.
| AStonesThrow wrote:
| > If Payoneer was using SMS-based auth codes, then it was
| clearly Payoneer's error for doing something so incredibly
| stupid.
|
| It's sort of ironic that the Krebs article indicates that
| these dudes were specifically targeting the "most secure" OTP
| methods we know: authentication apps, rather than SMS or
| email codes.
|
| They were simply using social engineering and human trust to
| bypass the industry's best technical practices.
|
| SMS and email are side-channel communications, so the
| attacker would need to intercept them, and hopefully suppress
| the legitimate receipt as well. I'd get kind of worried if my
| bank sent me an unsolicited code. But a consumer may be more
| credulous when their "bank" calls in to request one from
| them...
| deepsun wrote:
| Bank Of America accepts _only_ SMS codes, nothing else.
| jalk wrote:
| That is not correct. You can use a "USB security key",
| e.g. a YubiKey. See https://www.bankofamerica.com/security-center/online-mobile-...
| dgoldstein0 wrote:
| There's a whole underground economy. I recall hearing a story
| of how one guy was busted who used to build an exploit kit and
| sell it to people for a cut of their earnings.
|
| And then there's crazier shit like
| https://krebsonsecurity.com/2024/03/blackcat-ransomware-grou...
| janalsncm wrote:
| The craziest one I've heard of was the app Anom which was
| supposed to be for criminals to communicate securely and
| secretly. Except it wasn't, it was actually controlled by the
| FBI. I'm part way through a book about it now and it's pretty
| incredible how the FBI took it over and essentially became
| world police.
| mananaysiempre wrote:
| > I can't believe there are thieves out there paying other thieves
| for theft services...
|
| Why wouldn't there be? It's not like an economy needs anything
| more than a medium of exchange and a kind-of-functional
| guarantee of nonviolence to arise. If you have that, you don't
| need to arrange for a market, it will just happen, more or
| less. (Healthy or not is another question.)
|
| Anyway, yes, there's phishing for hire, bring-your-own-payload
| exploitation for hire, ransomware for hire, and of course DDoS
| for hire. Captcha solving for hire is legitimate enough to
| occasionally get posted on HN (and I don't think it shouldn't
| be). People's residential or mobile internet connections for
| hire, hijacked via free VPN browser extensions and mobile ad
| SDKs, are legitimate enough to be sold via advertising
| conglomerates (but I think they shouldn't be).
|
| A market isn't something you build, it's something you have to
| actively prevent.
| miki123211 wrote:
| Another example of this phenomenon is "free" markets in
| prisons, where the currency is usually cigarettes.
|
| Other places where freedom is limited have similar
| characteristics, I remember that we had a sort of food market
| when I was a child at a boarding school.
| 0x3444ac53 wrote:
| Fun fact: I had a family member in prison and apparently
| they used postage stamps as currency.
| wileydragonfly wrote:
| I tried to set up a bank account in Argentina, and I will admit
| it was to buy cheap digital PC and Xbox game licenses.
| Incredibly hard to do so as a foreigner.
| cynicalsecurity wrote:
| Three young people aged 19, 21 and 22. I was wondering who would
| do something as stupid as this and think they can get away with
| it in the UK.
| popcalc wrote:
| They forgot to give the MPs their slice.
| michaelt wrote:
| A person could easily get the _impression_ the UK didn't
| police crime online, simply because crimes like DDoS attacks,
| cryptolockers, cryptocurrency scams, identity theft, fake tech
| support callers and suchlike are all typically cross-border
| crimes where the police have basically no powers.
|
| The reality is the police are more than happy to act when the
| criminals involved can be identified, and are under their
| jurisdiction, and you can get the attention of the right
| department - that's just a very rare set of circumstances.
| fn-mote wrote:
| I was wondering if they were the fall guys for organized crime
| work.
|
| Their chat log (apparently) makes it clear they were
| independent operators, at least.
| philip1209 wrote:
| They probably thought it would be super niche and nobody would
| notice. Then, they got product-market fit and didn't want to
| walk away from the money.
| A4ET8a8uTh0 wrote:
| I am trying to think about how this could be mitigated and I am not
| sure there is a good way. Before we even begin, using an
| unknown third party is a risk, and companies have no problem using
| whatever providers. Just dropping OTP is not exactly ideal either,
| so we are stuck between a rock and a hard place.
| vaylian wrote:
| TOTP is a simple and nice solution, but it is susceptible to
| real-time phishing attacks.
|
| Webauthn is a more complex alternative and it is phishing-
| resistant, because each credential is tied to a domain, which
| means that a look-alike phishing website doesn't work. But you
| need to use a hardware token or a special service like Windows
| Hello or Apple's FaceID to manage your credentials.
| https://en.wikipedia.org/wiki/WebAuthn
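As an added illustration of the domain binding described in the comment above (example code, not from the post or any WebAuthn library), these are the relying-party checks that tie an assertion to the genuine origin and rpId: clientDataJSON stamped by the browser with a look-alike origin is rejected before any signature is examined, whereas a TOTP code carries no information about where it was typed. RP_ID, EXPECTED_ORIGIN and the sample assertion data are constructed for the example.

```python
import base64
import hashlib
import json

# Relying-party settings for this example; both values are constructed.
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            challenge: bytes) -> tuple:
    """Relying-party checks on an authentication assertion that tie it to the
    genuine site (type, origin, challenge, rpIdHash). The signature check over
    authenticatorData || SHA-256(clientDataJSON) follows these and is omitted."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The browser, not page script, fills in the origin it is running on.
    if data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + repr(data.get("origin"))
    if data.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    # First 32 bytes of authenticatorData: SHA-256 of the rpId signed for.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """The clientDataJSON a browser at `origin` would produce (constructed)."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def demo() -> dict:
    challenge = b"\x01" * 32  # constructed; a real RP draws this at random
    # rpIdHash || flags (user-present bit set) || 4-byte signature counter
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x05"
    genuine = make_client_data("https://bank.example", challenge)
    lookalike = make_client_data("https://bank-example.com", challenge)
    return {"genuine": check_assertion_binding(genuine, auth_data, challenge),
            "phished": check_assertion_binding(lookalike, auth_data, challenge)}
```

In practice the browser on the look-alike site will not even produce an assertion for an rpId it does not own, so this server-side check is the second of two layers that make the credential useless to a proxying phishing page.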
| lxgr wrote:
| Several password managers support it at this point too,
| without any hardware requirements. Bitwarden's implementation
| works pretty well, for example.
| bigfatkitten wrote:
| But then of course you also lose one of the main security
| properties that made webauthn desirable in the first place.
|
| If you can copy the credentials to your own new device, an
| adversary can copy them to their device also.
| wongarsu wrote:
| That's true of SMS 2FA too, though, as well as many TOTP
| implementations. Being able to copy credentials to a new
| device is a major usability plus, consequently it is
| widely implemented.
|
| Physical webauthn tokens are obviously better, but
| software webauthn is the second best thing. Software TOTP
| is a good bit worse, and SMS OTP shouldn't even qualify
| as a secure method.
___________________________________________________________________
(page generated 2024-09-02 23:00 UTC)