[HN Gopher] How to lose a fortune with one bad click
___________________________________________________________________
How to lose a fortune with one bad click
Author : todsacerdoti
Score : 215 points
Date : 2024-12-18 13:21 UTC (2 days ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| namaria wrote:
| I wonder if there's any one legitimate instance of a company
| calling you about compromised accounts and requiring your action.
| It seems to me that anyone reaching out and lighting a fire under
| your ass can be assumed to be a malicious actor.
|
| Any notification asking you to confirm your identity that is not
| initiated by your actions should be immediately dismissed with a
| "no" and that should be all there is to such things, no?
| rcxdude wrote:
| Banks are pretty good at doing an impression of phishing scams,
| unfortunately. Almost every red flag for a scammer has also
| been done by a bank, legitimately.
| athenot wrote:
| This.
|
| Also healthcare providers, though they seem to have finally
| wised up. They would call me from poorly configured phone
| systems (so unrecognizable caller id) and the first thing
| they would ask is to confirm full name and date of birth.
|
| Patterns like this do a great deal of damage in desensitizing
| folks and making them accept dangerous patterns that get
| exploited by scams.
| hollerith wrote:
| Even if you recognized it, the number shown by Caller ID is
| easy for the caller to spoof -- or at least it was a few
| years ago (the last time I paid attention).
| athenot wrote:
| Thankfully that part has vastly improved with
| STIR/SHAKEN, combined with number reputation management.
| ipython wrote:
| The problem with that, at least in my experience with
| iPhone, is you can only get the authentication signal
| _after_ you've already hung up. The only thing I see is a
| small checkmark next to the "location" of the call in my
| recent call log. I can't find any indication of a STIR/SHAKEN
| status in the active call screen.
|
| So asking people to take the step to confirm the call is
| legitimate won't work - they can't tell until they've
| already terminated the call. It's useless for purpose
| imo.
| vel0city wrote:
| On my Pixel some calls just get auto-rejected. Others
| will get through but be marked with a red caution symbol
| for the picture and say "Scam Likely". Then finally
| sometimes the call will come through with just the number
| but still have that red caution symbol.
|
| I imagine it is doing something with STIR/SHAKEN along
| with how many other times similar calls have been flagged
| as spam calls.
| ipython wrote:
| My carrier has a similar "scam likely" feature but afaik
| that is not directly tied to stir/shaken. I've also
| signed up to have calls rejected and can see them in the
| carrier app.
|
| I have reported at least a thousand different scam calls
| over the past two years and so my blocked number list is
| so large it freezes the phone for a minute or so while it
| loads. Still the scammers persist...
| ryao wrote:
| I remember when I used Ting, I could specify what would
| appear as caller id. If I had wanted to abuse this, I
| could easily have had it display whatever number I wanted
| instead of my name. Since a number of phones would
| display the caller id instead of the number when caller
| id was available, nobody would know that the number was
| not real. I am not sure if this has changed at all.
| nottorp wrote:
| Banks maybe, but Google? Google only has "AI" support and
| that doesn't call us yet. So it's safe to assume that any
| call from Google is fake.
| adrianmsmith wrote:
| There was a comment on Hacker News, which alas I can no
| longer locate, where a guy said he'd been called by his bank
| and the bank wanted him to answer various security questions.
| He said he was happy to do so, but firstly needed the bank to
| verify who they were, or to call the bank back on a telephone
| number on their website. The bank refused, so he refused to
| give them any details. The bank then blocked his bank
| account, meaning he couldn't pay his university tuition on
| time, meaning his student visa was no longer valid as he was
| no longer "studying", meaning he had to leave the country.
| namaria wrote:
| A bank blocked an account because they called someone and
| that person didn't provide them with personal data? That
| sounds unlikely.
| ryao wrote:
| I am not surprised. I know of a bank that disabled a
| credit card following a single missed payment for the
| crime of failing to answer a phone call.
| ElevenLathe wrote:
| This is one of the reasons I use a local credit union
| with a handful of branches only in my region. I can
| always re-establish trust by just walking into a branch
| to do business, and likewise they can always just ask me
| to walk in with my driver's license if they need to
| verify that I'm really me.
| michaelt wrote:
| A reasonable decision in your case, no doubt.
|
| But the mentions of "his student visa was no longer valid
| [...] meaning he had to leave the country" make me think
| walking to a local bank branch might not have been an
| easy option in the post adrianmsmith recalls.
| ElevenLathe wrote:
| Absolutely agree! I only brought it up because it seems
| like, in our quest for efficiency, we are rapidly heading
| for a world where we try to delegate trust to outside
| entities (like tech companies, megabanks, or far-off
| government departments in Washington, D.C.) but,
| fundamentally, what makes financial transactions work
| (with anything other than physical currency), is actual
| real trust between parties. This is how the great banking
| houses of Europe began, it's how remittance networks
| still work in much of the global south, and its how the
| Jimmy Stewart-style small town bank once functioned.
| National banks with lots of local branches are an
| approximation of this, but the "branches" keep getting
| less and less bank-like: there is no "president" at the
| BoA branch inside Kroger, just somebody with a pulse who
| can technically pass a background check far enough to get
| bonded. Finally, many of the big banks are just closing
| these far-flung branches altogether. Bank of America &co.
| may get many advantages from their enormous scale, but
| they may be undermining their own foundations in the name
| of cost savings by trying to cheap out on "customer
| service" as if banking were just another kind of
| retailing and trust wasn't central to their entire
| business.
|
| They probably know this and don't care because it won't
| happen this quarter or likely even this fiscal year, so
| it doesn't matter to anyone in charge. But it does matter
| to ordinary people trying to conduct their lives without
| being irreversibly de-personed by a flakey customer
| service bot.
| adrianmsmith wrote:
| Banks do have obligations under AML and KYC laws to get
| information from their customers. I mean I know a single
| phone call sounds extreme, but I could believe it.
|
| My bank (in the EU) wrote to me a while back (post, no
| copy to email, no sms, no phone call, etc.) saying if I
| didn't provide info on certain recent transactions (my
| salary) they'd block my account in two weeks. Thankfully
| I wasn't on vacation and saw the letter and answered and
| it was all OK.
| rcxdude wrote:
| I've definitely experienced the first half of the story:
| banks really will do dumb things like this and then be
| surprised when someone is upset by it (anti-fraud
| protection tends to be the worst: a text-message from a
| random unaffiliated number with another unaffiliated
| number to call, where you must then provide account
| details in order to get your card unblocked, and trying
| to call the official number and go through the phone tree
| does in fact, eventually, tell you that it was
| legitimate, but only after hours of being batted between
| departments).
| throwway120385 wrote:
| I understand the desire to be skeptical, but maybe you
| should give individuals the benefit of the doubt and the
| giant multinational corporation the skepticism.
| ryao wrote:
| I have had my telephone company ask me to give them a code
| sent to my device. It is presumably to prove to the company
| that the representative is talking to me so that bad actors
| low in the company cannot start randomly messing with
| people's accounts. It is the equivalent of the bad click
| here. The only real defense is to know the difference between
| a mechanism meant to authorize someone at the company and a
| mechanism to authorize you. Confuse the latter for the former
| like the victim did here and bad things will happen.
| yorer wrote:
| Ideally yes, no one would fall for that. But these types of
| attacks don't rely solely on ignorance. They introduced
| urgency, the fight or flight situation. Plus the first guy in
| the article got caught up in bad timing where his mental
| condition wasn't right, with his kid crying, his wife yelling
| etc.
| MathMonkeyMan wrote:
| Yes, but you have to know that.
|
| I got a call from "Bank of America," and they smoothly talked
| me into giving them my debit card PIN. The trick was they had
| gotten into my online banking beforehand. "We've detected
| possibly fraudulent activity on your account." Then they read
| me real transactions from my actual account. "To be safe, let's
| lock down the account. For this we need more information for
| authentication, though." Probably started from a phishing thing
| that I fell for online without noticing. It was pretty clever
| of them. Not so easy to steal from a checking account without
| leaving a trail, unless you have the PIN. Then the main risk is
| to whomever was on camera at the ATM withdrawing as much cash
| as possible before the account was automatically locked down.
|
| The next day, I got a call from "Bank of America" telling me
| that I'd been had. Fortunately they just credited the money
| back into my account. About $5000.
|
| The main difference is that the first call wanted me to give
| them information, while the second call advised only "go into a
| bank branch in person."
|
| The article's advice is correct. If someone asks you for info,
| tell them you'll call them back. It is almost certainly a scam.
| Calling back the possibly spoofed number at worst wastes a
| little time being on hold, and at best saves you or the bank a
| lot of money.
| Majromax wrote:
| > Calling back the possibly spoofed number
|
| Don't call back the number possibly being spoofed (i.e. using
| your Caller ID as the source of the callback number). Call an
| independently-listed number for the company, such as the
| phone number on the back of a credit or debit card. Using an
| independent number prevents any failures where the Caller ID
| correctly reports an attacker-controlled but plausible-
| sounding number.
|
| For extra paranoia and safety, perform the callback from a
| separate phone line. That would avoid at least some of the
| more-targeted attacks involving a compromise of the victim's
| phone connection, which could potentially allow the attacker
| to redirect outgoing calls.
| 01HNNWZ0MV43FF wrote:
| "Hang up, look up, call back"
| crote wrote:
| > The main difference is that the first call wanted me to
| give them information, while the second call advised only "go
| into a bank branch in person."
|
| Unfortunately physical branches are expensive to maintain, so
| a lot of banks have been closing them down. There are even
| plenty of banks with _zero_ physical branches now. All
| contact is via phone or email, so there is no scam-proof way
| for them to contact you.
| pavel_lishin wrote:
| They don't have to have a scam-proof way to contact me.
| They just need to give me a way to contact _them_.
|
| That way, any phone call or email to me can be immediately
| ended with me saying "Thanks, I'll call the number on the
| back of my card," and hanging up.
| vel0city wrote:
| Exactly this. Send me a call or text message that maybe I
| should go look at my account. If I log in through my
| normal trusted process and everything looks OK, then I
| can assume it's not legit.
|
| Most banks seem to have some kind of internal message
| center within the application that is just for bank to
| client communications. _That's_ the place to
| authoritatively tell me something needs to happen and
| what potential next steps would be.
| plagiarist wrote:
| Here's a thing that is enraging, though: when a bank has SMS
| 2FA (insecure if you're being targeted but better than
| nothing) and they keep having you enter that into third-party
| websites. I mean going to a legitimate business, making a
| purchase with a credit card, and then the bank wants 2FA to
| validate a purchase instead of a login? Fuck off, I'll use a
| different card, then.
|
| If it weren't for bullshit FICO calculations I would drop
| that account entirely.
| crtasm wrote:
| How were they able to use an ATM without having your card?
|
| I recommend not calling back the incoming number even if you
| think it's real and spoofed, always look it up on the bank's
| website.
| MathMonkeyMan wrote:
| My understanding is that they had a programmable card. This
| might have been just before chips became widespread in
| America. Or, maybe there's still a way to withdraw with
| only the information visible on the card.
| vel0city wrote:
| Depends on the time frame and the ATMs being used.
|
| I don't think all ATMs require chipped cards yet, and it's
| still common to have a debit card issued with a magstripe.
| If the GP used their debit card to pay for things it could
| have easily been duped. My bank issued me a new card for an
| account a few years ago; it still has a magstripe and I
| assume can still be used at magstripe-only ATMs.
|
| If it was even a few years ago, a lot of ATMs would have
| still worked with just a stripe. It's a bit more difficult
| to find these days, but old ATMs still running OS/2 WARP
| are still around and kicking.
|
| It's frustrating so many banks and what not are still
| issuing cards with magstripes. These days I wipe the cards I
| use most with a magnet to try and mess up the magstripe. I
| don't want to ever use it. Generally speaking, if they
| can't take chipped cards, tap to pay, or cash I'm not doing
| business with them.
| jeroenhd wrote:
| Sometimes there are good reasons for a bank to call you. The
| infuriating part is that not every bank has a quickly
| accessible number to call back if you don't trust the caller.
| Caller ID may be useless, but me calling the official number
| for my bank is pretty hard to fake (unless my carrier is part
| of the scam).
|
| My bank has a button inside the app that will confirm that a
| real bank representative is calling you, or provides a button
| to call the bank's emergency line if they're not. It's a simple
| and effective way of preventing scams that I think more banks
| should implement.
| ryao wrote:
| An SS7 attack could make your carrier part of the scam without
| their knowledge, such that calling back the number will
| connect you to the scammer and not the bank.
| omoikane wrote:
| If some bank calls you about compromised accounts, the
| recommended action should be to hang up, find the official
| phone number for your bank, wait one minute[1], then call back.
|
| [1] You have to wait or call from a different phone, because
| the call might not terminate immediately, and the scammer might
| still be listening on the line.
|
| https://security.stackexchange.com/a/100342
| c22 wrote:
| _> Unbeknownst to him at the time, Google Authenticator by
| default also makes the same codes available in one's Google
| account online._
|
| This sounded absolutely crazy to me so I went to open
| Authenticator on my phone and lo and behold it offered me the
| option of linking to my account and "backing up my codes in the
| cloud" to which I declined.
|
| But I had never seen this behavior before, so is this new? It did
| not seem to be enabled by default in my case.
| acdha wrote:
| It is at least relatively new. Years ago I had to try the
| Google "hard landing" account recovery process because it
| wasn't happening, which is how I learned that they had that
| form going to an email address which had been deleted.
| Fortunately I had paper recovery codes in my safe.
| te0006 wrote:
| Google rolled out that hare-brained "improvement" in an
| update to Google Authenticator a few months ago, with the
| nice extra that for some users, when you dared unselecting
| the new cloud backup checkbox, the secrets stored in the app
| were instantly corrupted in some way, so you were locked out
| of your Google accounts immediately as a bonus <chef's kiss>.
| Happened to a family member, luckily they had a working
| emergency access method. We will never use Google
| Authenticator again.
|
| Recommended alternative: 2FAS
| (https://play.google.com/store/apps/details?id=com.twofasapp)
| which allows you to import the secrets from Google
| Authenticator via QR codes, and has a local backup feature
| (e.g. to a USB drive).
| bsder wrote:
| As a side question: How do I, as a novice, vet a 2FA?
|
| This has all the "looks nice", but I have no reason to
| trust this recommendation over any other social
| engineering.
| aftbit wrote:
| I used andOTP for years, until the author stopped working
| on it. While it still likely works fine, I've switched to
| Stratum, which likewise supports import from the Google
| Authenticator export QR codes as well as from andOTP,
| authy, and others.
| kibibyte wrote:
| I was one of the fools who installed the iOS 7 beta onto a
| phone that I depended on with Google Authenticator. The app
| had a compatibility issue with that beta release that
| caused it to disappear all my 2FA seeds except, very
| fortunately, for my Gmail. There was a bit of a ruckus
| about this here
| https://news.ycombinator.com/item?id=6112077.
|
| Since then, I always use at least two 2FA apps at the same
| time.
| deathanatos wrote:
| Ugh, yeah, _that_ update.
|
| You didn't have to do anything, either, the update just
| instantly corrupted some 2FAs. How can an app not do a
| TOTP? It's literally just math.
|
| I had to recover a few MFAs from backup codes due to that.
| Charon77 wrote:
| Was about to say this but yeah.
|
| Big brains at google didn't understand the number '2' in 2FA
| mavhc wrote:
| Most people wouldn't realise they can't recover their TOTP
| codes. But the hacker would still need to know your password
| surely
| poincaredisk wrote:
| ...so you agree that this is missing the '2' in 2FA?
| buran77 wrote:
| For "something you have" to be true to its purpose it has
| to be something that has one and only one copy - so
| either only you have it, or you don't, but nothing in
| between. The second you have "cloud backup", or activate
| an additional device, or "transfer to a new device" then
| you turn the attack into "phishing with extra steps".
| kibwen wrote:
| You can support transferring to a new device without
| increasing the phishing risk, the transferral just needs
| to be done via a physical cable rather than via the
| cloud.
| buran77 wrote:
| I'll grant you that it's a _better_ option but by no
| means _good_ if you want to stand on the 2FA hill and put
| security first (only?). That "just" does a lot of heavy
| lifting.
|
| The only time I'd consider transferring a secret like
| this is secure is within an HSM cluster. But these are
| exceptionally hardened devices, operating in very secure
| environments, managed by professionals.
|
| Your TOTP seed on the other hand is stored on any of the
| thousands of types of phones, most of which can be (and
| are) outdated and about as secure as a sieve. These
| devices also have no standard protocol to transfer.
| Allowing the extraction via cable is still allowing the
| _extraction_, the cable "helps" with the _transfer_.
| Once you have the option to extract, as I said, you add
| some extra steps to an attack. Many if not most attacks
| would maybe be thwarted but a motivated attacker (and a
| potential payoff in the millions is a hell of a
| motivator) will find ways to exfiltrate the copy of the
| keys from the device even without a cable.
|
| This is plain security vs. convenience. The backup to
| cloud exists because people lose/destroy the phones and
| with that their access to _everything_. The contactless
| transfer exists because there's no interoperability
| between phones, they used different connectors, etc. No
| access to the phone is a more pressing risk than phishing
| for most people, hence the convenience over security.
| plagiarist wrote:
| I don't understand the existence of an HSM cluster. I
| thought HSM was meant to be a very "chain-of-custody"
| object, enabling scenarios like: cryptographically
| guarantee one can only publish firmware updates via the
| company processes.
| buran77 wrote:
| The HSM is more generic than that - a Hardware Security
| Module. It's just a hardware (usually, software...
| Hardware security modules exist...) device that securely
| stores your secret cryptographic material, like
| certificate private keys. The devices are _exceptionally_
| hardened both physically and the running software. In
| theory any attempts to attack them (physically open, or
| even turn them upside down to investigate them, or leave
| them unpowered for longer than some hours, attempt too
| many wrong passwords, etc.) results in the permanent
| deletion of all the cryptographic material inside. These
| can be server sized, or pocket sized, the concept is the
| same.
|
| Their point is to ensure the private keys cannot be
| extracted, not even by the owner. So when you need to
| sign that firmware update, or log into a system, or
| decrypt something, you don't use a certificate (private
| key) _file_ lying around that someone can just copy, you
| have the HSM safely handling that for you without the key
| ever leaving the HSM.
|
| You can already guess the point of a cluster now. With
| only one HSM there's a real risk that a maintenance
| activity, malfunction, accident, or malicious act will
| lead to temporary unavailability or permanently losing
| all the keys. So you have many more HSMs duplicating the
| functionality _and keys_. So by design there must be a
| way to extract a copy and sync it to the other HSMs in
| the cluster. But again, these are exceptionally hardened
| HW and SW so this is incomparably more secure than any
| other transfer mechanism you'd run into day to day.
| plagiarist wrote:
| Ah, got it. So in the event someone managed to get
| access, they are limited to signing things in that moment
| on that infrastructure. I can see how that would reduce
| the blast radius of a hack.
| crote wrote:
| I think this is also the main drawback of physical
| U2F/FIDO2/Webauthn tokens: security-wise they are _by
| far_ the best 2FA option out there, but in practice it
| quickly becomes quite awkward to use because it assumes
| you only own a single token which you permanently carry
| around.
|
| Sure, when I make a new account I can easily enroll the
| token hanging on my keychain, but what about the backup
| token lying in my safe? Why can't I easily enroll _that_
| one as well? It's inconvenient enough that I don't think
| I could really recommend it to the average user...
| vel0city wrote:
| I don't quite get this "I need to add every possible
| authenticator I have at account creation or I'm not doing
| it" kind of mentality I see a lot.
|
| When I make an account, if I have at least two
| authenticators around me, I'll set up the hardware
| authenticators or make sure it's got a decent recovery
| set up. As time goes on I'll add the rest of them when
| it's convenient. If I don't have at least two at account
| creation or I don't trust their recovery workflow, I
| guess I'll just wait to add them. No big deal.
|
| If I'm out and I make an account with $service but I only
| have my phone, I'll probably wait to add any
| authenticators. When I'm with my keys, I'll add my phone
| and my keyring authenticator to it. When I sit down at my
| desktop sometime in the next few days and I use $service
| I'll add my desktop and the token in my desk drawer to
| it. Next time I sit down with my laptop and use $service,
| I'll add that device too. Now I've got a ton of hardware
| authenticators to the account in question.
|
| It's not like I want to make an account to $service,
| gotta run home and have all my devices around so I can
| set this up only this one time!
| poincaredisk wrote:
| >When I make an account, if I have at least two
| authenticators around me
|
| If you do, you're in a tiny minority of users. Well, even
| if you have one you're in a tiny minority, but having two
| laying around is extremely unusual.
| vel0city wrote:
| Only because I bothered to buy a few. If they're making a
| new account they're probably on a device which can be an
| authenticator, i.e. a passkey. Is it rare for people to
| be far away from their keyring where they potentially
| have a car key and a house key and what not?
|
| Do most people with hardware authenticators not also have
| laptops, desktops, or phones? They just have an
| authenticator, no other computers?
|
| This person I replied to already has two hardware tokens.
| They probably also have a phone that can be used with
| passkeys, they probably also have a laptop which can be
| used with passkeys, they might also have a tablet or
| desktop which can be used with passkeys. That person
| probably has 3-6 authenticators, and is probably with two
| of them often if they carry keys regularly.
| crote wrote:
| Ideally this would destroy the initial copy too - but
| forcing physical access would indeed be a _great_ start.
| buran77 wrote:
| Even so, if you have a copy even for a fraction of a
| second then you can have two copies, or skip the
| deletion, or keep the temporary copy that was used during
| the transfer. Even the transfer process could fail and
| leave a temporary file behind with your secrets.
| radicality wrote:
| I quite like Apple's Advanced Data Protection, I set it
| up with two physical yubikeys recently. To login to
| iCloud/Apple on a new device that's not part of your
| trusted devices, you must use the hardware token.
| mavhc wrote:
| They'd have to know your password, and get you to click
| your 2FA accept button, that's 2 factors still
| karel-3d wrote:
| They added this recently, because lots of people complained
| to Google that they lose their tokens; Authy and others
| started to gain traction because they did synchronization.
| Google was pretty much forced.
|
| I know, 2FA loses the entire point when it's synchronized.
| But, well. People lose their stuff all the time!
| eadmund wrote:
| It's possible to synchronise secrets without sharing them
| with a third party: just encrypt them locally, transmit to
| third party, download to other device, decrypt.
|
| This could be made easy for users by having each device
| share a public key with the third party (Google, in this
| case), then the authenticator app on one device could
| encrypt secrets for the other devices.
|
| This would be vulnerable to Google lying about what a
| device's public key is, of course, but enduring malice is
| less likely (and potentially more detectable) than one-time
| misbehaviour.
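An added sketch of the scheme eadmund describes, written for this page and not code from the thread, from Google or from any authenticator app: each device keeps a long-term X25519 key pair and uploads only the public half; the sending device encrypts the seeds to the recipient's public key with an ephemeral key and AES-256-GCM, so the sync service stores only ciphertext. The device names, the Scenario helper, the SHA-256 key derivation (in place of a proper HKDF) and the sample otpauth:// line are all assumptions made for the example. The Scenario function also models the caveat in the last paragraph: a directory that hands out a substituted public key lets the holder of that key, and not the real device, read the seeds.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Device is one authenticator holding a long-term X25519 key pair. Only the
// public half is ever uploaded to the sync service.
type Device struct{ priv *ecdh.PrivateKey }

func NewDevice() *Device {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv}
}

func (d *Device) PublicKey() []byte { return d.priv.PublicKey().Bytes() }

// Envelope is everything the sync service stores: the sender's ephemeral
// public key, a nonce and AES-256-GCM ciphertext. None of it reveals the seeds.
type Envelope struct{ EphemeralPub, Nonce, Ciphertext []byte }

// aead derives the AES-256-GCM key from the X25519 shared secret and both
// public keys (plain SHA-256 as a simplification; a real design would use HKDF).
func aead(shared, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipientPub)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFor seals the seeds so that only the holder of the private key that
// matches recipientPub can open them; the ephemeral key is bound as associated data.
func EncryptFor(recipientPub, seeds []byte) (Envelope, error) {
	rpub, err := ecdh.X25519().NewPublicKey(recipientPub)
	if err != nil {
		return Envelope{}, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	shared, err := eph.ECDH(rpub)
	if err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aead(shared, ephPub, recipientPub)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{ephPub, nonce, gcm.Seal(nil, nonce, seeds, ephPub)}, nil
}

// Open is the receiving device's side; it fails unless the envelope was
// encrypted to this device's own public key.
func (d *Device) Open(env Envelope) ([]byte, error) {
	epub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := d.priv.ECDH(epub)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(shared, env.EphemeralPub, d.PublicKey())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}

// sampleSeeds is a constructed payload; the secret is the RFC 6238 test key.
var sampleSeeds = []byte("otpauth://totp/Example?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\n")

// Scenario models one sync from a phone to a tablet through a directory that
// hands the phone whatever public key it has on file for the tablet. With an
// honest directory only the tablet can read the seeds; if the directory
// substitutes an attacker's key, the attacker reads them and the tablet cannot.
func Scenario(directoryLies bool) (tabletReads, attackerReads bool) {
	tablet, attacker := NewDevice(), NewDevice()
	onFile := tablet.PublicKey()
	if directoryLies {
		onFile = attacker.PublicKey()
	}
	env, err := EncryptFor(onFile, sampleSeeds)
	if err != nil {
		panic(err)
	}
	pt, err := tablet.Open(env)
	tabletReads = err == nil && bytes.Equal(pt, sampleSeeds)
	pt, err = attacker.Open(env)
	attackerReads = err == nil && bytes.Equal(pt, sampleSeeds)
	return
}

func main() {
	fmt.Println(Scenario(false)) // true false
	fmt.Println(Scenario(true))  // false true
}
```

The point of binding both public keys into the key derivation and the ephemeral key into the GCM associated data is that a stored blob cannot be re-targeted by editing it in place; the remaining trust is exactly the one eadmund names, namely that the directory reports each device's public key honestly, which is why a second channel for checking key fingerprints (or pinning keys once seen) is what turns a one-time substitution into something detectable.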
| michaelt wrote:
| _> It's possible to synchronise secrets without sharing
| them with a third party_
|
| Sadly the problem Google is actually trying to solve is
| providing security for the dumbest people you've ever
| met. Dumbasses are entitled to security too!
|
| I'm talking people who've lost access to their e-mail,
| and their phone number, and their 2FA all at once. Then
| they've also forgotten their password.
|
| No password manager, no backup phone, no yubikeys, no
| printed codes, no recovery contacts, nothing.
| rawgabbit wrote:
| You're describing the majority of my extended family.
| Some of whom are well educated and tech illiterate.
| aftbit wrote:
| I've had customers tell me that they cannot use email
| verification to meet a 2FA compliance requirement because
| it's not a second factor, but somehow SMS is. I always push
| back with "why not just good old TOTP" and the answer is
| that it's too easy for a customer to lose because it is
| only on their device. Like yeah... that's what makes it a
| real second factor.
| naniwaduni wrote:
| The active ingredient in 2FA as practically implemented for
| nearly everyone has never been the 2. It's mostly just not
| letting humans choose their entire password.
| marcosdumay wrote:
| It's because everybody wants to put everything in 2FA
| protocols, because people just can't use passwords...
|
| And the fact that one of those doesn't lead to the other
| passes way over their heads.
| criddell wrote:
| I use Authy and it does this too. I like that I can get the
| code on my phone or tablet. I also keep paper copies of the
| original QR codes in a safe place.
| jeroenhd wrote:
| The trick with Authy is to disable multi-device access unless
| you're in the process of adding another device, so hackers
| and scammers can't add their own devices to your account
| without your aid. If you leave the setting enabled, someone
| may get your TOTP secrets from Authy before you can stop
| them.
| tasuki wrote:
| No. That's not "the trick". As soon as it's in the cloud,
| it's over, it's gone, you've lost the game.
| criddell wrote:
| I've been using Authy for around ten years now, so I lost
| the game a decade ago and the consequences have been
| nothing and the benefits have been something. Not a bad
| loss IMHO.
| mannykannot wrote:
| If there is a trick to doing something securely, then that
| is already an automatic fail.
| Natfan wrote:
| You can just decode the QR code and use whatever secret is in
| there to generate the OTP codes. TOTP isn't that complicated,
| it's really just a second password that the system generates.
| nilamo wrote:
| While true, I haven't yet seen an authenticator app that
| lets you just dump the TOTP code yet...
| kibibyte wrote:
| 1Password can show the whole URI with the seed, and I
| have used it in the past to tediously restore seeds to my
| other 2FA apps.
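To make the point in the last three comments concrete, here is an added example (written for this page, not code from the thread, from 1Password or from any authenticator app) that takes the otpauth:// URI an enrollment QR code encodes, pulls out the base32 secret, and generates the codes itself with nothing but the Go standard library. The URI, label and issuer are constructed; the secret is the RFC 6238 test key, so the outputs can be checked against the RFC's own vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Seed is what an otpauth://totp/ enrollment URI (the payload of the QR code) carries.
type Seed struct {
	Label  string
	Issuer string
	Secret []byte // raw HMAC key, decoded from base32
	Digits int
	Period int64
}

// ParseOTPAuth decodes an otpauth://totp/... URI. Secrets in the wild are often
// unpadded and lower-case, so both are tolerated before base32 decoding.
func ParseOTPAuth(raw string) (Seed, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Seed{}, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return Seed{}, fmt.Errorf("not a TOTP otpauth URI: %q", raw)
	}
	q := u.Query()
	b32 := strings.ToUpper(strings.TrimRight(q.Get("secret"), "="))
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(b32)
	if err != nil {
		return Seed{}, fmt.Errorf("bad base32 secret: %w", err)
	}
	s := Seed{Label: strings.TrimPrefix(u.Path, "/"), Issuer: q.Get("issuer"),
		Secret: key, Digits: 6, Period: 30}
	if d := q.Get("digits"); d != "" {
		if s.Digits, err = strconv.Atoi(d); err != nil {
			return Seed{}, err
		}
	}
	if p := q.Get("period"); p != "" {
		if s.Period, err = strconv.ParseInt(p, 10, 64); err != nil {
			return Seed{}, err
		}
	}
	return s, nil
}

// HOTP is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation to 31 bits, then reduction mod 10^digits with zero padding.
func HOTP(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// TOTP is RFC 6238: HOTP with the counter set to floor(unixTime / period).
func TOTP(s Seed, unixTime int64) string {
	return HOTP(s.Secret, uint64(unixTime/s.Period), s.Digits)
}

// RFC6238Seed is a constructed enrollment URI whose secret is the RFC 6238
// test key "12345678901234567890" in base32; label and issuer are made up.
const RFC6238Seed = "otpauth://totp/Example%3Aalice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"

func main() {
	s, err := ParseOTPAuth(RFC6238Seed)
	if err != nil {
		panic(err)
	}
	fmt.Println(s.Issuer, s.Label, TOTP(s, 59)) // Example Example:alice@example.com 287082
	fmt.Println(TOTP(s, time.Now().Unix()))     // the code the app would show right now
}
```

Two things worth noticing: the only secret in the whole scheme is the base32 string in the URI, so whoever can read that string (a cloud backup, a screenshot of the QR code, a paper copy) can produce the same codes forever, which is the thread's complaint about synced authenticators; and everything else is deterministic public arithmetic, which is why moving seeds between apps by re-scanning or pasting the URI just works.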
| andyjohnson0 wrote:
| Just checked and Google authenticator seems to be synced to my
| account, which is a huge SPOF and not what I want. It's
| possible that I did this without realising, but does anyone
| know of a way to revert authenticator to local-only? I don't
| see anything obvious.
| mkbkn wrote:
| Better option is to not use Google's TOTP app. Use something
| else
| from-nibly wrote:
| You can't revert, the keys are sent, they have them. They
| can't un have them. You'll need to rotate your MFA.
| andyjohnson0 wrote:
| > You can't revert, they keys are sent, they have them.
| They can't un have them. You'll need to rotate your MFA.
|
| Not true. See https://news.ycombinator.com/item?id=42471459
| shkkmo wrote:
| You've missed the point entirely. The point is not that
| you can't recover the codes. The point is that if you are
| concerned about uploading codes due to the security
| implications (which most people on here are) then you
| need to do more than just disabling uploading, you also
| have to go rotate all the secrets that were uploaded.
| andyjohnson0 wrote:
| > does anyone know of a way to revert authenticator to local-
| only?
|
| To answer my own question: tap the profile pic (top right on
| Android) and choose the Use Without an Account option.
| Removes codes from cloud storage and any _other_ devices.
| Mentioned in TFA.
| rawgabbit wrote:
| I am literally mind f** by the wording "Use Authenticator
| without an Account". This is one of the most tortured and
| cryptic phrases I have seen. Government legalese is more
| straightforward than Google.
| michaelt wrote:
| _> It 's possible that I did this without realising_
|
| IIRC on my platform, when they added the feature they turned
| it on by default, as an auto-installed update.
|
| And if you're logged into the gmail app on the same device
| that also logs you into authenticator.
|
| You didn't do anything wrong.
| tasuki wrote:
| FWIW, I still remember recoiling in horror when I was asked
| whether I wanted to sync my Google Authenticator stuff.
| dmonitor wrote:
| I remember getting prompted for it on iOS when they added
| it. I still have it turned off.
| Tester4675 wrote:
| What's crazy to me is that Google would allow access to a
| foreign device from a single click. It would be easy for a
| person to accidentally click it, or for a kid playing on their
| parents' device to click it when it popped up. I really can't
| understand why they wouldn't send a code that would have to be
| entered instead; it would be far less prone to those kinds of
| problems.
| vel0city wrote:
| "foreign device" based on IP geolocation is pretty tricky and
| annoying.
|
| My home in Texas had an IP address which a lot of databases
| had as supposedly being in Montreal. It was like that for
| years. Gotta love so many sites trying to default to French.
| UltraSane wrote:
| As a network admin I have found that whitelisting only US
| address space for my company's IPs drastically reduces how
| many attacks we get.
| vel0city wrote:
| As a person who had to deal with clients, I have found
| whitelisting to only "US address space" lead to lots of
| clients being unable to access the services until they
| were whitelisted.
|
| As a person who had to deal with other associates, I also
| found whitelisting only US address space led to a number
| of people being unable to connect from their homes.
|
| As a person who had this happen to them, I had quite a
| lot of frustrations with services insisting they couldn't
| provide me service because Texas is in Canada apparently.
| UltraSane wrote:
| Of course before implementing this I log all IPs and
| verify that we don't have any legitimate traffic coming
| from non-US IPs, and whitelisting a few IPs isn't a big
| deal. Of course a medium sized manufacturing company in
| the Midwest isn't going to have much need for people
| connecting to us outside the US.
|
| I'm actually working to get rid of any public IPs that
| aren't a VPN access point.
| jsnell wrote:
| How would a code help? The victim has already bought into the
| social engineering. If the person on the phone asks the user
| to read out a code, they will. If the person on the phone
| asks them to enter a code (i.e. the version of this kind of
| prompt where the user needs to enter a code on the phone
| matching the one showing on the login page), they will.
| shkkmo wrote:
| Every step you make someone who is being socially
| engineered jump through is an extra chance for them to
| realize what is happening, especially if those steps
| contain warnings.
| UltraSane wrote:
| Google only added this feature recently. I am really conflicted
| about this feature. Without it you need to either save every
| TOTP code when you first set up the account or manually disable
| 2FA on every account and then enable it again so you can enroll
| it on a new phone. I used it when migrating to my most recent
| cell phone but then disabled it. Of course you have to trust
| that Google actually deletes the codes from your account.
| TimTheTinker wrote:
| Generating and storing your passwords, OTPs, and passkeys in
| a fully E2EE system like 1Password is effectively a root of
| trust, although you also have to trust (a) the password
| manager company, (b) whatever third-party systems and devices
| they use to build and deliver their software, (c) the quality
| of their cryptosystem, and (d) whatever device you use to
| decrypt/access secrets in your vault.
| __turbobrew__ wrote:
| There is a big gap in the greater security landscape here. I
| personally use hardware authenticators for this reason, but I
| have to manually enrol each security key for each account.
|
| Really what I would like is a root of trust which maybe is a
| cipher text which I can store in several physical locations,
| and then my security keys are derived from that root of trust.
| Then when I set up 2fa with a service it is using the root of
| trust and seeing that my security keys are derived from that
| root of trust. This allows me to register the root of trust
| only once and then I can use any key derived from it.
| AgentME wrote:
| Some cryptocurrency hardware wallets such as Trezor's are
| usable exactly how you want: they support fido2/webauthn and
| derive their keys from the recovery seed phrase. You can
| write down the recovery seed phrase, initialize other
| hardware wallets with the same recovery seed later on, and
| they will present to a computer as the same fido2/webauthn
| token.
| Symbiote wrote:
| I'm shocked how often one of my ~50 colleagues asks me to reset
| their 2FA. It's every 6-8 weeks or so.
|
| Their personal accounts will be affected in the same way (lost
| phone, new phone etc).
| vouaobrasil wrote:
| I feel like attacks like this would be much harder if we had
| never adopted HTML emails. Then it would make more intuitive
| sense (for the user) for an institution to write:
|
| (1) Go to our website
|
| (2) Login and check your account
|
| Of course, legitimate emails do that now, but because of the way
| we've been trained to "click" (such as "click to verify your
| email"), this conditioning carries over to phishing and other
| attacks, whereas that would be impossible with plain text. With
| plain text, the email verification would have to be "paste this
| code into a box".
| MathMonkeyMan wrote:
| Email clients would probably still parse URLs into links.
| People would click them. Then people would prefer links that
| didn't look like gobbledygook, so email clients would start
| supporting extensions like parsing of [markdown-style
| links](https://gobbledygook.com/ddkf878dfjlsfd). And then we
| would arrive at HTML.
| drcongo wrote:
| The red-flag he should have spotted was Google "Support".
| coldcode wrote:
| The idea that Google would spend money to help a non-business
| user for anything is beyond unlikely.
| Atotalnoob wrote:
| They don't even support businesses. We pay for whatever the
| highest tier of support is.
|
| We have been emailing our TAM (or whatever Google calls them)
| for weeks (and opening tickets)
|
| They keep giving us the same fucking documentation link.
|
| Literally useless.
|
| Another instance we were using code from their docs and they
| refused to help saying they don't look at code ever
| MichaelZuo wrote:
| The highest enterprise support tiers at Google cost
| millions of dollars per month... you probably mean the
| highest listed on their website for small to medium
| businesses.
| Atotalnoob wrote:
| No, it's in the millions.
| Dansvidania wrote:
| I mean, the email says it's from Google Forms. Is that not
| suspect enough?
| michaelt wrote:
| Unfortunately, when a person is getting support from a large
| corporation it's completely routine and normal for the
| follow-up e-mail to have random extra branding like "zendesk"
| or "atlassian" or "salesforce"
|
| It's a clever move by the scammers - I can see how people
| would fall for it.
| duckmysick wrote:
| My favorite bit:
|
| > More importantly, Tony recognized the voice of "Daniel from
| Google" when it was featured in an interview by Junseth, a
| podcaster who covers cryptocurrency scams. The same voice that
| had coaxed Tony out of his considerable cryptocurrency holdings
| just days earlier also had tried to phish Junseth, who played
| along for several minutes before revealing he knew it was a scam.
|
| > [...]
|
| > Daniel told Junseth he and his co-conspirators had just scored
| a $1.2 million theft that was still pending on the bitcoin
| investment platform SwanBitcoin. In response, Junseth tagged
| SwanBitcoin in a post about his podcast on Twitter/X, and the CEO
| of Swan quickly replied that they caught the $1.2 million
| transaction that morning.
|
| > Apparently, Daniel didn't appreciate having his voice broadcast
| to the world (or his $1.2 million bitcoin heist disrupted)
| because according to Junseth someone submitted a baseless
| copyright infringement claim about it to Soundcloud, which was
| hosting the recording.
|
| > The complaint alleged the recording included a copyrighted
| song, but that wasn't true: Junseth later posted a raw version of
| the recording to Telegram, and it clearly had no music in the
| background. Nevertheless, Soundcloud removed the audio file.
|
| DMCA enabling bad actors to cover their tracks was not on my
| bingo list.
| dessimus wrote:
| Are there examples of DMCA being used in a positive manner?
| andrewflnr wrote:
| You mean besides literally all the times when people upload
| raw copyrighted movies and music to YouTube? DMCA is boring
| and un-newsworthy when it's working properly. (Unless you're
| the type who thinks copyright is inherently wrong, but it
| would then be very silly to ask if DMCA was ever "used in a
| manner".)
| bdndndndbve wrote:
| I wonder if people who are "invested" in cryptocurrency are more
| susceptible to these kind of scams. There's a strong aspect of
| FOMO in getting people to buy imaginary internet money, and also
| in getting them to panic and fumble said internet money.
| nine_k wrote:
| While "Nigerian spam" scams profit off simple-minded gullible
| people, cryptocurrency scams profit off sophisticated gullible
| people.
| plagiarist wrote:
| I wonder if it is just harder to give away several million
| dollars of government currency without being able to recover
| it? This is only an interesting story because it is so much
| money and because they are able to narrow the suspects down to
| a small group.
|
| Cryptocurrencies are like speedrunning the discovery of why
| finance is regulated, though, that is certainly true.
| acdha wrote:
| I think you're saying the same thing from the other side:
| it's definitely true that it's harder to get or transfer
| large amounts of real money because the system has layers of
| protection due to past fraud, but those fraud protections
| also mean that most people can't get the kind of paper
| profits which lure people to cryptocurrencies. This gives
| scammers the appealing target of a self-selected group of
| financially unsophisticated people who have chosen a system
| designed to make large scale theft easy and safe.
| chimen wrote:
| One of the reasons I stay away from it is that, at least in
| recent years, every scam that I see taking place involves
| crypto. I have a lot of acquaintances and I can almost draw a
| line at this stage: the higher the "shadiness" of the person,
| the more they are invested or talking about crypto. I have yet,
| even though I have owned some, to have had the need to use
| crypto in my daily/weekly/monthly/yearly life.
|
| It is very easy to destroy lives with it as we can see in this
| case, and making it harder to do so will work against the very
| nature of this tech. This is a tough nut to crack but I think
| the space will remain filled with predators constantly baiting
| prey into the system with the promise of a big reward.
| mrguyorama wrote:
| "You can't undo a transaction" is a core feature of crypto.
| This is hilarious, because in actual payment networks, it
| literally only benefits scammers.
|
| Every consumer ever has at one point or another wanted or
| needed to reverse a transaction. Chargebacks are a _FEATURE_
| of credit cards.
| BobaFloutist wrote:
| You know how in old crime fiction there was often an
| episode with "bearer's bonds" where up top they define
| bearers bonds as "this just belongs to whoever holds it, so
| be very careful" and you just _know_ they're going to get
| stolen immediately?
|
| That's how I feel about crypto.
| rs999gti wrote:
| Traditional banks and the financial industry are generally sub-
| optimal, but at least if you are scammed, they will do their
| best to either recover your money or return you whole.
|
| To have this safety, money and finances have to be centralized,
| regulated, and governed, all of which crypto doesn't have and
| doesn't want.
| cesarb wrote:
| > they will do their best to either recover your money or
| return you whole.
|
| And if they don't, the courts can force them to do it _and_
| give you some extra money for the trouble.
| foxglacier wrote:
| No they won't. If you bank transfer money to a scammer, the
| bank won't refund you, nor can they recover it. If you give a
| scammer your bank access credentials, they also won't refund
| you because you broke the TOS.
| flooow wrote:
| It's obviously going to be much much more difficult to steal
| $450K from an actual bank account and get clean away - you're
| going to need a lot more proof of identity than a google login.
| From that POV, owning a lot of cryptocurrency is painting a
| target on your back.
| nytesky wrote:
| How do they identify their marks? A random firefighter seems
| like an odd target.
| PleasureBot wrote:
| Could just be people talking about crypto on social media
| directly saying that they own some. Would not be too hard
| to find accounts where you can clearly identify the person
| behind the twitter handle, facebook profile, Instagram
| account or whatever talking about that online. We're only
| hearing about people who happened to lose a huge amount of
| money but lots of people probably fell for this scam and
| lost money on the scale of $100 or $1000.
| plagiarist wrote:
| > By default, Google Authenticator syncs all one-time codes with
| a Gmail user's account, meaning if someone gains access to your
| Google account, they can then access all of the one-time codes
| handed out by your Google Authenticator app.
|
| When business guys are involved in a security app, many of us
| can easily imagine the "user story" that caused this.
| vel0city wrote:
| Just look at the probably hundreds or more comments here
| through the years of people bashing Google for having their
| authenticator app not sync TOTP secrets to the cloud. For the
| longest time it was pulling teeth to get the app to surrender
| the TOTP secrets saved inside.
|
| Google listened.
| the__alchemist wrote:
| The start of the article and comments thus far focus on the
| authenticator/Google account scam. I think a separate topic of
| note is taking a photo of the wallet recovery words [on an
| internet-connectable device]. This was, IMO, the primary mistake
| the user made. (And an easy one to make if you don't consider its
| consequences)
| andrewflnr wrote:
| What I want to know is if the attackers knew that the photo was
| there, and if so, how. Or were they just planning to get into
| the victim's gmail and exploit whatever they found?
| vel0city wrote:
| I had these people call me the other day. I got a text message
| alerting me of a potential Google account security issue they had
| blocked and that I should expect a call. I also got one of those
| emails and an automated phone call. The automated phone call had
| me dial 1 if I wanted a call back from support to help recover my
| account.
|
| I got a call from a very professional sounding woman assuring me
| she was with Google and they had discovered some potentially
| fraudulent activity with my Google account in Frankfurt. They
| said they had locked down my account to protect it but they would
| walk me through recovering it.
|
| I knew this was impossible, because the Google account in
| question doesn't have passwords. It has a couple of passkeys
| which are all physical hardware tokens in my home. But I wanted
| to see how pushy they would get.
|
| Turned into a half hour phone call with me playing dumb (was
| watching my kid's sports practice, nothing to do for a half hour
| but cheer him on). Eventually when I was done with it I let them
| know I was in the process of filing the report with the federal
| cybercrime department. Immediately hung up from that.
| baxtr wrote:
| Frankfurt of all places!
| ffsm8 wrote:
| Frankfurt is actually notorious in Germany for their issues
| with drugs. Going outta the train station you can see ppl
| passed out with literal needles in their arms, taking a shit
| in public view etc
|
| Doesn't really transfer to cyber crime, but it's definitely
| one of the more "criminal" places in Germany. Still super
| tame compared to actual slums etc though
| WalterBright wrote:
| The last time I was in Frankfurt was maybe 20 years ago. I
| suppose things have declined quite a bit since then.
| locallost wrote:
| Notorious on social media perhaps. I am yet to see someone
| in Frankfurt passed out with a needle in their arm. I've
| been to Frankfurt several times in the last years -- slept
| once in a hotel near the train station, spent a couple
| hours until 2-3am at and around the train station because
| of a missed train, spent a lot of time waiting for my next
| train connection etc.
| thebruce87m wrote:
| > I knew this was impossible, because...
|
| There's an easier tell. It's impossible because you can't
| get Google to help you at all about any account issues, never
| mind them being as proactive as to call you.
|
| In other words if Google call you, it's not Google.
|
| It's slightly depressing that there are probably more fake
| Google support staff than real ones.
| AlienRobot wrote:
| If it weren't for the routine ex-Googler postmortem blog post
| shared on HN I'd think Google doesn't even have human
| employees.
|
| The greatest mystery of my life is what is a "Google Product
| Expert" on their community forums whom I assume:
|
| 1. isn't an employee speaking as the company.
|
| 2. is someone given the title by the company.
|
| 3. spends a lot of time answering questions despite not being
| paid for it.
|
| 4. can contact Google employees somehow.
|
| The only perks for this that Google lists are that you can
| join a secret club of Google Product Experts. It feels like
| gig economy applied to customer support.
| nox101 wrote:
| several huge companies do this. here's one
|
| https://discussions.apple.com
|
| so frustrating
| rawgabbit wrote:
| But if you have a problem and you need to show that you
| own appleid xxxx@xxx.com, can't you go to an Apple Store
| and they will help you? I believe the frustration with
| Google is that there is not an actual human the regular
| person can talk to.
| lotsofpulp wrote:
| Apple isn't a good example to use here because you can
| contact a human at Apple very easily:
|
| https://support.apple.com/contact
|
| They will even remote into your device and walk you
| through how to do something.
| bad_haircut72 wrote:
| They will reach out to try and help sell you more ad spend.
| If that was a scam it's very good because they set up my adwords
| campaign for me.
| thanksgiving wrote:
| I have a similar anecdote which isn't very relevant except
| it felt like googlers now care about how they can help make
| google more money. I would have never expected engineers at
| Google to care about how to make more money for google like
| doesn't the money just flow in...
| Nzen wrote:
| In case you would like a concrete example to ground the
| cynicism about corporate trade offs around customer support,
| I recommend watching Jill Bearup's 10 minute video [0] about
| this week's demonetization. For example, she has to deal with
| some form that she "can't submit", a customer service contact
| 12 time zones away (so email replies are 12 hours delayed),
| and an account manager who is non-responsive. In her court
| are some unaffiliated google employees giving guidance, but
| only because they were already part of her youtube watching
| audience.
|
| [0] https://www.youtube.com/watch?v=6RZHajVV9PA
| maeil wrote:
| > For example, she has to deal with some form that she
| "can't submit", a customer service contact 12 time zones
| away (so email replies are 12 hours delayed),
|
| At that point I'd set up an LLM agent to reply for me. Big
| Tech are no longer the only ones who can pretend to be a
| human.
| HeyLaughingBoy wrote:
| I smell a product idea...
| avidiax wrote:
| I feel Google, Facebook, etc. all need to setup actual phone
| numbers and chat rooms, and make them rank highly on searches
| for "Google support phone number", "Google fraud department",
| "Google account recovery department", "Google Live Support
| Chat" etc.
|
| Then those numbers should simply play a message that this is
| the only official phone number, and no human will ever call
| from or answer this number, and the company does not offer
| customer support or appeals to account problems.
|
| They also need to make searching for fraud phone numbers
| return anti-fraud messaging rather than what it currently
| does. Seems like the entire 844-906 exchange is fraudulent
| [1].
|
| I had a family member that just got scammed because they
| panicked after their Facebook account got banned, basically
| exactly like [2].
|
| [1] https://www.google.com/search?q=844-906
|
| [2] https://www.npr.org/sections/alltechconsidered/2017/01/31
| /51...
| coliveira wrote:
| Somehow Google and other tech companies are not required to
| have a customer service that actually solves the legitimate
| problems customers have with their services. I wonder how
| they are allowed to do this not just in the US but across the
| world.
| cj wrote:
| I pay for Google Workspace for my personal Gmail account.
| It's billed per user (with no minimums) so it's actually
| very cheap even for the "enterprise" version.
|
| The support is excellent. I can get a human on a live chat
| and request a screenshare and phone call session with a few
| clicks in under 10 minutes.
|
| But of course that's only available to me because I pay for
| the business version of Google albeit for personal use.
| lockyc wrote:
| Unless their salespeople are calling you
| ChrisMarshallNY wrote:
| _> I got a call from a very professional sounding woman_
|
| That's usually the tell, right there.
|
| Legit support operations tend to sound unprofessional as hell.
| Heavy accents, scratchy lines, scripts referencing the wrong
| OS, etc.
| mavamaarten wrote:
| Yeah, hah, it is funny that "Google offering phone support"
| is so unthinkable to me that it's a red flag for a scam.
| vel0city wrote:
| Yeah, that was also another big red flag for me.
|
| I do have paid services on other Google accounts and have
| dealt with their support before, but the account they were
| trying to break into was an ancient one I made as a
| teenager and don't use for much of anything anymore. If
| Google Support _were_ to call me about anything
| (_unfathomably_ unlikely, and never about a security issue
| like this), it wouldn't be from a free account that has
| never given Google a dime.
|
| I have received calls from Google associates before. Almost
| always some account manager looking to find yet another
| product to sell me. Never proactively to any kind of
| account issue.
| WalterBright wrote:
| I've gotten real support calls where the audio was so bad it
| was hard to understand anything they said. And/Or the standby
| music fidelity was so awful it's like pounding a spike in my
| ears. (Or maybe that's intentional so I hang up and don't
| bother with them.)
|
| You'd think they'd have equipment newer than the 1960's.
| foobarchu wrote:
| Depends heavily on the company. Fidelity, for example, has
| super friendly, local sounding support employees. They will
| sometimes call you directly, too, for things like "checking
| in on your retirement goals". If someone called sounding
| professional, it would not be a tell that it isn't actually
| fidelity.
|
| Plus, most of the weird "customer support" scams I've gotten
| in the past are people with thick accents on a garbage
| connection.
| ChrisMarshallNY wrote:
| Yeah, it was a joke.
|
| However, these scammers tend to come across as the platonic
| ideal of a perfect support rep.
|
| My wife almost got taken by one, several years ago.
| ryao wrote:
| I have a simple defense against this. I use a special email
| account for financial information that only my email provider,
| myself and my financial institutions know to exist. Even if I tap
| yes instead of no by mistake on a prompt like this, my financial
| accounts are safe unless the attacker breaches my bank to find
| out the email account I use with them first.
| pavel_lishin wrote:
| > _my financial accounts are safe unless the attacker breaches
| my bank to find out the email account I use with them first._
|
| It's entirely possible that someone can accomplish this with a
| phone call to your financial institution's customer help line.
|
| "Oh gosh, I'm sorry, I forgot whether I used my email address
| or my wife's for this account - can you tell me what's on
| file?"
| ryao wrote:
| I wonder how that would work if they cannot prove my identity
| first by telling the representative a code sent to my phone
| number. I would expect the bank to tell the attacker to go
| into the local branch with identification.
| doublerabbit wrote:
| Social Engineering. You would expect the bank too but not
| so. These scummy people are good at manipulation.
|
| Humans are very exploitable.
|
| "I'm ever so sorry, but I am unable to get to the bank right
| now, my mother was in an accident and I need to get to the
| hospital in 30 minutes. Is there any other way?" "No? Can
| you do it for me?"
|
| Playing empathy over the phone gets you places, as does
| wearing a worker's Hi-Vis jacket to get into backstage at
| festivals.
| Fokamul wrote:
| Holding $500k in hot wallet, this man is braindead...
| joezydeco wrote:
| Are these spammers just lucky or is there something that lets
| them sniff blood in the water and specifically target people
| holding large amounts of crypto?
| samatman wrote:
| It wasn't a hot wallet, he had taken a _photo of his seed_ and
| then _left it in Google photos_.
|
| So your conclusion is sound but your premise is invalid.
| Dansvidania wrote:
| I am maybe missing something obvious here, but isn't it
| suspicious that these attacks "affecting a small number of google
| users" happened to "hit" two people with significant
| cryptocurrency holdings?
| tantalor wrote:
| Maybe the attackers already knew through some other means that
| they had large crypto holdings, i.e., spear phishing.
| pjdesno wrote:
| It seems like the common thread here is that the thefts were of
| cryptocurrency, rather than real assets in a financial system
| with safeguards. You can still get robbed of those assets, but it
| leaves a far stronger paper trail to catch the perpetrators.
| Vegenoid wrote:
| It's the classic tradeoff of freedom vs. security. It's the
| biggest reason I can't foresee myself storing substantial
| amounts of cryptocurrency. I just want to hand my hard earned
| money to a financial institution and not have to think about it
| too much.
| potato3732842 wrote:
| The difference is that we haven't spent a century building up
| police organizations, bureaucracies, processes and
| international working relationships to track down crypto crime
| the way we have for "normal" financial crimes.
|
| You would track down this crypto in just about the same way
| you'd track down a fraudulently ordered wire transfer that was
| cashed out. Records would be requested, IP's and timestamps
| recorded, more records would be requested from other parties
| based on those, and so on and so on. The difference is that
| it's somebody's job to go after those. It's nobody's job to go
| after this.
| psychoslave wrote:
| How stressful it must be as an experience to go through.
|
| Having nothing to be robbed from is such an underrated means to
| live in serenity.
| donatj wrote:
| About a year ago I got an email from an actual Coinbase email
| address telling me that my account had been compromised. It
| included a case number.
|
| Trying to log in with my username and password did not work.
| Moments later I get a phone call, the caller id says that it is
| Coinbase. Guy on the phone with a thick German accent tells me
| he's calling about my account and gives me the case number from
| the email. I know damn well never to trust a phone call you did
| not initiate, so I'm kind of just stringing the dude along on the
| phone.
|
| I remember that I had set up a passkey, and try it. I get in with
| that and immediately run to the emergency "lock my account"
| button. I tell the guy on the phone that I have clicked it and
| after a bit of "uhmmm..."-ing and "hmmm..."-ing he just hangs up.
|
| I call Coinbase support and they verify some recent transactions
| and ask me to forward them the email, and that's that. I still
| have no idea what the actual attack was or how they changed or
| invalidated my password. Best I can tell they did not manage to
| actually get in to my account.
|
| I ended up changing my password to just about everything out of
| caution.
| cute_boi wrote:
| Last time I called Boss Money Transfer, I called them and their
| real agents told me they must call me to verify. I was like,
| how would I know if it is Boss Money Transfer or a scammer. At
| the end I had to trust because the voice was the same.
| imp0cat wrote:
| > how they changed or invalidated my password.
|
| Probably just too many invalid login attempts.
| cute_boi wrote:
| Never Trust a call you didn't initiate.
| deathanatos wrote:
| I wholeheartedly agree with your mantra. But I need banks and
| other businesses to learn this. Particularly banks.
|
| My bank has literally called me with what amounts to "ur being
| haxxor3d", and like ... who are you? _The representative
| literally would not tell me who he worked for._ I was 210% sure
| it was a scam, and hung up on him. Turned out, _it was legit._
| [1]
|
| Companies need to make sure their own operations don't bear the
| trappings of fraud.
|
| [1] (I don't regret hanging up, though. Calling back to a known,
| published-by-the-business-itself number is the right thing to
| do.)
| buttercraft wrote:
| "In Soundcloud's instance, part of declaring your innocence is
| you have to give them your home address and everything else, and
| it says right on there, 'this will be provided to the person
| making the copyright claim.'"
|
| Good job helping the scammers, SoundCloud. WTF
| packtreefly wrote:
| The glaring common denominator here is that the attacker has the
| ability to send an unprompted, unblockable request to the
| victim's phone. Pressing the safe-looking green button that shows
| up, even accidentally, is digital suicide.
|
| Google Prompt is supposed to be a safety feature. The account
| recovery process lets a hostile actor turn Google Prompt into a
| loaded gun, and Google puts it directly into the victim's hand,
| aimed straight at their own head.
|
| There's absolutely no way to shut off Google Prompt that doesn't
| involve removing every Google app from your mobile devices.
| VoodooJuJu wrote:
| _If you're so rich, why aren't you so smart?_ is the burning
| question here.
|
| It's mind-boggling to me how crypto guys can be simultaneously
| savvy enough to be involved in crypto, to the tune of millions of
| dollars, but also retarded enough to fall for stuff like this.
| UltraSane wrote:
| That is one really nasty aspect of cryptocurrency. They make
| theft cryptographically irreversible. And you can watch the
| thieves spend your money!
| nytesky wrote:
| It does feel like the security protocols necessary to secure
| $100k to $Ms of crypto which transfers instantly and non-
| reversibly are a challenge for the average user.
|
| Even as a fairly tech enabled GenX, I have forgotten passwords
| and had to reset them (usually accounts I haven't used in a
| while), had files corrupted without a good backup, lost a Yubikey
| somewhere in the house (I think at least).
|
| From what I can tell I would need to have my crypto seed laser
| etched into titanium, and then treat that talisman as if it was
| made of pure platinum as far as securing and tracking it.
|
| Versus keeping my money in SIPC and FDIC protected accounts.
|
| I will say, the BTC appreciation is a big attraction of course,
| but long term I don't see how it becomes widely adopted with so
| much logistics risk, and appreciation... well who knows about
| that.
| ToucanLoucan wrote:
| I have no doubt that at least some especially in the early days
| envisioned crypto as a legitimate alternative to fiat currency.
| That being said, in its mature state as a technology, it
| amounts to nothing more than a clone of the modern financial
| system with a different set of oligarchs, except that it has
| far fewer consumer protections, and the nature of it makes
| _implementing_ said protections in any way extremely difficult.
|
| That combined with the extreme volatility of value that is not
| only endemic to any coin with meaningful usage, but is
| generally a _goal_ of most coins, makes it only really useful
| as a speculative vehicle, and those same properties also make
| it uniquely bad in terms of a store of value to be used in
| commerce unless the seller also plans to speculate on the
| value.
|
| And, even if you're good with all of that: Yes, the tech itself
| is decentralized, but if you don't have at least some
| background in basic software development or scripting, you're
| almost certainly going to end up using some product or another
| to manage your wallets and transactions, and while the _wallet_
| is anonymous, the accounts _you connect the wallet to_ are
| often quite the opposite, and because of the structure of the
| chains, your entire transaction history is visible to everyone
| on the network, at all times. So it's private by default, but
| basically any casual user is immediately and forever doxxable.
| ForHackernews wrote:
| > I will say, the BTC appreciation is a big attraction of
| course
|
| What are the other desirable features of BTC?
| henry2023 wrote:
| Non centralized proof of ownership is pretty cool.
| Analemma_ wrote:
| How is it non-centralized? Basically everybody actually
| using crypto uses exchanges.
| zaik wrote:
| You don't have to.
| bdangubic wrote:
| he said "basically everyone" which is true. I don't have
| to eat this large apple pie that is in front of me now but I'm
| about to :)
| lotu wrote:
| It's great for laundering money.
| berkes wrote:
| It is not.
|
| It's not anonymous, but pseudonymous. It's a public
| ledger, for everyone to copy and analyze. It's a public
| ledger that's mathematically proven to not have mistakes in
| it.
|
| Exchanges are highly regulated. KYC is ridiculously tight.
|
| Sure, Bitcoin allows one to flee/fly to some criminals'
| paradise with their entire wealth stored in their brain (or
| on a napkin). And as long as they keep the money in crypto
| or black, it's unstoppable, really.
|
| But it's a terrible medium to turn black money into white
| money. One of the worst of all options, really. And that's
| what laundering is.
|
| Now, it's used for laundering. But that's more because it's
| a great and easy store of value in itself. Not because a
| public, traceable ledger without any anonymity other than
| pseudonymity is a great system for laundering, because it's
| the exact opposite of that.
|
| And certainly, if you mix in monero, defi, otc-trades and
| -there they are- "corrupt bankers", crypto as a whole can
| turn black money into white, circumvent blockades, fund
| terrorism and whatnot. But hardly easier or simpler than
| paper-money, gold, and corrupt bankers already can.
| amelius wrote:
| It's great for transferring ransoms. Basically a criminal's
| dream coming true.
| ashleyn wrote:
| 1) if you don't exclusively have the private key (wallet), you
| don't own the crypto. if someone else gets the private key
| unwittingly, they now own the crypto
|
| 2) split cumulative funds into two wallets, a "hot" wallet and
| a "cold" wallet. keep the funds in the "hot" wallet to no more
| than for which total unintentional loss is tolerable. keep the
| private key to the "cold" wallet off any internet connected
| device except for the minimum duration required to transfer
| funds to the hot wallet.
|
| 3) print the recovery phrase for the cold wallet and store it
| in a physically secure location
|
| 4) if an ideally secure physical location is not possible,
| split risk across multiple "cold" wallets
| tdiff wrote:
| So the attacker knew in advance that the secret was stored
| in Google Photos? Is it a common way to store passwords, or is
| some piece missing here?
| dmonitor wrote:
| Likely a common way to store recovery codes. Similar to those
| bots that scrape github for API keys
| layman51 wrote:
| I had read of this attack back in September[1]. It seems very
| sophisticated because they spoof a phone number that at first
| glance is associated with Google, but is really just the
| "uncanny-valley" Google Assistant service that can check wait
| times or make reservations on your behalf.
|
| Does Google even offer live-person support if you're not their
| Workspace customer?
|
| Also, one other difference is that apparently the attackers may
| have been using Salesforce to send the emails. Maybe they were
| using a trial or developer edition? I believe those can send out
| emails too, but they are very limited. So this must be a very
| targeted kind of attack. The scary part is that the attacker's
| emails pass SPF, DKIM, and DMARC. There's a technical write-up I
| found about this aspect of the attack.[2]
|
| [1]: https://sammitrovic.com/infosec/gmail-account-takeover-
| super...
|
| [2]:
| https://docs.google.com/document/d/1xrJsRBcGj9x2mMvRoKLG4ANS...
| darknavi wrote:
| > Does Google even offer live-person support if you're not
| their Workspace customer?
|
| Not really. That's the giant red flag behind committing to a
| gmail, outlook, etc. account. If it gets messed up you're at
| the whim of "on-rail" support and if you need anything more all
| you can do is shout into social media and hope a stray employee
| feels bad for you.
| smoothgrammer wrote:
| Yes they do. If you subscribe to Google One.
|
| https://support.google.com/googleone/
| ht85 wrote:
| The wallet name was exodus, how fitting :D
| simonw wrote:
| The defining feature of crypto - decentralized, irreversible, no
| "higher power" you can go to in order to get your money back -
| turns out to be the thing that burns people ALL the time.
| mouse_ wrote:
| Lots of people still don't quite understand their debit card.
| No way they're going to learn how private keys work.
|
| Still might make some sense as an institutional store of value
| though I guess.
___________________________________________________________________
(page generated 2024-12-20 23:00 UTC)