[HN Gopher] How to lose a fortune with one bad click
___________________________________________________________________
How to lose a fortune with one bad click
Author : todsacerdoti
Score : 319 points
Date : 2024-12-18 13:21 UTC (3 days ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| namaria wrote:
| I wonder if there's any one legitimate instance of a company
| calling you about compromised accounts and requiring your action.
| It seems to me that anyone reaching out and lighting a fire under
| your ass can be assumed to be a malicious actor.
|
| Any notification asking you to confirm your identity that is not
| initiated by your actions should be immediately dismissed with a
| "no" and that should be all there is to such things, no?
| rcxdude wrote:
| Banks are pretty good at doing an impression of phishing scams,
| unfortunately. Almost every red flag for a scammer has also
| been done by a bank, legitimately.
| athenot wrote:
| This.
|
| Also healthcare providers, though they seem to have finally
| wised up. They would call me from poorly configured phone
| systems (so unrecognizable caller id) and the first thing
| they would ask is to confirm full name and date of birth.
|
| Patterns like this do a great deal of damage in desensitizing
| folks and making them accept dangerous patterns that get
| exploited by scams.
| hollerith wrote:
| Even if you recognized it, the number shown by Caller ID is
| easy for the caller to spoof -- or at least it was a few
| years ago (the last time I paid attention).
| athenot wrote:
| Thankfully that part has vastly improved with
| STIR/SHAKEN, combined with number reputation management.
| ipython wrote:
| The problem with that, at least in my experience with
| iPhone, is you can only get the authentication signal
| _after_ you've already hung up. The only thing I see is a
| small checkmark next to the "location" of the call in my
| recent call log. I can't find any indication of a
| STIR/SHAKEN status in the active call screen.
|
| So asking people to take the step to confirm the call is
| legitimate won't work- they can't tell until they've
| already terminated the call. It's useless for purpose
| imo.
| vel0city wrote:
| On my Pixel some calls just get auto-rejected. Others
| will get through but be marked with a red caution symbol
| for the picture and say "Scam Likely". Then finally
| sometimes the call will come through with just the number
| but still have that red caution symbol.
|
| I imagine it is doing something with STIR/SHAKEN along
| with how many other times similar calls have been flagged
| as spam calls.
| ipython wrote:
| My carrier has a similar "scam likely" feature but afaik
| that is not directly tied to stir/shaken. I've also
| signed up to have calls rejected and can see them in the
| carrier app.
|
| I have reported at least a thousand different scam calls
| over the past two years and so my blocked number list is
| so large it freezes the phone for a minute or so while it
| loads. Still the scammers persist...
| ryao wrote:
| I remember when I used Ting, I could specify what would
| appear as caller id. If I had wanted to abuse this, I
| could easily have had it display whatever number I wanted
| instead of my name. Since a number of phones would
| display the caller id instead of the number when caller
| id was available, nobody would know that the number was
| not real. I am not sure if this has changed at all.
| nottorp wrote:
| Banks maybe, but Google? Google only has "AI" support and
| that doesn't call us yet. So it's safe to assume that any
| call from Google is fake.
| SoftTalker wrote:
| Yeah Google will never call you about your free gmail
| account, just as Microsoft will never call you about a
| virus on your home computer.
| adrianmsmith wrote:
| There was a comment on Hacker News, which alas I can no
| longer locate, where a guy said he'd been called by his bank
| and the bank wanted him to answer various security questions.
| He said he was happy to do so, but firstly needed the bank to
| verify who they were, or to call the bank back on a telephone
| number on their website. The bank refused, so he refused to
| give them any details. The bank then blocked his bank
| account, meaning he couldn't pay his university tuition on
| time, meaning his student visa was no longer valid as he was
| no longer "studying", meaning he had to leave the country.
| namaria wrote:
| A bank blocked an account because they called someone and
| that person didn't provide them with personal data? That
| sounds unlikely.
| ryao wrote:
| I am not surprised. I know of a bank that disabled a
| credit card following a single missed payment for the
| crime of failing to answer a phone call.
| ElevenLathe wrote:
| This is one of the reasons I use a local credit union
| with a handful of branches only in my region. I can
| always re-establish trust by just walking into a branch
| to do business, and likewise they can always just ask me
| to walk in with my driver's license if they need to
| verify that I'm really me.
| michaelt wrote:
| A reasonable decision in your case, no doubt.
|
| But the mentions of "his student visa was no longer valid
| [...] meaning he had to leave the country" make me think
| walking to a local bank branch might not have been an
| easy option in the post adrianmsmith recalls.
| ElevenLathe wrote:
| Absolutely agree! I only brought it up because it seems
| like, in our quest for efficiency, we are rapidly heading
| for a world where we try to delegate trust to outside
| entities (like tech companies, megabanks, or far-off
| government departments in Washington, D.C.) but,
| fundamentally, what makes financial transactions work
| (with anything other than physical currency), is actual
| real trust between parties. This is how the great banking
| houses of Europe began, it's how remittance networks
| still work in much of the global south, and it's how
| Jimmy Stewart-style small town bank once functioned.
| National banks with lots of local branches are an
| approximation of this, but the "branches" keep getting
| less and less bank-like: there is no "president" at the
| BoA branch inside Kroger, just somebody with a pulse who
| can technically pass a background check far enough to get
| bonded. Finally, many of the big banks are just closing
| these far-flung branches altogether. Bank of America &co.
| may get many advantages from their enormous scale, but
| they may be undermining their own foundations in the name
| of cost savings by trying to cheap out on "customer
| service" as if banking were just another kind of
| retailing and trust wasn't central to their entire
| business.
|
| They probably know this and don't care because it won't
| happen this quarter or likely even this fiscal year, so
| it doesn't matter to anyone in charge. But it does matter
| to ordinary people trying to conduct their lives without
| being irreversibly de-personed by a flakey customer
| service bot.
| adrianmsmith wrote:
| Banks do have obligations under AML and KYC laws to get
| information from their customers. I mean I know a single
| phone call sounds extreme, but I could believe it.
|
| My bank (in the EU) wrote to me a while back (post, no
| copy to email, no sms, no phone call, etc.) saying if I
| didn't provide info on certain recent transactions (my
| salary) they'd block my account in two weeks. Thankfully
| I wasn't on vacation and saw the letter and answered and
| it was all OK.
| namaria wrote:
| Having information about you (that you provide when
| opening the account) is entirely different from calling
| you out of the blue after you already have an active
| account for long enough that you trust and depend on it
| for your migration status. Refusing then is in no way
| breaching AML/KYC requirements. They would ask them to
| validate the identity on the call, not to gather
| regulatory data on their client. If they didn't have any
| info and were to "call and ask" how would they know it's
| the right person and data anyway?
|
| How is a bank not validating one phone call grounds for
| freezing funds?
| rcxdude wrote:
| I've definitely experienced the first half of the story:
| banks really will do dumb things like this and then be
| surprised when someone is upset by it (anti-fraud
| protection tends to be the worst: a text-message from a
| random unaffiliated number with another unaffiliated
| number to call, where you must then provide account
| details in order to get your card unblocked, and trying
| to call the official number and go through the phone tree
| does in fact, eventually, tell you that it was
| legitimate, but only after hours of being batted between
| departments).
| namaria wrote:
| That's not the half I have trouble believing.
| throwway120385 wrote:
| I understand the desire to be skeptical, but maybe you
| should give individuals the benefit of the doubt and the
| giant multinational corporation the skepticism.
| namaria wrote:
| I'm being skeptical about something someone wrote online
| about something they read online. Don't make this about
| ethics.
| ryao wrote:
| I have had my telephone company ask me to give them a code
| sent to my device. It is presumably to prove to the company
| that the representative is talking to me so that bad actors
| low in the company cannot start randomly messing with
| people's accounts. It is the equivalent of the bad click
| here. The only real defense is to know the difference between
| a mechanism meant to authorize someone at the company and a
| mechanism to authorize you. Confuse the latter for the former
| like the victim did here and bad things will happen.
| braveyellowtoad wrote:
| Interesting. Was that after you called them or they called
| you?
| ryao wrote:
| It was when I called them.
| yorer wrote:
| Ideally yes, no one would fall for that. But these types of
| attacks don't rely solely on ignorance. They introduce
| urgency, the fight or flight situation. Plus the first guy in
| the article got caught up in bad timing where his mental
| condition wasn't right, with his kid crying, his wife yelling
| etc.
| MathMonkeyMan wrote:
| Yes, but you have to know that.
|
| I got a call from "Bank of America," and they smoothly talked
| me into giving them my debit card PIN. The trick was they had
| gotten into my online banking beforehand. "We've detected
| possibly fraudulent activity on your account." Then they read
| me real transactions from my actual account. "To be safe, let's
| lock down the account. For this we need more information for
| authentication, though." Probably started from a phishing thing
| that I fell for online without noticing. It was pretty clever
| of them. Not so easy to steal from a checking account without
| leaving a trail, unless you have the PIN. Then the main risk is
| to whomever was on camera at the ATM withdrawing as much cash
| as possible before the account was automatically locked down.
|
| The next day, I got a call from "Bank of America" telling me
| that I'd been had. Fortunately they just credited the money
| back into my account. About $5000.
|
| The main difference is that the first call wanted me to give
| them information, while the second call advised only "go into a
| bank branch in person."
|
| The article's advice is correct. If someone asks you for info,
| tell them you'll call them back. It is almost certainly a scam.
| Calling back the possibly spoofed number at worst wastes a
| little time being on hold, and at best saves you or the bank a
| lot of money.
| Majromax wrote:
| > Calling back the possibly spoofed number
|
| Don't call back the number possibly being spoofed (i.e. using
| your Caller ID as the source of the callback number). Call an
| independently-listed number for the company, such as the
| phone number on the back of a credit or debit card. Using an
| independent number prevents any failures where the Caller ID
| correctly reports an attacker-controlled but plausible-
| sounding number.
|
| For extra paranoia and safety, perform the callback from a
| separate phone line. That would avoid at least some of the
| more-targeted attacks involving a compromise of the victim's
| phone connection, which could potentially allow the attacker
| to redirect outgoing calls.
| 01HNNWZ0MV43FF wrote:
| "Hang up, look up, call back"
| crote wrote:
| > The main difference is that the first call wanted me to
| give them information, while the second call advised only "go
| into a bank branch in person."
|
| Unfortunately physical branches are expensive to maintain, so
| a lot of banks have been closing them down. There are even
| plenty of banks with _zero_ physical branches now. All
| contact is via phone or email, so there is no scam-proof way
| for them to contact you.
| pavel_lishin wrote:
| They don't have to have a scam-proof way to contact me.
| They just need to give me a way to contact _them_.
|
| That way, any phone call or email to me can be immediately
| ended with me saying "Thanks, I'll call the number on the
| back of my card," and hanging up.
| vel0city wrote:
| Exactly this. Send me a call or text message that maybe I
| should go look at my account. If I log in through my
| normal trusted process and everything looks OK, then I
| can assume it's not legit.
|
| Most banks seem to have some kind of internal message
| center within the application that is just for bank to
| client communications. _That's_ the place to
| authoritatively tell me something needs to happen and
| what potential next steps would be.
| plagiarist wrote:
| Here's a thing that is enraging, though: when a bank has SMS
| 2FA (insecure if you're being targeted but better than
| nothing) and they keep having you enter that into third-party
| websites. I mean going to a legitimate business, making a
| purchase with a credit card, and then the bank wants 2FA to
| validate a purchase instead of a login? Fuck off, I'll use a
| different card, then.
|
| If it weren't for bullshit FICO calculations I would drop
| that account entirely.
| crtasm wrote:
| How were they able to use an ATM without having your card?
|
| I recommend not calling back the incoming number even if you
| think it's real and spoofed, always look it up on the bank's
| website.
| MathMonkeyMan wrote:
| My understanding is that they had a programmable card. This
| might have been just before chips became widespread in
| America. Or, maybe there's still a way to withdraw with
| only the information visible on the card.
| vel0city wrote:
| Depends on the time frame and the ATMs being used.
|
| I don't think all ATMs require chipped cards yet, and it's
| still common to have a debit card issued with a magstripe.
| If the GP used their debit card to pay for things it could
| have easily been duped. My bank issued me a new card for an
| account a few years ago; it still has a magstripe and I
| assume can still be used at magstripe-only ATMs.
|
| If it was even a few years ago, a lot of ATMs would have
| still worked with just a stripe. It's a bit more difficult
| to find these days, but old ATMs still running OS/2 WARP
| are still around and kicking.
|
| It's frustrating so many banks and what not are still
| issuing cards with magstripes. These days I wipe the cards I
| use most with a magnet to try and mess up the magstripe. I
| don't want to ever use it. Generally speaking, if they
| can't take chipped cards, tap to pay, or cash I'm not doing
| business with them.
| crtasm wrote:
| Yeah I get that the magstripe can be copied, but GP was
| referring to a phishing attack.
| vel0city wrote:
| They probably copied the magstripe, but couldn't do a
| straight ATM withdrawal without stripe+pin.
|
| Far easier to track/reverse a debit transaction done as a
| credit card network than debit requiring PIN.
| jeroenhd wrote:
| Sometimes there are good reasons for a bank to call you. The
| infuriating part is that not every bank has a quickly
| accessible number to call back if you don't trust the caller.
| Caller ID may be useless, but me calling the official number
| for my bank is pretty hard to fake (unless my carrier is part
| of the scam).
|
| My bank has a button inside the app that will confirm that a
| real bank representative is calling you, or provides a button
| to call the bank's emergency line if they're not. It's a simple
| and effective way of preventing scams that I think more banks
| should implement.
| ryao wrote:
| An SS7 attack could make your carrier part of the scam without
| their knowledge, such that calling back the number will
| connect you to the scammer and not the bank.
| omoikane wrote:
| If some bank calls you about compromised accounts, the
| recommended action should be to hang up, find the official
| phone number for your bank, wait one minute[1], then call back.
|
| [1] You have to wait or call from a different phone, because
| the call might not terminate immediately, and the scammer might
| still be listening on the line.
|
| https://security.stackexchange.com/a/100342
| benhurmarcel wrote:
| I've had my bank call me because of dubious online purchases,
| asking if it was me. The call was legitimate and my card number
| had been skimmed.
| c22 wrote:
| _> Unbeknownst to him at the time, Google Authenticator by
| default also makes the same codes available in one's Google
| account online._
|
| This sounded absolutely crazy to me so I went to open
| Authenticator on my phone and lo and behold it offered me the
| option of linking to my account and "backing up my codes in the
| cloud" to which I declined.
|
| But I had never seen this behavior before, so is this new? It did
| not seem to be enabled by default in my case.
| acdha wrote:
| It is at least relatively new. Years ago I had to try the
| Google "hard landing" account recovery process because it
| wasn't happening, which is how I learned that they had that
| form going to an email address which had been deleted.
| Fortunately I had paper recovery codes in my safe.
| te0006 wrote:
| Google rolled out that hare-brained "improvement" in an
| update to Google Authenticator a few months ago, with the
| nice extra that for some users, when you dared to unselect
| the new cloud backup checkbox, the secrets stored in the app
| were instantly corrupted in some way, so you were locked out
| of your Google accounts immediately as a bonus <chef's kiss>.
| Happened to a family member, luckily they had a working
| emergency access method. We will never use Google
| Authenticator again.
|
| Recommended alternative: 2FAS
| (https://play.google.com/store/apps/details?id=com.twofasapp)
| which allows you to import the secrets from Google
| Authenticator via QR codes, and has a local backup feature
| (e.g. to a USB drive).
| bsder wrote:
| As a side question: How do I, as a novice, vet a 2FA?
|
| This has all the "looks nice", but I have no reason to
| trust this recommendation over any other social
| engineering.
| te0006 wrote:
| My first impulse after ruling out Google Authenticator
| was to simply switch to Microsoft's Authenticator app
| (which I already had to use for a work-related thing
| anyway), thinking "of course MS would not make the same
| stupid mistake". Turns out they would, and they did. So
| alternatives from smaller vendors were the only option.
| In evaluating them, I focused on popular open-source
| solutions that had the features I deemed important
| (notably, local backup), and looked into the history,
| provenance and reputation of their vendors. Nevertheless,
| some risk will always remain.
| aftbit wrote:
| I used andOTP for years, until the author stopped working
| on it. While it still likely works fine, I've switched to
| Stratum, which likewise supports import from the Google
| Authenticator export QR codes as well as from andOTP,
| authy, and others.
| kibibyte wrote:
| I was one of the fools who installed the iOS 7 beta onto a
| phone that I depended on with Google Authenticator. The app
| had a compatibility issue with that beta release that
| caused it to disappear all my 2FA seeds except, very
| fortunately, for my Gmail. There was a bit of a ruckus
| about this here
| https://news.ycombinator.com/item?id=6112077.
|
| Since then, I always use at least two 2FA apps at the same
| time.
| deathanatos wrote:
| Ugh, yeah, _that_ update.
|
| You didn't have to do anything, either, the update just
| instantly corrupted some 2FAs. How can an app not do a
| TOTP? It's literally just math.
|
| I had to recover a few MFAs from backup codes due to that.
| Charon77 wrote:
| Was about to say this but yeah.
|
| Big brains at google didn't understand the number '2' in 2FA
| mavhc wrote:
| Most people wouldn't realise they can't recover their TOTP
| codes. But the hacker would still need to know your password
| surely
| poincaredisk wrote:
| ...so you agree that this is missing the '2' in 2FA?
| buran77 wrote:
| For "something you have" to be true to its purpose it has
| to be something that has one and only one copy - so
| either only you have it, or you don't, but nothing in
| between. The second you have "cloud backup", or activate
| an additional device, or "transfer to a new device" then
| you turn the attack into "phishing with extra steps".
| kibwen wrote:
| You can support transferring to a new device without
| increasing the phishing risk, the transferral just needs
| to be done via a physical cable rather than via the
| cloud.
| buran77 wrote:
| I'll grant you that it's a _better_ option but by no
| means _good_ if you want to stand on the 2FA hill and put
| security first (only?). That "just" does a lot of heavy
| lifting.
|
| The only time I'd consider transferring a secret like
| this is secure is within an HSM cluster. But these are
| exceptionally hardened devices, operating in very secure
| environments, managed by professionals.
|
| Your TOTP seed on the other hand is stored on any of the
| thousands of types of phones, most of which can be (and
| are) outdated and about as secure as a sieve. These
| devices also have no standard protocol to transfer.
| Allowing the extraction via cable is still allowing the
| _extraction_ , the cable "helps" with the _transfer_.
| Once you have the option to extract, as I said, you add
| some extra steps to an attack. Many if not most attacks
| would maybe be thwarted but a motivated attacker (and a
| potential payoff in the millions is a hell of a
| motivator) will find ways to exfiltrate the copy of the
| keys from the device even without a cable.
|
| This is plain security vs. convenience. The backup to
| cloud exists because people lose/destroy the phones and
| with that their access to _everything_. The contactless
| transfer exists because there's no interoperability
| between phones, they used different connectors, etc. No
| access to the phone is a more pressing risk than phishing
| for most people, hence the convenience over security.
| plagiarist wrote:
| I don't understand the existence of an HSM cluster. I
| thought HSM was meant to be a very "chain-of-custody"
| object, enabling scenarios like: cryptographically
| guarantee one can only publish firmware updates via the
| company processes.
| buran77 wrote:
| The HSM is more generic than that - a Hardware Security
| Module. It's just a hardware (usually, software...
| Hardware security modules exist...) device that securely
| stores your secret cryptographic material, like
| certificate private keys. The devices are _exceptionally_
| hardened both physically and the running software. In
| theory any attempts to attack them (physically open, or
| even turn them upside down to investigate them, or leave
| them unpowered for longer than some hours, attempt too
| many wrong passwords, etc.) results in the permanent
| deletion of all the cryptographic material inside. These
| can be server sized, or pocket sized, the concept is the
| same.
|
| Their point is to ensure the private keys cannot be
| extracted, not even by the owner. So when you need to
| sign that firmware update, or log into a system, or
| decrypt something, you don't use a certificate (private
| key) _file_ lying around that someone can just copy, you
| have the HSM safely handling that for you without the key
| ever leaving the HSM.
|
| You can already guess the point of a cluster now. With
| only one HSM there's a real risk that a maintenance
| activity, malfunction, accident, or malicious act will
| lead to temporary unavailability or permanently losing
| all the keys. So you have many more HSMs duplicating the
| functionality _and keys_. So by design there must be a
| way to extract a copy and sync it to the other HSMs in
| the cluster. But again, these are exceptionally hardened
| HW and SW so this is incomparably more secure than any
| other transfer mechanism you'd run into day to day.
| plagiarist wrote:
| Ah, got it. So in the event someone managed to get
| access, they are limited to signing things in that moment
| on that infrastructure. I can see how that would reduce
| the blast radius of a hack.
| crote wrote:
| I think this is also the main drawback of physical
| U2F/FIDO2/Webauthn tokens: security-wise they are _by
| far_ the best 2FA option out there, but in practice it
| quickly becomes quite awkward to use because it assumes
| you only own a single token which you permanently carry
| around.
|
| Sure, when I make a new account I can easily enroll the
| token hanging on my keychain, but what about the backup
| token lying in my safe? Why can't I easily enroll _that_
| one as well? It's inconvenient enough that I don't think
| I could really recommend it to the average user...
| vel0city wrote:
| I don't quite get this "I need to add every possible
| authenticator I have at account creation or I'm not doing
| it" kind of mentality I see a lot.
|
| When I make an account, if I have at least two
| authenticators around me, I'll set up the hardware
| authenticators or make sure it's got a decent recovery
| set up. As time goes on I'll add the rest of them when
| it's convenient. If I don't have at least two at account
| creation or I don't trust their recovery workflow, I
| guess I'll just wait to add them. No big deal.
|
| If I'm out and I make an account with $service but I only
| have my phone, I'll probably wait to add any
| authenticators. When I'm with my keys, I'll add my phone
| and my keyring authenticator to it. When I sit down at my
| desktop sometime in the next few days and I use $service
| I'll add my desktop and the token in my desk drawer to
| it. Next time I sit down with my laptop and use $service,
| I'll add that device too. Now I've got a ton of hardware
| authenticators to the account in question.
|
| It's not like I want to make an account to $service,
| gotta run home and have all my devices around so I can
| set this up only this one time!
| poincaredisk wrote:
| >When I make an account, if I have at least two
| authenticators around me
|
| If you do, you're in a tiny minority of users. Well, even
| if you have one you're in a tiny minority, but having two
| laying around is extremely unusual.
| vel0city wrote:
| Only because I bothered to buy a few. If they're making a
| new account they're probably on a device which can be an
| authenticator, i.e. a passkey. Is it rare for people to
| be far away from their keyring where they potentially
| have a car key and a house key and what not?
|
| Do most people with hardware authenticators not also have
| laptops, desktops, or phones? They just have an
| authenticator, no other computers?
|
| This person I replied to already has two hardware tokens.
| They probably also have a phone that can be used with
| passkeys, they probably also have a laptop which can be
| used with passkeys, they might also have a tablet or
| desktop which can be used with passkeys. That person
| probably has 3-6 authenticators, and is probably with two
| of them often if they carry keys regularly.
| crote wrote:
| Ideally this would destroy the initial copy too - but
| forcing physical access would indeed be a _great_ start.
| buran77 wrote:
| Even so, if you have a copy even for a fraction of a
| second then you can have two copies, or skip the
| deletion, or keep the temporary copy that was used during
| the transfer. Even the transfer process could fail and
| leave a temporary file behind with your secrets.
| radicality wrote:
| I quite like Apple's Advanced Data Protection, I set it
| up with two physical yubikeys recently. To login to
| iCloud/Apple on a new device that's not part of your
| trusted devices, you must use the hardware token.
| mavhc wrote:
| They'd have to know your password, and get you to click
| your 2FA accept button, that's 2 factors still
| karel-3d wrote:
| They added this recently, because lots of people complained
| to Google that they lose their tokens; Authy and others
| started to gain traction because they did synchronization.
| Google was pretty much forced.
|
| I know, 2FA loses the entire point when it's synchronized.
| But, well. People lose their stuff all the time!
| eadmund wrote:
| It's possible to synchronise secrets without sharing them
| with a third party: just encrypt them locally, transmit to
| third party, download to other device, decrypt.
|
| This could be made easy for users by having each device
| share a public key with the third party (Google, in this
| case), then the authenticator app on one device could
| encrypt secrets for the other devices.
|
| This would be vulnerable to Google lying about what a
| device's public key is, of course, but enduring malice is
| less likely (and potentially more detectable) than one-time
| misbehaviour.
| michaelt wrote:
| _> It's possible to synchronise secrets without sharing
| them with a third party_
|
| Sadly the problem Google is actually trying to solve is
| providing security for the dumbest people you've ever
| met. Dumbasses are entitled to security too!
|
| I'm talking people who've lost access to their e-mail,
| and their phone number, and their 2FA all at once. Then
| they've also forgotten their password.
|
| No password manager, no backup phone, no yubikeys, no
| printed codes, no recovery contacts, nothing.
| rawgabbit wrote:
| You're describing the majority of my extended family.
| Some of whom are well educated and tech illiterate.
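The scheme eadmund sketches above (encrypt the secrets locally, let the sync service store only ciphertext, key each copy to a specific device's public key), carried through as an added example. This is not code from the thread, and it is not how Google Authenticator's cloud backup actually works; it is one way to build what the comment describes, in Go with X25519 from crypto/ecdh, a hand-written HKDF-SHA256 and AES-GCM. The device names, the envelope layout and the fingerprint format are assumptions made for illustration. The Fingerprint function exists for the caveat raised in the same comment: a sync service that substitutes its own public key for a device's is only caught if the user compares fingerprints out of band.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Device holds one enrolled authenticator's long-term X25519 key.
// Only the public half is ever uploaded to the sync service.
type Device struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewDevice(name string) (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, priv: priv}, nil
}

func (d *Device) PublicKey() []byte { return d.priv.PublicKey().Bytes() }

// Fingerprint is what the user compares on both screens; without that
// check the sync service could hand out a key it controls instead.
func Fingerprint(pub []byte) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Envelope is all the sync service ever stores: enough to route it to
// the named device, nothing it can read.
type Envelope struct {
	Recipient    string
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// deriveKey is HKDF-SHA256 (extract, then one expand block) written out
// by hand so the example does not depend on Go 1.24's crypto/hkdf.
// The salt string is an arbitrary constant chosen for this example.
func deriveKey(shared, ephPub, recipientPub []byte) []byte {
	ext := hmac.New(sha256.New, []byte("authenticator-sync-v1"))
	ext.Write(shared)
	prk := ext.Sum(nil)
	exp := hmac.New(sha256.New, prk)
	exp.Write(ephPub)
	exp.Write(recipientPub)
	exp.Write([]byte{0x01})
	return exp.Sum(nil)
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the secrets for one recipient device using a fresh
// ephemeral X25519 key; the recipient name is bound as associated data
// so an envelope cannot be re-addressed.
func Seal(recipientName string, recipientPub, plaintext []byte) (*Envelope, error) {
	curve := ecdh.X25519()
	rpub, err := curve.NewPublicKey(recipientPub)
	if err != nil {
		return nil, err
	}
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(rpub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aead(deriveKey(shared, ephPub, recipientPub))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recipientName))
	return &Envelope{Recipient: recipientName, EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the receiving device with its private key. Any other
// device, and the sync service itself, gets an authentication error.
func (d *Device) Open(env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := d.priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(deriveKey(shared, env.EphemeralPub, d.PublicKey()))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Recipient))
}

func main() {
	phone, _ := NewDevice("phone")
	tablet, _ := NewDevice("tablet")
	// Constructed sample payload (not a real account): the provisioning
	// URI an authenticator would want to sync to a second device.
	secrets := []byte("otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP")
	env, _ := Seal(tablet.Name, tablet.PublicKey(), secrets)
	fmt.Println("tablet fingerprint to confirm on the phone:", Fingerprint(tablet.PublicKey()))
	pt, err := tablet.Open(env)
	fmt.Printf("tablet opens: %q (err=%v)\n", pt, err)
	_, err = phone.Open(env)
	fmt.Println("phone opens:", err)
}
```

The point of the ephemeral key plus AEAD is that the stored blob is useless to whoever operates the storage, which is the property the comment asks for; the remaining trust in the service is limited to the key directory, hence the fingerprint step.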
| aftbit wrote:
| I've had customers tell me that they cannot use email
| verification to meet a 2FA compliance requirement because
| it's not a second factor, but somehow SMS is. I always push
| back with "why not just good old TOTP" and the answer is
| that it's too easy for a customer to lose because it is
| only on their device. Like yeah... that's what makes it a
| real second factor.
| naniwaduni wrote:
| The active ingredient in 2FA as practically implemented for
| nearly everyone has never been the 2. It's mostly just not
| letting humans choose their entire password.
| marcosdumay wrote:
| It's because everybody wants to put everything in 2FA
| protocols, because people just can't use passwords...
|
| And the fact that one of those doesn't lead to the other
| passes way over their heads.
| criddell wrote:
| I use Authy and it does this too. I like that I can get the
| code on my phone or tablet. I also keep paper copies of the
| original QR codes in a safe place.
| jeroenhd wrote:
| The trick with Authy is to disable multi-device access unless
| you're in the process of adding another device, so hackers
| and scammers can't add their own devices to your account
| without your aid. If you leave the setting enabled, someone
| may get your TOTP secrets from Authy before you can stop
| them.
| tasuki wrote:
| No. That's not "the trick". As soon as it's in the cloud,
| it's over, it's gone, you've lost the game.
| criddell wrote:
| I've been using Authy for around ten years now, so I lost
| the game a decade ago and the consequences have been
| nothing and the benefits have been something. Not a bad
| loss IMHO.
| mannykannot wrote:
| If there is a trick to doing something securely, then that
| is already an automatic fail.
| Natfan wrote:
| You can just decode the QR code and use whatever secret is in
| there to generate the OTP codes. TOTP isn't that complicated,
| it's really just a second password that the system generates.
| nilamo wrote:
| While true, I haven't yet seen an authenticator app that
| lets you just dump the TOTP code yet...
| kibibyte wrote:
| 1Password can show the whole URI with the seed, and I
| have used it in the past to tediously restore seeds to my
| other 2FA apps.
| andyjohnson0 wrote:
| Just checked and Google authenticator seems to be synced to my
| account, which is a huge SPOF and not what I want. It's
| possible that I did this without realising, but does anyone
| know of a way to revert authenticator to local-only? I don't
| see anything obvious.
| mkbkn wrote:
| Better option is to not use Google's TOTP app. Use something
| else
| from-nibly wrote:
| You can't revert, the keys are sent, they have them. They
| can't un have them. You'll need to rotate your MFA.
| andyjohnson0 wrote:
| > You can't revert, they keys are sent, they have them.
| They can't un have them. You'll need to rotate your MFA.
|
| Not true. See https://news.ycombinator.com/item?id=42471459
| shkkmo wrote:
| You've missed the point entirely. The point is not that
| you can't recover the codes. The point is that if you are
| concerned about uploading codes due to the security
| implications (which most people on here are) then you
| need to do more than just disabling uploading, you also
| have to go rotate all the secrets that were uploaded.
| andyjohnson0 wrote:
| I understood the point, thanks. But I'm concerned about
| the scenario in the article, where someone did a device
| recovery and got access to the cloud synced auth codes.
|
| I don't particularly like that my codes were apparently
| synced to Google's cloud without my being aware, or the
| ux that prevented me from noticing. But I'm pretty
| confident that, having disabled the cloud sync, Google no
| longer has my codes.
|
| (And in fact I verified this by installing the
| authenticator on a tablet before turning off sync on my
| phone. The codes vanished from the tablet.)
|
| In principle, yes I should rotate all the secrets.
| Because google may have borked their data retention, or
| is just outright lying and keeping my secrets. In
| practice, though, for my personal account, I'm content
| that nothing has been compromised.
| shkkmo wrote:
| > But I'm pretty confident that, having disabled the
| cloud sync, Google no longer has my codes
|
| Based on just your intuition. Since you don't have access
| to the backend specs or code, assuming this isn't a
| responsible security practice. It is a shortcut you can
| choose to take personally but should never take with any
| professional credentials.
|
| I'm going to point out that you responded "Not true."
| instead of adding a caveat about how you personally
| choose to ignore security best practices for personal
| accounts.
| andyjohnson0 wrote:
| > I'm going to point out that you responded "Not true."
|
| I could have been clearer, but that was in response to
| the assertion of "you can't revert".
| andyjohnson0 wrote:
| > does anyone know of a way to revert authenticator to local-
| only?
|
| To answer my own question: tap the profile pic (top right on
| Android) and choose the Use Without an Account option.
| Removes codes from cloud storage and any _other_ devices.
| Mentioned in TFA.
| rawgabbit wrote:
| I am literally mind f** by the wording "Use Authenticator
| without an Account". This is one of the most tortured and
| cryptic phrases I have seen. Government legalese is more
| straightforward than Google.
| michaelt wrote:
| _> It's possible that I did this without realising_
|
| IIRC on my platform, when they added the feature they turned
| it on by default, as an auto-installed update.
|
| And if you're logged into the gmail app on the same device
| that also logs you into authenticator.
|
| You didn't do anything wrong.
| tasuki wrote:
| FWIW, I still remember recoiling in horror when I was asked
| whether I wanted to sync my Google Authenticator stuff.
| dmonitor wrote:
| I remember getting prompted for it on iOS when they added
| it. I still have it turned off.
| Tester4675 wrote:
| What's crazy to me is that Google would allow access to a
| foreign device from a single click. It would be easy for a
| person to accidentally click it, or for a kid playing on their
| parents' device to click it when it popped up. I really can't
| understand why they wouldn't send a code that would have to be
| entered instead; it would be far less prone to those kinds of
| problems.
| vel0city wrote:
| "foreign device" based on IP geolocation is pretty tricky and
| annoying.
|
| My home in Texas had an IP address which a lot of databases
| had as supposedly being in Montreal. It was like that for
| years. Gotta love so many sites trying to default to French.
| UltraSane wrote:
| As a network admin I have found that whitelisting only US
| address space for my company's IPs drastically reduces how
| many attacks we get.
| vel0city wrote:
| As a person who had to deal with clients, I have found
| whitelisting to only "US address space" lead to lots of
| clients being unable to access the services until they
| were whitelisted.
|
| As a person who had to deal with other associates, I also
| found whitelisting only US address space led to a number
| of people being unable to connect from their homes.
|
| As a person who had this happen to them, I had quite a
| lot of frustrations with services insisting they couldn't
| provide me service because Texas is in Canada apparently.
| UltraSane wrote:
| Of course, before implementing this I log all IPs and
| verify that we don't have any legitimate traffic coming
| from non-US IPs, and whitelisting a few IPs isn't a big
| deal. Of course a medium sized manufacturing company in
| the Midwest isn't going to have much need for people
| connecting to us outside the US.
|
| I'm actually working to get rid of any public IPs that
| aren't a VPN access point.
| vel0city wrote:
| > any legitimate traffic coming from non-US IPs.
|
| If it's not actually reaching you to log in and what not,
| how do you know it's legit or not?
|
| How do you know it's US traffic or not in the end?
|
| I'm not saying it's not something anyone can reasonably
| do, but I've both been the gatekeeper required to
| implement/support such a policy and been someone burned
| by it. It shouldn't be assumed the block lists are
| actually that good.
| UltraSane wrote:
| This is an argument over the accuracy of georeferencing
| IP addresses and in my experience it is adequate for my
| needs.
| vel0city wrote:
| I guess Texas is in Quebec.
| jsnell wrote:
| How would a code help? The victim has already bought into the
| social engineering. If the person on the phone asks the user
| to read out a code, they will. If the person on the phone
| asks them to enter a code (i.e. the version of this kind of
| prompt where the user needs to enter a code on the phone
| matching the one showing on the login page), they will.
| shkkmo wrote:
| Every step you make someone who is being socially
| engineered jump through is an extra chance for them to
| realize what is happening, especially if those steps
| contain warnings.
| UltraSane wrote:
| Google only added this feature recently. I am really conflicted
| about this feature. Without it you need to either save every
| TOTP code when you first set up the account or manually disable
| 2FA on every account and then enable it again so you can enroll
| it on a new phone. I used it when migrating to my most recent
| cell phone but then disabled it. Of course you have to trust
| that Google actually deletes the codes from your account.
| TimTheTinker wrote:
| Generating and storing your passwords, OTPs, and passkeys in
| a fully E2EE system like 1Password is effectively a root of
| trust, although you also have to trust (a) the password
| manager company, (b) whatever third-party systems and devices
| they use to build and deliver their software, (c) the quality
| of their cryptosystem, and (d) whatever device you use to
| decrypt/access secrets in your vault.
| UltraSane wrote:
| I trust 1Password. They are very open about how they
| encrypt data and how the key is derived. I like how they
| store your encrypted data locally in a SQLite DB. My only
| real concern is with storing passkeys because they cannot
| be stored locally yet and you are granting 1Password
| control over your access to any site you need a passkey
| stored with them. They are working on a passkey exporting
| process. I would feel better if I could have the same
| Passkey stored by 1Password and Azure and Google.
| tempestn wrote:
| What is the advantage of passkeys compared to managing
| unique passwords with 1pw? Is there any tangible benefit
| to switching, besides that Google et al will stop
| hounding you to do so?
| UltraSane wrote:
| Passkeys are asymmetric keys so a hacked site cannot leak
| the hash or even the plaintext of a passkey. And the
| private key is never exported to insecure hardware. Funny
| how so many Linux gurus have been shitting on using
| passwords for SSH for decades in favor of using SSH keys
| and now that there is an actual effort to use what are
| essentially SSH keys tied to a specific domain they are
| rejecting it.
| emmelaich wrote:
| Same with me, I had set up MFA using Google Auth for an
| important account I use.
|
| Next day the phone broke, and I lost that account forever. I
| had not written the backup codes down anywhere.
| ufmace wrote:
| Yup. If you DON'T have this feature, you're depending on
| every user who has TOTP 2FA to actually save their backup
| codes somewhere they can retrieve ~years later or back up
| their TOTP some other way manually. Naturally, most users
| will fail to do this, so you'll have to deal with how to
| securely reset the accounts of people whose phones got lost
| or destroyed.
|
| But then if you DO have it, you have to deal with the
| situation in this story, where if you can compromise their
| one key account, you get all of their TOTP codes too.
| __turbobrew__ wrote:
| There is a big gap in the greater security landscape here. I
| personally use hardware authenticators for this reason, but I
| have to manually enrol each security key for each account.
|
| Really what I would like is a root of trust which maybe is a
| cipher text which I can store in several physical locations,
| and then my security keys are derived from that root of trust.
| Then when I set up 2fa with a service it is using the root of
| trust and seeing that my security keys are is derived from that
| root of trust. This allows me to register the root of trust
| only once and then I can use any key derived from it.
| AgentME wrote:
| Some cryptocurrency hardware wallets such as Trezor's are
| usable exactly how you want: they support fido2/webauthn and
| derive their keys from the recovery seed phrase. You can
| write down the recovery seed phrase, initialize other
| hardware wallets with the same recovery seed later on, and
| they will present to a computer as the same fido2/webauthn
| token.
| emmelaich wrote:
| If it's hardware it can break or be lost or stolen.
| Symbiote wrote:
| I'm shocked how often one of my ~50 colleagues asks me to reset
| their 2FA. It's every 6-8 weeks or so.
|
| Their personal accounts will be affected in the same way (lost
| phone, new phone etc).
| vouaobrasil wrote:
| I feel like attacks like this would be much harder if we had
| never adopted HTML emails. Then it would make more intuitive
| sense (for the user) for an institution to write:
|
| (1) Go to our website
|
| (2) Login and check your account
|
| Of course, legitimate emails do that now, but because of the way
| we've been trained to "click" (such as "click to verify your
| email"), this conditioning carries over to phishing and other
| attacks, whereas that would be impossible with plain text. With
| plain text, the email verification would have to be "paste this
| code into a box".
| MathMonkeyMan wrote:
| Email clients would probably still parse URLs into links.
| People would click them. Then people would prefer links that
| didn't look like gobbledygook, so email clients would start
| supporting extensions like parsing of [markdown-style
| links](https://gobbledygook.com/ddkf878dfjlsfd). And then we
| would arrive at HTML.
| mdaniel wrote:
| > Then people would prefer links that didn't look like
| gobbledygook
|
| Well, I can say with relative confidence that _people_ prefer
| those links but _marketers_ prefer
| hxxps://awsmail.me/b64trustmebro/8675309== that leads who fucking
| knows where
| drcongo wrote:
| The red-flag he should have spotted was Google "Support".
| coldcode wrote:
| The idea that Google would spend money to help a non-business
| user for anything is beyond unlikely.
| Atotalnoob wrote:
| They don't even support businesses. We pay for whatever the
| highest tier of support is.
|
| We have been emailing our TAM (or whatever Google calls them)
| for weeks (and opening tickets)
|
| They keep giving us the same fucking documentation link.
|
| Literally useless.
|
| Another instance we were using code from their docs and they
| refused to help saying they don't look at code ever.
| MichaelZuo wrote:
| The highest enterprise support tiers at Google cost
| millions of dollars per month... you probably mean the
| highest listed on their website for small to medium
| businesses.
| Atotalnoob wrote:
| No, it's in the millions.
| MichaelZuo wrote:
| Then it's pretty surprising considering your company would
| have a direct line to multiple senior people at Mountain
| View...
| Dansvidania wrote:
| I mean, the email says it's from Google Forms. Is that not
| suspect enough?
| michaelt wrote:
| Unfortunately, when a person is getting support from a large
| corporation it's completely routine and normal for the
| follow-up e-mail to have random extra branding like "zendesk"
| or "atlassian" or "salesforce".
|
| It's a clever move by the scammers - I can see how people
| would fall for it.
| duckmysick wrote:
| My favorite bit:
|
| > More importantly, Tony recognized the voice of "Daniel from
| Google" when it was featured in an interview by Junseth, a
| podcaster who covers cryptocurrency scams. The same voice that
| had coaxed Tony out of his considerable cryptocurrency holdings
| just days earlier also had tried to phish Junseth, who played
| along for several minutes before revealing he knew it was a scam.
|
| > [...]
|
| > Daniel told Junseth he and his co-conspirators had just scored
| a $1.2 million theft that was still pending on the bitcoin
| investment platform SwanBitcoin. In response, Junseth tagged
| SwanBitcoin in a post about his podcast on Twitter/X, and the CEO
| of Swan quickly replied that they caught the $1.2 million
| transaction that morning.
|
| > Apparently, Daniel didn't appreciate having his voice broadcast
| to the world (or his $1.2 million bitcoin heist disrupted)
| because according to Junseth someone submitted a baseless
| copyright infringement claim about it to Soundcloud, which was
| hosting the recording.
|
| > The complaint alleged the recording included a copyrighted
| song, but that wasn't true: Junseth later posted a raw version of
| the recording to Telegram, and it clearly had no music in the
| background. Nevertheless, Soundcloud removed the audio file.
|
| DMCA enabling bad actors to cover their tracks was not on my
| bingo list.
| dessimus wrote:
| Are there examples of DMCA being used in a positive manner?
| andrewflnr wrote:
| You mean besides literally all the times when people upload
| raw copyrighted movies and music to YouTube? DMCA is boring
| and un-newsworthy when it's working properly. (Unless you're
| the type who thinks copyright is inherently wrong, but it
| would then be very silly to ask if DMCA was ever "used in a
| manner".)
| bdndndndbve wrote:
| I wonder if people who are "invested" in cryptocurrency are more
| susceptible to these kind of scams. There's a strong aspect of
| FOMO in getting people to buy imaginary internet money, and also
| in getting them to panic and fumble said internet money.
| nine_k wrote:
| While "Nigerian spam" scams profit off simple-minded gullible
| people, cryptocurrency scams profit off sophisticated gullible
| people.
| plagiarist wrote:
| I wonder if it is just harder to give away several million
| dollars of government currency without being able to recover
| it? This is only an interesting story because it is so much
| money and because they are able to narrow the suspects down to
| a small group.
|
| Cryptocurrencies are like speedrunning the discovery of why
| finance is regulated, though, that is certainly true.
| acdha wrote:
| I think you're saying the same thing from the other side:
| it's definitely true that it's harder to get or transfer
| large amounts of real money because the system has layers of
| protection due to past fraud, but those fraud protections
| also mean that most people can't get the kind of paper
| profits which lure people to cryptocurrencies. This gives
| scammers the appealing target of a self-selected group of
| financially unsophisticated people who have chosen a system
| designed to make large scale theft easy and safe.
| chimen wrote:
| One of the reasons I stay away from it is that, at least in
| recent years, every scam that I see taking place involves
| crypto. I have a lot of acquaintances and I can almost draw a
| line at this stage: the higher the "shadiness" of the person,
| the more they are invested or talking about crypto. I have yet,
| even though I've owned it, to have had the need to use crypto in
| my daily/weekly/monthly/yearly life.
|
| It is very easy to destroy lives with it as we can see in this
| case, and making it harder to do so will work against the very
| nature of this tech. This is a tough nut to crack but I think
| the space will remain filled with predators constantly baiting
| prey into the system with the promise of a big reward.
| mrguyorama wrote:
| "You can't undo a transaction" is a core feature of crypto.
| This is hilarious, because in actual payment networks, it
| literally only benefits scammers.
|
| Every consumer ever has at one point or another wanted or
| needed to reverse a transaction. Chargebacks are a _FEATURE_
| of credit cards.
| BobaFloutist wrote:
| You know how in old crime fiction there was often an
| episode with "bearer's bonds" where up top they define
| bearers bonds as "this just belongs to whoever holds it, so
| be very careful" and you just _know_ they're going to get
| stolen immediately?
|
| That's how I feel about crypto.
| yokem55 wrote:
| Reversibility is great for consumers who are sending money
| in exchange for products and services. It can be a
| nightmare for people who receive the money and are
| providing the products and services.
|
| And it isn't just businesses who carry this risk. If a
| business was depending on a large inflow to make payroll,
| and that inflow gets reversed, the people who are expecting
| payment for their labor also are subject to a payment
| reversal.
|
| There's definitely a lot of benefits to reversibility, but
| it has very real costs and tradeoffs.
| rs999gti wrote:
| Traditional banks and the financial industry are generally sub-
| optimal, but at least if you are scammed, they will do their
| best to either recover your money or return you whole.
|
| To have this safety, money and finances have to be centralized,
| regulated, and governed, all of which crypto doesn't have and
| doesn't want.
| cesarb wrote:
| > they will do their best to either recover your money or
| return you whole.
|
| And if they don't, the courts can force them to do it _and_
| give you some extra money for the trouble.
| foxglacier wrote:
| No they won't. If you bank transfer money to a scammer, the
| bank won't refund you, nor can they recover it. If you give a
| scammer your bank access credentials, they also won't refund
| you because you broke the TOS.
| Symbiote wrote:
| They may well block the transaction before it's made, for
| cases like this.
| frereubu wrote:
| Not true in the UK:
| https://www.bbc.co.uk/news/articles/cy94vz4zd7zo
| foxglacier wrote:
| Wow
| flooow wrote:
| It's obviously going to be much much more difficult to steal
| $450K from an actual bank account and get clean away - you're
| going to need a lot more proof of identity than a google login.
| From that POV, owning a lot of cryptocurrency is painting a
| target on your back.
| nytesky wrote:
| How do they identify their marks? A random firefighter seems
| like an odd target.
| PleasureBot wrote:
| Could just be people talking about crypto on social media
| directly saying that they own some. Would not be too hard
| to find accounts where you can clearly identify the person
| behind the twitter handle, facebook profile, instagram
| account or whatever talking about that online. We're only
| hearing about people who happened to lose a huge amount of
| money but lots of people probably fell for this scam and
| lost money on the scale of $100 or $1000.
| hn_user82179 wrote:
| that's a good point. People who follow crypto accounts on
| social media probably own some amount, so it's pretty
| easy to go from there.
| derangedHorse wrote:
| I found this video, titled 'To Catch a Scammer: How a real-
| life criminal steals your bitcoin' pretty informative. An
| employee is able to go into detail on how scammers find
| their marks: https://youtu.be/pskUt4ZjM4M
|
| The video linked in the article by Junseth also goes over
| some of this.
| Hilift wrote:
| 100%. It's been that way forever too. I've caught numerous
| people setting up mining crap, it's everywhere and anyone that
| shouldn't be trusted but is probably will be a vector.
| plagiarist wrote:
| > By default, Google Authenticator syncs all one-time codes with
| a Gmail user's account, meaning if someone gains access to your
| Google account, they can then access all of the one-time codes
| handed out by your Google Authenticator app.
|
| When business guys are involved in a security app, many of us can
| easily imagine the "user story" that caused this.
| vel0city wrote:
| Just look at the probably hundreds or more comments here
| through the years of people bashing Google for having their
| authenticator app not sync TOTP secrets to the cloud. For the
| longest time it was pulling teeth to get the app to surrender
| the TOTP secrets saved inside.
|
| Google listened.
| the__alchemist wrote:
| The start of the article and comments thus far focus on the
| authenticator/Google account scam. I think a separate topic of
| note is taking a photo of the wallet recovery words [on an
| internet-connectable device]. This was, IMO, the primary mistake
| the user made. (And an easy one to make if you don't consider its
| consequences)
| andrewflnr wrote:
| What I want to know is if the attackers knew that the photo was
| there, and if so, how. Or were they just planning to get into
| the victim's gmail and exploit whatever they found?
| vel0city wrote:
| I had these people call me the other day. I got a text message
| alerting me of a potential Google account security issue they had
| blocked and that I should expect a call. I also got one of those
| emails and an automated phone call. The automated phone call had
| me dial 1 if I wanted a call back from support to help recover my
| account.
|
| I got a call from a very professional sounding woman assuring me
| she was with Google and they had discovered some potentially
| fraudulent activity with my Google account in Frankfurt. They
| said they had locked down my account to protect it but they would
| walk me through recovering it.
|
| I knew this was impossible, because the Google account in
| question doesn't have passwords. It has a couple of passkeys
| which are all physical hardware tokens in my home. But I wanted
| to see how pushy they would get.
|
| Turned into a half hour phone call with me playing dumb (was
| watching my kid's sports practice, nothing to do for a half hour
| but cheer him on). Eventually when I was done with it I let them
| know I was in the process of filing the report with the federal
| cybercrime department. Immediately hung up from that.
| baxtr wrote:
| Frankfurt of all places!
| ffsm8 wrote:
| Frankfurt is actually notorious in Germany for their issues
| with drugs. Going outta the train station you can see ppl
| passed out with literal needles in their arms, taking a shit
| in public view etc
|
| Doesn't really transfer to cyber crime, but it's definitely
| one of the more "criminal" places in Germany. Still super
| tame compared to actual slums etc though
| WalterBright wrote:
| The last time I was in Frankfurt was maybe 20 years ago. I
| suppose things have declined quite a bit since then.
| locallost wrote:
| Notorious on social media perhaps. I am yet to see someone
| in Frankfurt passed out with a needle in their arm. I've
| been to Frankfurt several times in the last years -- slept
| once in a hotel near the train station, spent a couple
| hours until 2-3am at and around the train station because
| of a missed train, spent a lot of time waiting for my next
| train connection etc.
| thebruce87m wrote:
| > I knew this was impossible, because...
|
| There's an easier tell. It's impossible because you can't
| get Google to help you at all about any account issues, never
| mind them being as proactive as to call you.
|
| In other words if Google call you, it's not Google.
|
| It's slightly depressing that there are probably more fake
| Google support staff than real ones.
| AlienRobot wrote:
| If it weren't for the routine ex-Googler postmortem blog post
| shared on HN I'd think Google doesn't even have human
| employees.
|
| The greatest mystery of my life is what is a "Google Product
| Expert" on their community forums whom I assume:
|
| 1. isn't an employee speaking as the company.
|
| 2. is someone given the title by the company.
|
| 3. spends a lot of time answering questions despite not being
| paid for it.
|
| 4. can contact Google employees somehow.
|
| The only perks for this that Google lists is that you can
| join a secret club of Google Product Experts. It feels like
| gig economy applied to customer support.
| nox101 wrote:
| several huge companies do this. here's one
|
| https://discussions.apple.com
|
| so frustrating
| rawgabbit wrote:
| But if you have a problem and you need to show that you
| own appleid xxxx@xxx.com, can't you go to an Apple Store
| and they will help you? I believe the frustration with
| Google is that there is not an actual human the regular
| person can talk to.
| lotsofpulp wrote:
| Apple isn't a good example to use here because you can
| contact a human at Apple very easily:
|
| https://support.apple.com/contact
|
| They will even remote into your device and walk you
| through how to do something.
| bad_haircut72 wrote:
| They will reach out to try and help sell you more ad spend.
| If that was a scam it's very good cause they set up my adwords
| campaign for me.
| thanksgiving wrote:
| I have a similar anecdote which isn't very relevant except
| it felt like googlers now care about how they can help make
| google more money. I would have never expected engineers at
| Google to care about how to make more money for google like
| doesn't the money just flow in...
| Nzen wrote:
| In case you would like a concrete example to ground the
| cynicism about corporate trade offs around customer support,
| I recommend watching Jill Bearup's 10 minute video [0] about
| this week's demonetization. For example, she has to deal with
| some form that she "can't submit", a customer service contact
| 12 time zones away (so email replies are 12 hours delayed),
| and an account manager who is non-responsive. In her court,
| are some unaffiliated google employees giving guidance, but
| only because they were already part of her youtube watching
| audience.
|
| [0] https://www.youtube.com/watch?v=6RZHajVV9PA
| maeil wrote:
| > For example, she has to deal with some form that she
| "can't submit", a customer service contact 12 time zones
| away (so email replies are 12 hours delayed),
|
| At that point I'd set up an LLM agent to reply for me. Big
| Tech are no longer the only ones who can pretend to be a
| human.
| HeyLaughingBoy wrote:
| I smell a product idea...
| avidiax wrote:
| I feel Google, Facebook, etc. all need to setup actual phone
| numbers and chat rooms, and make them rank highly on searches
| for "Google support phone number", "Google fraud department",
| "Google account recovery department", "Google Live Support
| Chat" etc.
|
| Then those numbers should simply play a message that this is
| the only official phone number, and no human will ever call
| from or answer this number, and the company does not offer
| customer support or appeals to account problems.
|
| They also need to make searching for fraud phone numbers
| return anti-fraud messaging rather than what it currently
| does. Seems like the entire 844-906 exchange is fraudulent
| [1].
|
| I had a family member that just got scammed because they
| panicked after their Facebook account got banned, basically
| exactly like [2].
|
| [1] https://www.google.com/search?q=844-906
|
| [2] https://www.npr.org/sections/alltechconsidered/2017/01/31
| /51...
| otteromkram wrote:
| Where do you think Google would rank its own support, help,
| etc., contact pages and info if not at the top of searches
| like the ones you mentioned?
| fn-mote wrote:
| The problem is the subjunctive here.
|
| It's not where they _would_ rank ... it's where they
| currently _do_ rank.
|
| In my test, the AI Overview produced accurate information
| ("Google does not offer phone support for account
| recovery") but none of the other hits on the first page
| say anything like "Phone support calls are always fraud.
| Google will not call you."
| Super_Jambo wrote:
| I think the point they are making is that google will let
| the fraudsters pay to place higher than the warnings
| because it's profitable to do so.
| dustyventure wrote:
| If there is only one time they would honor their fair
| market obligations and not raise their own rankings, it
| would be on a cost center like free tech support to
| consumers.
| andrepd wrote:
| Or, hear me out: provide actual customer support.
| SideQuark wrote:
| To 4+ billion customers. Not possible at any realistic
| company size.
|
| If you or any person figured out how to do such a thing
| you'd be the next trillion $ company.
| 4oo4 wrote:
| That's a consequence of growth they should have thought
| of and a basic part of running any business.
|
| At least in the US Attorneys General are being forced to
| do this work for them. It's essentially the only way to
| get a hacked Facebook/Instagram account recovered.
|
| https://www.engadget.com/41-state-attorneys-general-tell-
| met...
| Retric wrote:
| Users in low wage countries with minimal profit per
| customer don't preclude US / Canadian tech support
| where they get 20+x the revenue per user.
|
| They are making 10+$/month per user for a few hundred
| million, and have a large profit margin that easily pays
| for basic tech support.
| HeatrayEnjoyer wrote:
| The corps want you to believe that but it's not true.
|
| India requires direct customer support by law.
| mafuy wrote:
| If your scaling requires you to ignore some laws and
| regulations, maybe your scaling is just a wet dream that
| should not become reality, and still attempting it should
| be punished. It's just the cost of doing business.
| andrepd wrote:
| Nonsense. It's (moderately) expensive, it's a cost. It's
| far from impossible, the proof of that being that huge
| companies did and do provide customer support.
|
| Big tech loves "stripping unnecessary fluff" and "being
| efficient". Turns out the "unnecessary" stuff is there
| for a reason. The automatic management + zero customer
| support is dystopian to say the least.
| coliveira wrote:
| Somehow Google and other tech companies are not required to
| have a customer service that actually solves the legitimate
| problems customers have with their services. I wonder how
| they are allowed to do this not just in the US but across the
| world.
| cj wrote:
| I pay for Google Workspace for my personal Gmail account.
| It's billed per user (with no minimums) so it's actually
| very cheap even for the "enterprise" version.
|
| The support is excellent. I can get a human on a live chat
| and request a screenshare and phone call session with a few
| clicks in under 10 minutes.
|
| But of course that's only available to me because I pay for
| the business version of Google albeit for personal use.
| thephyber wrote:
| Software is not considered a "product", so it doesn't come
| with the government protections against companies that sell
| defective or dangerous products.
|
| Also, you don't pay for Google. It's a free search engine
| and a free email service. You get tech support if you pay
| for the enterprise workspace features.
| coliveira wrote:
| So, if it's not a product it shouldn't be sold or leased,
| and people shouldn't be hired to build it.
| lockyc wrote:
| Unless their salespeople are calling you
| Sohcahtoa82 wrote:
| Being guaranteed to be able to talk to a human would be
| great, but I just don't see how it can possibly scale to over
| 1 billion users that aren't paying like gmail has.
|
| Years ago, my brother used to work for XBox Live Tech
| Support, and he said that easily over half the calls he got
| were for things that customers could easily self-service,
| like a password reset. Many tech issues were fixed by the
| most basic troubleshooting step: Power cycling.
|
| Meanwhile, my uncle works XFinity tech support, and he'll
| frequently get calls when a website has an outage, not to
| mention how many non-technical people think any internet-
| related issue, such as a forgotten Google password, means
| calling your ISP.
|
| This doesn't even _begin_ to talk about bad actors calling
| tech support to try to break into someone else's account.
| Google accounts are high-value targets. Once you've gotten
| in, there's a really good chance you could easily pivot to
| all of that person's other accounts.
|
| To handle the call volume that a service like Google would
| have, if they offered phone tech support, the amount of staff
| they would need would be in the hundreds of thousands, and so
| many of the calls they take would be wastes of time. There
| are a lot of non-technical people that have no idea how
| things work and basically think that Google _IS_ the
| Internet.
| hamandcheese wrote:
| > but I just don't see how it can possibly scale to over 1
| billion users that aren't paying like gmail has.
|
| Why not charge for support?
|
| You bet your ass I would pay a support fee if my Gmail
| account was having issues.
| toss1 wrote:
| Yup
|
| $19.95 per incident to talk to someone who could
| _ACTUALLY_ resolve an issue would be totally worth it,
| especially for people who suddenly find themselves locked
| out for no known reason. A fee would also filter out most
| of the silly calls, and if not, and they can resolve a
| password reset in 2 minutes, it is way worth it for both
| the caller and Google.
| dmd wrote:
| That exists - it's called Google Workspace.
| immibis wrote:
| I don't understand. How do I use Google Workspace to pay
| $19.95 to solve a problem with my Gmail account?
| vel0city wrote:
| > Why not charge for support?
|
| They do. And when you actually pay _for support_, they
| answer the phone. At least in my experiences.
|
| The only times they've left me high and dry is when I
| didn't have any actual paid support contract or
| subscription for whatever the question was about.
|
| They have a Gmail support contract. You signing up?
| foxglacier wrote:
| What can a human do that the automated processes for
| account recovery/etc. can't?
|
| I talked to a human Apple support person once and we had
| quite a long chat but ultimately his conclusion was
| basically "I can't know anything you don't already know and
| there's no way to resolve the problem."
| eschneider wrote:
| Right? "Google support" calling is an obvious tell.
| samlinnfer wrote:
| I had a legit call come from Google Maps and I called them a
| scammer and various other names.
| SeanAnderson wrote:
| I had Google call me once :) It was when I was riding in a
| Waymo and one of the screens in the vehicle was lagging a
| little bit. They made the surprising choice of calling my
| phone, rather than ringing the car itself, and I didn't pick
| up because... who picks up when your phone says, "Call from
| Google" :) They called the car shortly afterward to reassure
| me that the lagging screen wasn't an indicator that the car
| would underperform.
| ChrisClark wrote:
| I got one of the same calls (didn't believe them). Afterwards
| I phoned Google support and they said the same thing, they
| will never call you. I had them confirm nothing was wrong
| with my account, just in case.
|
| So it's very possible to phone Google support, just don't
| believe anyone who calls you.
| throaway920181 wrote:
| I had a weird security alert on my Google account the other
| night after trying to do a "Sign in with Google" to a service
| I've used for years. Trying to view my account/security info
| kept redirecting me to a page instructing me on how to clear
| cookies.
|
| I clicked support and was able to get a call right away. But
| I pay $20/year for Google One.
| TacticalCoder wrote:
| > There's an easier tell. It's impossible because you can't
| get Google to help you at all about any account issues,
| ...
|
| Paying Google apps / GSuite users can call a number and it's
| real humans answering (and they're very helpful).
|
| But indeed I don't think they proactively call you.
| derangedHorse wrote:
| > It's slightly depressing that there are probably more fake
| Google support staff than real ones.
|
| I've never thought of it that way but you're right! Dealing
| with support at most tech companies is a horrible experience
| and is usually something I research before using a product
| where a failure in service provision could lead to
| catastrophic results.
| ChrisMarshallNY wrote:
| _> I got a call from a very professional sounding woman_
|
| That's usually the tell, right there.
|
| Legit support operations tend to sound unprofessional as hell.
| Heavy accents, scratchy lines, scripts referencing the wrong
| OS, etc.
| mavamaarten wrote:
| Yeah, hah, it is funny that "Google offering phone support"
| is so unthinkable to me that it's a red flag for a scam.
| vel0city wrote:
| Yeah, that was also another big red flag for me.
|
| I do have paid services on other Google accounts and have
| dealt with their support before, but the account they were
| trying to break into was an ancient one I made as a
| teenager and don't use for much of anything anymore. If
| Google Support _were_ to call me about anything
| (_unfathomably_ unlikely, and never about a security issue
| like this), it wouldn't be from a free account that has
| never given Google a dime.
|
| I have received calls from Google associates before. Almost
| always some account manager looking to find yet another
| product to sell me. Never proactively to any kind of
| account issue.
| WalterBright wrote:
| I've gotten real support calls where the audio was so bad it
| was hard to understand anything they said. And/Or the standby
| music fidelity was so awful it's like pounding a spike in my
| ears. (Or maybe that's intentional so I hang up and don't
| bother with them.)
|
| You'd think they'd have equipment newer than the 1960s.
| foobarchu wrote:
| Depends heavily on the company. Fidelity, for example, has
| super friendly, local sounding support employees. They will
| sometimes call you directly, too, for things like "checking
| in on your retirement goals". If someone called sounding
| professional, it would not be a tell that it isn't actually
| Fidelity.
|
| Plus, most of the weird "customer support" scams I've gotten
| in the past are people with thick accents on a garbage
| connection.
| ChrisMarshallNY wrote:
| Yeah, it was a joke.
|
| However, these scammers tend to come across as the platonic
| ideal of a perfect support rep.
|
| My wife almost got taken by one, several years ago.
| bdangubic wrote:
| here's what I don't understand - why isn't all education
| related to this kind of shit very simple. never answer a
| call (or return a call from voicemail) and never
| open/respond to an email. being in this industry for 2.5+
| decades the first thing I taught my wife was exactly
| this. and my daughter as soon as she was of age where she
| started her digital life. 100% no exceptions. never ever
| answer a call from anyone you don't know and if you get a
| voicemail that says whatever never callback. same on the
| email side, SMS side. no one will be calling you, no one
| will be emailing you... except scammers, no exceptions.
| lukan wrote:
| "no one will be emailing you... except scammers, no
| exceptions."
|
| Might be, because I was travelling a lot, but I got lots
| of unknown numbers calling me that turned out to be
| friends with a new number. Now I surely could have locked
| myself up in a cage then there would be no risk, but also
| not reward.
|
| Calling an unknown number back - no. But taking a call and
| saying hello never cost me anything. I also don't
| just send money away or would install weird things on my
| computer because someone on the phone says so, so what is
| the danger?
| bdangubic wrote:
| friends with a new number can leave a voicemail saying
| they are who they are (or text or hit you up on social
| or...)
|
| taking a call from unknown number, never under any
| circumstance. people calling you do this for a living,
| you pick up and your odds are stacked against you. maybe
| not yours or mine but my Father's for sure :)
| lukan wrote:
| Well, I almost fell for a phone scam once, but due
| to weird circumstances I believed it was official
| Microsoft support as I expected them. Still, I won't
| install shady things from shady sites on request from a
| phone, so it did not get far.
| ChrisMarshallNY wrote:
| Have you ever answered a robocall, and the first thing
| they ask is "Can you hear me OK?" or "My Bluetooth is
| acting up. Can you hear me?"
|
| They want to record your voice, saying "yes."
|
| I always say "I can hear you." I never say "yes," or
| anything like that, during the short time I'm on the line
| with them.
|
| However, that is probably not valid, anymore, because
| they just need to record a fairly short segment of your
| voice, to generate a deepfake.
| lukan wrote:
| If it is a robocall, I would hang up and not say yes.
| Otherwise "I can hear you" and avoiding saying yes is
| good advice.
|
| And as for deepfakes, I assume they become good and
| widespread enough soon, that no telephone contracts
| become enforceable.
| vel0city wrote:
| You think people remember half of the shit they learned
| in their middle school or high school classes?
|
| The number of times I've had someone ask "how do you know
| this stuff" when it's something I learned in 7th grade or
| similar is astounding.
| bdangubic wrote:
| It is pretty easy to remember and follow things if you
| keep it simple. with this it is remarkably simple.
|
| - never answer unknown number calls
| - never answer unknown number texts
| - never open any emails from anyone you don't know or do anything
| that email tells you to do if curiosity gets the best of ya and
| you open it.
|
| ALL communication with any "business" or "government"
| (state/local/federal) is in one direction, YOU contact
| THEM. That's it, can't be any simpler
| leni536 wrote:
| It's not like phishing trainings don't exist, but almost
| all of them are just wrong. They tell you things like
| "look out for spelling mistakes and sketchy looking
| URLs".
| immibis wrote:
| How will you get business done if you never answer a call
| or open an email, no exceptions?
| Spivak wrote:
| Because the advice is actually
|
| * Don't respond to any unsolicited communications.
| Period.
|
| * If some business you have a pre-existing relationship
| reaches out to you unsolicited and you suspect it might
| be real, still don't respond. Go reach out to them via
| their posted customer support channel.
|
| I have complicated feelings about phishing training
| because while it's good they're teaching you about common
| manipulation tactics and scams, trying to suss out from
| vibes the legitness of an email is the wrong approach.
| Just don't do anything.
| asddubs wrote:
| wow, the scammer tried to steal your wife?
| ChrisMarshallNY wrote:
| Maybe. She said he had "a golden voice."
| fn-mote wrote:
| > They will sometimes call you directly, too, for things
| like "checking in on your retirement goals". If someone
| called sounding professional, it would not be a tell that
| it isn't actually fidelity.
|
| Sounds like although they might not be 100% scammer, you
| can be assured it's marketing and not customer support.
| m463 wrote:
| I get lots of helpful emails from my mail administrator telling
| me I have some sort of problem I need to log
| in/revalidate/release pending messages etc.
|
| Urgently!
|
| (I run my own mail server and I am the admin)
| semking wrote:
| Sounds as urgent as legit :)
| onemoresoop wrote:
| You should have recorded the whole thing
| ryao wrote:
| I have a simple defense against this. I use a special email
| account for financial information that only my email provider,
| myself and my financial institutions know to exist. Even if I tap
| yes instead of no by mistake on a prompt like this, my financial
| accounts are safe unless the attacker breaches my bank to find
| out the email account I use with them first.
| pavel_lishin wrote:
| > _my financial accounts are safe unless the attacker breaches
| my bank to find out the email account I use with them first._
|
| It's entirely possible that someone can accomplish this with a
| phone call to your financial institution's customer help line.
|
| "Oh gosh, I'm sorry, I forgot whether I used my email address
| or my wife's for this account - can you tell me what's on
| file?"
| ryao wrote:
| I wonder how that would work if they cannot prove my identity
| first by telling the representative a code sent to my phone
| number. I would expect the bank to tell the attacker to go
| into the local branch with identification.
| doublerabbit wrote:
| Social Engineering. You would expect the bank too but not
| so. These scummy people are good at manipulation.
|
| Humans are very exploitable.
|
| "I'm ever so sorry; but I am unable to get to the bank right
| now, my mother was in an accident and I need to get to the
| hospital in 30 minutes. Is there any other way?" "No? Can
| you do it for me".
|
| Playing empathy over the phone gets you places as does
| wearing a worker's Hi-Vis jacket to get in to back stage at
| festivals.
| ryao wrote:
| My bank would happily say too bad. I have had them insist
| on getting me into the branch for absurd things in the
| past.
| Fokamul wrote:
| Holding $500k in hot wallet, this man is braindead...
| joezydeco wrote:
| Are these spammers just lucky or is there something that lets
| them sniff blood in the water and specifically target people
| holding large amounts of crypto?
| samatman wrote:
| It wasn't a hot wallet, he had taken a _photo of his seed_ and
| then _left it in Google photos_.
|
| So your conclusion is sound but your premise is invalid.
| Dansvidania wrote:
| I am maybe missing something obvious here, but isn't it
| suspicious that these attacks "affecting a small number of google
| users" happened to "hit" two people with significant
| cryptocurrency holdings?
| tantalor wrote:
| Maybe the attackers already knew through some other means that
| they had large crypto holdings, i.e., spear phishing.
| pjdesno wrote:
| It seems like the common thread here is that the thefts were of
| cryptocurrency, rather than real assets in a financial system
| with safeguards. You can still get robbed of those assets, but it
| leaves a far stronger paper trail to catch the perpetrators.
| Vegenoid wrote:
| It's the classic tradeoff of freedom vs. security. It's the
| biggest reason I can't foresee myself storing substantial
| amounts of cryptocurrency. I just want to hand my hard earned
| money to a financial institution and not have to think about it
| too much.
| potato3732842 wrote:
| The difference is that we haven't spent a century building up
| police organizations, bureaucracies, processes and
| international working relationships to track down crypto crime
| the way we have for "normal" financial crimes.
|
| You would track down this crypto in just about the same way
| you'd track down a fraudulently ordered wire transfer that was
| cashed out. Records would be requested, IP's and timestamps
| recorded, more records would be requested from other parties
| based on those, and so on and so on. The difference is that
| it's somebody's job to go after those. It's nobody's job to go
| after this.
| psychoslave wrote:
| How stressful it must be as an experience to go through.
|
| Having nothing to be robbed from is such an underrated means to
| live in serenity.
| donatj wrote:
| About a year ago I got an email from an actual Coinbase email
| address telling me that my account had been compromised. It
| included a case number.
|
| Trying to log in with my username and password did not work.
| Moments later I get a phone call, the caller id says that it is
| Coinbase. Guy on the phone with a thick German accent tells me
| he's calling about my account and gives me the case number from
| the email. I know damn well never to trust a phone call you did
| not initiate, so I'm kind of just stringing the dude along on the
| phone.
|
| I remember that I had set up a passkey, and try it. I get in with
| that and immediately run to the emergency "lock my account"
| button. I tell the guy on the phone that I have clicked it and
| after a bit of "uhmmm..."-ing and "hmmm..."-ing he just hangs up.
|
| I call Coinbase support and they verify some recent transactions
| and ask me to forward them the email, and that's that. I still
| have no idea what the actual attack was or how they changed or
| invalidated my password. Best I can tell they did not manage to
| actually get in to my account.
|
| I ended up changing my password to just about everything out of
| caution.
| cute_boi wrote:
| Last time I called boss money transfer, i called them and their
| real agents told me they must call me to verify. I was like,
| how would I know if it is boss money transfer or scammer. At
| the end I had to trust because voice was same.
| imp0cat wrote:
| > how they changed or invalidated my password.
|
| Probably just too many invalid login attempts.
| cute_boi wrote:
| Never Trust a call you didn't initiate.
| deathanatos wrote:
| I wholehearted agree with your mantra. But I need banks and
| other businesses to learn this. Particularly banks.
|
| My bank has literally called me with what amounts to "ur being
| haxxor3d", and like ... who are you? _The representative
| literally would not tell me who he worked for._ I was 210% sure
| it was a scam, and hung up on him. Turned out, _it was legit._
| [1]
|
| Companies need to make sure their own operations don't bear the
| trappings of fraud.
|
| [1] (I don't regret hanging up, though. Calling back to a known,
| published-by-the-business-itself number is the right thing to
| do.)
| SoftTalker wrote:
| Yeah I got a similar call once from someone, maybe a credit
| card company, and the first question was "to verify your
| identity we need the last four digits of your social security
| number" and I was like wait a minute, you called me. What are
| the last four digits of YOUR social security number?
| buttercraft wrote:
| "In Soundcloud's instance, part of declaring your innocence is
| you have to give them your home address and everything else, and
| it says right on there, 'this will be provided to the person
| making the copyright claim.'"
|
| Good job helping the scammers, SoundCloud. WTF
| packtreefly wrote:
| The glaring common denominator here is that the attacker has the
| ability to send an unprompted, unblockable request to the
| victim's phone. Pressing the safe-looking green button that shows
| up, even accidentally, is digital suicide.
|
| Google Prompt is supposed to be a safety feature. The account
| recovery process lets a hostile actor turn Google Prompt into a
| loaded gun, and Google puts it directly into the victim's hand,
| aimed straight at their own head.
|
| There's absolutely no way to shut off Google Prompt that doesn't
| involve removing every Google app from your mobile devices.
| Too wrote:
| This is called MFA bombing. Just send prompts until the user
| accidentally accepts one.
|
| Microsoft's authentication has protection against this,
| requiring you to manually enter a 2 digit number in your phone,
| matching what you see on your other device. Very simple, there
| is no excuse for Google to not have similar.
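The difference between a bare yes/no prompt and the number-matching design described above, as an added example rather than code from Google or Microsoft; the account names, the prompt budget, the time windows and the two-digit challenge are assumptions for illustration:

```python
"""Push-style MFA: a bare yes/no prompt next to a number-matching prompt,
plus a per-account prompt budget that throttles MFA bombing.

Added example, not Google's or Microsoft's code. Account names, the
prompt budget, the time windows and the challenge length are assumptions.
"""
import secrets
import time
from dataclasses import dataclass, field

PROMPT_BUDGET = 3        # prompts allowed per window before throttling (assumed)
WINDOW_SECONDS = 600     # sliding window for the budget (assumed)
LOCKOUT_SECONDS = 3600   # throttle duration once the budget is spent (assumed)
PROMPT_TTL = 60          # seconds a pending prompt stays approvable (assumed)


@dataclass
class PendingPrompt:
    challenge: str   # two-digit number shown only on the login screen
    created: float


@dataclass
class Account:
    pending: dict = field(default_factory=dict)       # prompt_id -> PendingPrompt
    prompt_times: list = field(default_factory=list)  # request timestamps in window
    locked_until: float = 0.0


class PushMfaServer:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so tests can move time forward
        self.accounts = {}

    def _account(self, user):
        return self.accounts.setdefault(user, Account())

    def is_locked(self, user):
        return self.clock() < self._account(user).locked_until

    def request_prompt(self, user):
        """The login page asks for a push prompt. Returns (prompt_id, challenge)
        to display on the login device, or None if the account is throttled.
        Every request, approved or not, spends one unit of the budget, so
        nobody can keep re-prompting an account until the owner slips."""
        acct = self._account(user)
        now = self.clock()
        if now < acct.locked_until:
            return None
        acct.prompt_times = [t for t in acct.prompt_times if now - t < WINDOW_SECONDS]
        if len(acct.prompt_times) >= PROMPT_BUDGET:
            acct.locked_until = now + LOCKOUT_SECONDS   # worth an alert to the SOC
            return None
        acct.prompt_times.append(now)
        prompt_id = secrets.token_hex(8)
        challenge = f"{secrets.randbelow(100):02d}"
        acct.pending[prompt_id] = PendingPrompt(challenge, now)
        return prompt_id, challenge

    def _take_pending(self, user, prompt_id):
        """Consume a prompt (single use) and drop it if it has expired."""
        p = self._account(user).pending.pop(prompt_id, None)
        if p is None or self.clock() - p.created > PROMPT_TTL:
            return None
        return p

    def approve_yes_no(self, user, prompt_id):
        """The weak design: the phone shows only 'Was this you? yes/no'.
        One accidental tap on 'yes' approves whatever login is pending."""
        return self._take_pending(user, prompt_id) is not None

    def approve_number_match(self, user, prompt_id, typed):
        """The hardened design: the phone asks the user to type the number
        shown on the login screen. The phone never receives that number, so
        someone who did not start the login has nothing to type."""
        p = self._take_pending(user, prompt_id)
        if p is None or not isinstance(typed, str) or not typed.isascii():
            return False
        return secrets.compare_digest(p.challenge, typed)

    def deny(self, user, prompt_id):
        """User tapped 'no' / 'report': treat as an active attack and lock."""
        self._take_pending(user, prompt_id)
        self._account(user).locked_until = self.clock() + LOCKOUT_SECONDS


if __name__ == "__main__":
    srv = PushMfaServer()
    pid, shown = srv.request_prompt("victim")
    print("login screen shows:", shown)
    print("yes/no design, accidental tap approves:", srv.approve_yes_no("victim", pid))
    pid, shown = srv.request_prompt("victim")
    print("number match, accidental tap with wrong digits:",
          srv.approve_number_match("victim", pid, "??"))
```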
| panstromek wrote:
| Hmm. I remember using a code like this with google, too.
| Seems like they had something similar in the past.
| franga2000 wrote:
| You used to have to click the correct two-digit number out
| of 3 options, but now it's just "was this you? (yes/no)"
| derangedHorse wrote:
| Google allowing OTP codes to be generated from the cloud is
| also insane to me. I've known about this feature for a little
| while, but it never ceases to amaze me how careless Google is
| with security.
| VoodooJuJu wrote:
| _If you're so rich, why aren't you so smart?_ is the burning
| question here.
|
| It's mind-boggling to me how crypto guys can be simultaneously
| savvy enough to be involved in crypto, to the tune of millions of
| dollars, but also retarded enough to fall for stuff like this.
| jlund-molfese wrote:
| It's not really a matter of intelligence, and nobody's smart
| 100% of the time.
|
| Let's take the average person on this forum, who's probably
| pretty tech savvy. Their odds of falling for a scam on a given
| day might be 1 in a billion. But when they're exhausted after
| work, they might be 10X likelier to fall for a scam. Another
| 10X when they're stressed out about family life, or going
| through a breakup. Another 10X when they're out drinking with
| their friends. And so on.
|
| Eventually, whether it's due to age or other factors, everyone
| gets to be in situations where they're susceptible to scams.
| And scammers are experts at emotional manipulation, exploiting
| fear and embarrassment.
| bdangubic wrote:
| 100% - yes - if you follow simple rules
| UltraSane wrote:
| That is one really nasty aspect of cryptocurrency. They make
| theft cryptographically irreversible. And you can watch the
| thieves spend your money!
| nytesky wrote:
| It does feel like the security protocols necessary to secure
| $100k to $Ms of crypto which transfers instantly and non-
| reversibly is a challenge for the average user.
|
| Even as a fairly tech enabled GenX, I have forgotten passwords
| and had to reset them (usually accounts I haven't used in a
| while), had files corrupted without a good backup, lost a Yubikey
| somewhere in the house (I think at least).
|
| From what I can tell I would need to have my crypto seed laser
| etched into titanium, and then treat that talisman as if it was
| made of pure platinum as far as securing and tracking it.
|
| Versus keeping my money in SIPC and FDIC protected accounts.
|
| I will say, the BTC appreciation is a big attraction of course,
| but long term I don't see how it becomes widely adopted with so
| much logistics risk, and appreciation... well who knows about
| that.
| ToucanLoucan wrote:
| I have no doubt that at least some especially in the early days
| envisioned crypto as a legitimate alternative to fiat currency.
| That being said, in its mature state as a technology, it
| amounts to nothing more than a clone of the modern financial
| system with a different set of oligarchs, except that it has
| far fewer consumer protections, and the nature of it makes
| _implementing_ said protections in any way extremely difficult.
|
| That combined with the extreme volatility of value that is not
| only endemic to any coin with meaningful usage, but is
| generally a _goal_ of most coins, makes it only really useful
| as a speculative vehicle, and those same properties also make
| it uniquely bad in terms of a store of value to be used in
| commerce unless the seller also plans to speculate on the
| value.
|
| And, even if you're good with all of that: Yes, the tech itself
| is decentralized, but if you don't have at least some
| background in basic software development or scripting, you're
| almost certainly going to end up using some product or another
| to manage your wallets and transactions, and while the _wallet_
| is anonymous, the accounts _you connect the wallet to_ are
| often quite the opposite, and because of the structure of the
| chains, your entire transaction history is visible to everyone
| on the network, at all times. So it's private by default, but
| basically any casual user is immediately and forever doxxable.
| f33d5173 wrote:
| Xmr aims to be a digital cash, and basically achieves that.
| Btc has goals more akin to digital gold, hence being more
| useful to speculators than people buying things is somewhat
| intentional.
|
| I don't know who the oligarchs you're talking about are.
| Buterin? Bankman Fried? In either case, their position is
| quite different from that of a banking titan.
| ForHackernews wrote:
| > I will say, the BTC appreciation is a big attraction of
| course
|
| What are the other desirable features of BTC?
| henry2023 wrote:
| Non centralized proof of ownership is pretty cool.
| Analemma_ wrote:
| How is it non-centralized? Basically everybody actually
| using crypto uses exchanges.
| zaik wrote:
| You don't have to.
| bdangubic wrote:
| he said "basically everyone" which is true. I don't have
| to eat this large apple pie that is in front of me now but I'm
| about to :)
| okanat wrote:
| Then how would you exchange it with real money? There are
| few things that accept cryptographic coins as currency.
| berkes wrote:
| Depending on how you use it, you mightn't need to
| exchange it often, or at all.
|
| Companies that use it as hedge, or diversification, just
| need to "hold" it. Investors (not traders, there's a big
| difference) also commonly just "hodl" it. Also no need to
| exchange it. And several more such use-cases.
|
| Sure, after a while, they might want to exchange it for
| something they "need". Like housing, healthcare, food,
| materials, etc. But often that's a one-time after years
| of not exchanging. And we still don't know how the future
| may look. Some believe Bitcoin is what we'll be paying
| with in a few decades (I don't, not really). I'm pretty
| sure I can buy almost any house for a few bitcoin,
| especially if that's "overpriced" in dollar-terms, today
| already.
| lolinder wrote:
| > Companies that use it as hedge, or diversification,
| just need to "hold" it. Investors (not traders, there's a
| big difference) also commonly just "hodl" it. Also no
| need to exchange it.
|
| In both of these cases the only value to "holding" it
| comes from the possibility of being able to exchange it
| if needed. While you might go a very long time without
| interacting with a centralized exchange, the Bitcoin is
| worthless for these use cases if there's no acceptable
| path to trading it for something else.
| lotu wrote:
| It's great for laundering money.
| berkes wrote:
| It is not.
|
| It's not anonymous, but pseudonymous. It's a public
| ledger, for everyone to copy and analyze. It's a public
| ledger that's mathematically proven to not have mistakes in
| it.
|
| Exchanges are highly regulated. KYC is ridiculously tight.
|
| Sure, Bitcoin allows one to flee/fly to some criminals'
| paradise with their entire wealth stored in their brain (or
| on a napkin). And as long as they keep the money in crypto
| or black, it's unstoppable, really.
|
| But it's a terrible medium to turn black money into white
| money. One of the worst of all options, really. And that's
| what laundering is.
|
| Now, it's used for laundering. But that's more because it's
| a great and easy store of value in itself. Not because a
| public, traceable ledger without any anonymity other than
| pseudonymity is a great system for laundering, because it's
| the exact opposite of that.
|
| And certainly, if you mix in monero, defi, otc-trades and
| -there they are- "corrupt bankers", crypto as a whole can
| turn black money into white, circumvent blockades, fund
| terrorism and whatnot. But hardly easier or simpler than
| paper-money, gold, and corrupt bankers already can.
| bronson wrote:
| So why is basically all ransomware paid in Bitcoin?
| berkes wrote:
| That's not laundering. That's getting paid.
|
| If you want to transfer money in a way that's
| unblockable, unseizable, and pseudonymous, Bitcoin is a
| good system.
|
| If you want to then convert that into dollars, it's not.
|
| Ransomware is paid in Bitcoin despite it being terrible
| to launder.
| Sohcahtoa82 wrote:
| > But it's a terrible medium to turn black money into
| white money.
|
| Isn't that what NFTs are for?
|
| Create a stupid image, sell it on Open Sea as an NFT,
| bam, you've cleaned the money. Just claim it on your
| taxes similar to selling art and you're in the clear.
| bb88 wrote:
| Nobody wants some silly digital "coin". Everyone wants US
| greenbacks.
| berkes wrote:
| Nobody wants US greenbacks. You can't even use them to
| stay warm for long.
|
| What people want is the value it represents in a way they
| can manage that value.
|
| I don't want fictional numbers in some asset fund that
| say I own zero point not not not 1 percent of some
| company in stocks either. Or even numbers that say I have
| money on an account. I don't want gold in my sock-drawer,
| either. It's the value this represents (and the trust
| that this value will give me real stuff that I actually
| need, like a pizza, in future).
|
| Bitcoin, to many, over the years, has acquired this too.
| There's real and obvious proof that people trust that
| Bitcoin has value. Not all people. But enough.
| tugu77 wrote:
| Yeah, especially the people scamming others.
| amelius wrote:
| It's great for transferring ransoms. Basically a criminal's
| dream coming true.
| berkes wrote:
| It is unstoppable, permissionless and pseudonymous. All but
| the last is indeed this criminal's dream.
|
| But cash isn't pseudonymous, it's actually anonymous. It's
| even (practically) untraceable. Cash is also unstoppable
| and permissionless. So it's far more a criminal's dream.
| Cash, however, isn't easy to transfer, especially larger
| values. It gets harder still if that transfer is
| international. Bitcoin solves that.
|
| Bitcoin's upside of being very easy to transfer
| sometimes outweighs its downside of being hard to launder,
| being traceable. But let's stop the myth that it's so much
| better than all existing systems to move criminal assets
| around, because it's not. It's complementary, not a holy
| grail. It really has a lot of weaknesses, especially to
| criminals' needs.
| dahart wrote:
| What is making you think criminals are scared of
| pseudonyms, or that pseudonyms don't provide all the real
| and practical benefits of anonymity most of the time?
| It's not a myth that a lot of crime involves BTC right
| now, it's a fact, regardless of the theoretical
| underpinnings or hypothetical weaknesses.
|
| Cash comes with serial numbers, and occasionally gets
| traced. It's about as effective as tracing pseudonyms,
| most of the time.
| derangedHorse wrote:
| It isn't, banks are way better and cash is still king:
|
| https://www.cnn.com/2024/10/10/investing/td-bank-
| settlement-...
|
| https://www.icij.org/investigations/fincen-files/global-
| bank...
|
| https://www.investopedia.com/stock-
| analysis/2013/investing-n...
|
| https://www.coinbase.com/blog/fact-check-crypto-is-
| increasin...
|
| Even from SWIFT: "Identified cases of laundering through
| cryptocurrencies remain relatively small compared to the
| volumes of cash laundered through traditional methods" http
| s://www.swift.com/sites/default/files/files/swift_bae_re...
|
| What you're saying is simply unsubstantiated.
| ashleyn wrote:
| 1) if you don't exclusively have the private key (wallet), you
| don't own the crypto. if someone else gets the private key
| unwittingly, they now own the crypto
|
| 2) split cumulative funds into two wallets, a "hot" wallet and
| a "cold" wallet. keep the funds in the "hot" wallet to no more
| than for which total unintentional loss is tolerable. keep the
| private key to the "cold" wallet off any internet connected
| device except for the minimum duration required to transfer
| funds to the hot wallet.
|
| 3) print the recovery phrase for the cold wallet and store it
| in a physically secure location
|
| 4) if an ideally secure physical location is not possible,
| split risk across multiple "cold" wallets
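ashleyn's point 4 spreads funds across several cold wallets so that no single hiding place is fatal. A related defensive technique for the seed backup itself, shown here as an added example that is not from this thread or any wallet vendor, is Shamir's secret sharing: the seed phrase is split into n paper shares of which any k rebuild it, so losing one location does not lose the wallet and finding one location alone reveals nothing. The phrase, the 2-of-3 split and the text share format are constructed for illustration; the field, GF(257) per byte, is a standard textbook choice and the code uses only the Python standard library.

```python
import secrets

# Each byte of the secret is split independently over GF(257), the smallest
# prime field that holds a byte value. Share values can therefore be 0..256.
PRIME = 257


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (lowest-degree coefficient first) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, count: int):
    """Split `secret` into `count` shares, any `threshold` of which recover it."""
    if not 1 < threshold <= count < PRIME:
        raise ValueError("need 1 < threshold <= count < 257")
    # One random polynomial per byte: the constant term is the byte itself and
    # the remaining threshold-1 coefficients come from the OS CSPRNG.
    polys = [[b] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
             for b in secret]
    return [(x, [_eval_poly(p, x) for p in polys]) for x in range(1, count + 1)]


def recover_secret(shares):
    """Lagrange-interpolate each byte's polynomial at x=0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    out = bytearray()
    for i in range(length):
        total = 0
        for xj, yj in shares:
            num = den = 1
            for xm, _ in shares:
                if xm != xj:
                    num = num * (-xm) % PRIME
                    den = den * (xj - xm) % PRIME
            total = (total + yj[i] * num * pow(den, -1, PRIME)) % PRIME
        if total > 255:
            # Only possible when the shares are wrong or too few: a genuine
            # reconstruction always lands on the original byte.
            raise ValueError("shares do not reconstruct a byte")
        out.append(total)
    return bytes(out)


def encode_share(share):
    """Render a share as text for writing on paper: '<index>-<3 digits per byte>'."""
    x, values = share
    return f"{x}-" + "".join(f"{v:03d}" for v in values)


def decode_share(text):
    """Inverse of encode_share."""
    head, _, digits = text.partition("-")
    values = [int(digits[i:i + 3]) for i in range(0, len(digits), 3)]
    return int(head), values


def demo():
    # Constructed seed phrase for illustration only, not a real wallet.
    seed = b"example seed phrase never fund this"
    shares = [encode_share(s) for s in split_secret(seed, 2, 3)]
    # Any two of the three paper shares rebuild the phrase; a single share is
    # a uniformly random string and carries no information about it.
    recovered = recover_secret([decode_share(shares[0]), decode_share(shares[2])])
    return recovered == seed
```

The trade-off ashleyn's thread discusses still applies: the shares must be written, stored and later typed back in without error, and the wallet software that will eventually consume the recovered phrase is the only thing that should ever see it assembled. Production wallets use a standardised variant (SLIP-39) with checksums and word lists rather than digit strings.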
| thousand_nights wrote:
| that sounds tedious af and still prone to error, i'd rather
| literally pay someone to handle all of this for me, let's
| say, some kind of institution which specializes in storing
| and handling money
| hatthew wrote:
| Hey, what if there was a way to _get paid_ to have someone
| else handle this for you? That would be crazy right
| dullcrisp wrote:
| While practically that's true of course, I think a hardware
| appliance that did this that you had to physically interact
| with to release the funds from would be cyberpunk and cool.
| Imagine exchanging a handful of currency chips for like a
| flying motorcycle or something.
| stouset wrote:
| And when that hardware fails?
|
| The problem with crypto is that every problem requires
| additional layers of complication which each have their
| own failure modes which then need to be further
| addressed. And the complication itself adds yet more ways
| to breed failure.
|
| This is the fundamental challenge with a system where any
| mistake or error results in the instantaneous and
| irrevocable loss of unbounded funds.
| dullcrisp wrote:
| If it fails, you can't retrieve the money of course.
| Don't put more than you can afford to lose on one chip.
| stouset wrote:
| You understand this is insane right?
| bb88 wrote:
| It would also be cool if it were guaranteed up to a certain
| amount, very much like FDIC does for amounts smaller than
| $250k.
| TacticalCoder wrote:
| > From what I can tell I would need to have my crypto seed
| laser etched into titanium, and then treat that talisman as if
| it was made of pure platinum as far as securing and tracking
| it.
|
| Not sufficient. You'd also need someone you trust 100% to have
| another seed protected as if it was the gold of Fort Knox. And
| then you'd only use "multisig" to sign transfers.
|
| And that other person needs to live on another continent.
|
| And you both need a backup plan in case you die if you plan to
| leave these 0.1 Bitcoin to your heirs.
|
| This makes the $5 wrench attack impossible to succeed. As to
| whether the attacker is willing to add gratuitous (because it's
| impossible it'd succeed) torture/killing to their list of crimes
| is something else though.
|
| > I will say, the BTC appreciation is a big attraction of
| course, but long term I don't see how it becomes widely
| adopted...
|
| I think mid-term to long-term people simply buy a Bitcoin ETF
| or stocks from a company holding shitloads of Bitcoins like
| MicroStrategy. Just like I buy SLV (paper silver) or the ZKB
| silver ETF (physical replication, in vaults in Switzerland).
|
| Keeping your own Bitcoins is not unlike keeping physical gold
| coins. It's doable but risky. Multisig really helps a lot but
| buying a Bitcoin ETF is simply easier. Open bank or broker
| website, click click. Done.
|
| I'm not saying Satoshi's dream or the Bitcoin maximalists'
| dream is good old Wall Street manipulating Bitcoin's price
| using paper Bitcoin (silver ETFs were in big trouble in 2021)
| but what I'm saying is I think that's how it's going to end.
| nytesky wrote:
| I feel that crypto offers a different risk profile than say
| the gold ETF. There certainly is significant risk and expense
| to storing and securing the physical gold backing the ETF. I
| think it also needed to be audited as matching expected
| reserves occasionally?
|
| But crypto has similar IT and physical security costs at a
| minimum, though physical storage will be cheaper. Auditing
| maybe similar costs, I'm not quite sure how you confirm
| ownership of an address or pile of BTC without transactions?
|
| The big risk is that these big holding companies of bitcoin
| become targets of state-scale cybercrime hacking armies. Can
| you imagine an adversary deploying constant attack on every
| facet of your IT infrastructure, from accessing the private
| keys presumably stored in hot wallets to support active
| trading to the interface where they may try to interfere with
| client functions to all sorts of ends from theft to market
| manipulation.
| logifail wrote:
| > Just like I buy SLV (paper silver) or the ZKB silver ETF
| (physical replication, in vaults in Switzerland)
|
| I'd suggest that holding precious metals without actually
| having physical metal under your exclusive control is
| essentially as flawed as holding crypto without exclusively
| holding the private key.
| derangedHorse wrote:
| I partially agree, although I can see more companies offering
| these kinds of services in the future. Block already has a
| system with Bitkey, custody companies like Casa and Unchained
| are providing services as signers, and AnchorWatch is
| stepping in as both a custody and insurance provider at the
| institutional level. Despite the government's best efforts to
| limit participation from existing banks[1], other services
| are jumping through the arduous hoops of regulation to fill
| in the void.
|
| [1] https://www.swanbitcoin.com/politics/biden-s-sab121-veto-
| sta...
| itsoktocry wrote:
| > _I think mid-term to long-term people simply buy a Bitcoin
| ETF or stocks from a company holding shitloads of Bitcoins
| like MicroStrategy. Just like I buy SLV (paper silver) or the
| ZKB silver ETF (physical replication, in vaults in
| Switzerland)._
|
| But what's the inherent value of BTC if it doesn't do the
| things it claims? What value does Michael Saylor owning a
| bunch of bitcoin, of which I have a pretend share, even have?
|
| This is the paradox of Bitcoin. It's a really cool technology
| that's really hard for normies to use.
| mmaunder wrote:
| SIPC and FDIC don't protect against fraud.
| tdiff wrote:
| So the attacker has known in advance that the secret was stored
| in google photos? Is it a common way to store passwords, or is
| some piece missing here?
| dmonitor wrote:
| Likely a common way to store recovery codes. Similar to those
| bots that scrape github for API keys
| layman51 wrote:
| I had read of this attack back in September[1]. It seems very
| sophisticated because they spoof a phone number that at first
| glance is associated with Google, but is really just the
| "uncanny-valley" Google Assistant service that can check wait
| times or make reservations on your behalf.
|
| Does Google even offer live-person support if you're not their
| Workspace customer?
|
| Also, one other difference is that apparently the attackers may
| have been using Salesforce to send the emails. Maybe they were
| using a trial or developer edition? I believe those can send out
| emails too, but they are very limited. So this must be a very
| targeted kind of attack. The scary part is that the attacker's
| emails pass SPF, DKIM, and DMARC. There's a technical write-up I
| found about this aspect of the attack.[2]
|
| [1]: https://sammitrovic.com/infosec/gmail-account-takeover-
| super...
|
| [2]:
| https://docs.google.com/document/d/1xrJsRBcGj9x2mMvRoKLG4ANS...
| darknavi wrote:
| > Does Google even offer live-person support if you're not
| their Workspace customer?
|
| Not really. That's the giant red flag behind committing to a
| gmail, outlook, etc. account. If it gets messed up you're at
| the whim of "on-rail" support and if you need anything more all
| you can do is shout into social media and hope a stray employee
| feels bad for you.
| smoothgrammer wrote:
| Yes they do. If you subscribe to Google One.
|
| https://support.google.com/googleone/
| ht85 wrote:
| The wallet name was exodus, how fitting :D
| simonw wrote:
| The defining feature of crypto - decentralized, irreversible, no
| "higher power" you can go to in order to get your money back -
| turns out to be the thing that burns people ALL the time.
| mouse_ wrote:
| Lots of people still don't quite understand their debit card.
| No way they're going to learn how private keys work.
|
| Still might make some sense as an institutional store of value
| though I guess.
| stouset wrote:
| Maybe but this shit is hard for institutions too. There are
| _so_ many sharp edges.
|
| Even in a well-respected fintech with responsible, talented
| people I've seen: safe deposit boxes get lost (literally no
| idea where in the world they actually are), go missing (the
| bank relocates or closes and disposes of them without
| notification) or become destroyed (fire, flood). I have seen
| industrial-grade hardware security modules spontaneously
| corrupt all the internal keys, happily continuing to produce
| "encrypted" output which can never be decrypted.
|
| Building crypto offerings at scale that can survive the
| myriad unknown unknowns of real world and hardware failures
| that can affect both paper and hardware wallets is a really
| difficult problem. Not impossible, but the stakes are extreme
| and getting one thing wrong that leads to the loss of a cold
| wallet can easily lead to total ruin.
|
| Even if "only" a hot wallet gets popped, the instantaneous
| and irrevocable loss of those funds needs to be offset by a
| comparatively large amount of operating profit.
|
| At least with the traditional banking system there are a lot
| of safeguards in place.
| derangedHorse wrote:
| Surprisingly, there's also no "higher power" to get your money
| back from scams using traditional banking rails as well. I have
| family members who have lost thousands from bank transfers to
| legally registered companies that establish legitimacy through
| having a business bank account. It usually takes forever to
| shut them down, even after hundreds of thousands of reports
| from people like me who recognize what they are early on.
|
| Many haven't actually lost money in significant ways through
| bank transfers, but when it does happen, the disillusionment of
| institutional security really falls away. Additionally,
| governments are slow and ineffective, so when these companies
| do get caught with class action lawsuits, they usually don't
| have anything to return.
| Zopieux wrote:
| >ultimately seized control over the account by convincing him to
| click "yes" to a Google [2FA] prompt on his mobile device
|
| Stopped reading there. What more can we do to protect people from
| their own stupidity (and I'm not talking about the crypto
| "investment" part)?
| o999 wrote:
| Almost all scammers use more or less the same trick, they try to
| trigger a fear or greed rush with their message/call, so you
| don't get a chance to question authenticity of what you read or
| hear.
|
| That is also what many salespersons do to get you to buy what you
| don't need nor even want, you cannot miss this limited time
| discount.
|
| Always stop for a moment and be skeptical: caller ID can be
| spoofed, an email address can have an a or e in the domain that
| you won't notice if you don't look carefully.
| 101008 wrote:
| I couldn't find it in the article, but how did the scammer get
| access to the Gmail account? How did he trigger that prompt on
| the victim's phone, and what did it mean?
|
| It feels like something is missing here.
|
| Edit: Well, I learnt about Google Prompts today:
| https://support.google.com/accounts/answer/7026266?hl=en&co=...
|
| Basically someone can request access to your account and if you
| click Yes, they do access it.
|
| This part from a Reddit thread [1] scared me a bit:
|
| > The notification pops up on my screen over whatever I am doing,
| and if I'm using my phone, I worry that I might accidentally hit
| YES (it almost happened today).
|
| 1:
| https://www.reddit.com/r/techsupport/comments/ccd304/someone...
| pico303 wrote:
| I always tell people to take control of the situation and stay
| calm. If "Google" or someone contacts you about a problem, simply
| hang up or ignore the email, look up the company's info online,
| and contact the company directly.
| megablast wrote:
| > Daniel told Tony his account was being accessed by someone in
| Frankfurt, Germany, and that he could evict the hacker and
| recover access to the account by clicking "yes" to the prompt
| that Google was going to send to his phone.
|
| Come on.
| can16358p wrote:
| While this is devastating, the lesson that we should all
| remember:
|
| Never, ever, no matter the circumstances, store private keys (or
| seed phrases) on photos. Especially if those photos are
| synchronized to the cloud.
|
| Hand-write them, store them in a safe and secure PHYSICAL
| location.
|
| Of course we're humans, we make mistakes, and we usually start
| with small amounts of money that we can lose where it would be
| unnecessary to take all these precautions, but we still need to
| regularly remind ourselves to avoid disasters like this in the
| self-custody world.
| ipython wrote:
| Ok but you have to balance that with the risk that your
| PHYSICAL item will be lost, stolen, or destroyed. What happens
| then?
|
| The problem is that the security protocols required to keep
| cryptocurrency safe are simply untenable for any mere mortal.
| But hey, we keep blaming the victims... because they didn't
| know the one simple trick to keep their Bitcoin safe!
| zem wrote:
| or store them in some encrypted form that you know how to
| reverse easily but which would take an attacker more trouble
| than it was worth to break.
| shusaku wrote:
| Honestly, that part of the story seemed completely
| unbelievable. I mean I get that someone might store such a
| photo in the cloud, but hackers are really going to run a scam
| on him and then sift through photos thinking "maybe?"
| panstromek wrote:
| I'd assume there's some model for finding those kinds of
| photos
| ufmace wrote:
| I think a lot of people bought some crypto early on when it was
| really cheap, were kind of sloppy about the security of things,
| and then left it alone and ignored everything while it went up
| by 10,000x in value. Now when their account is worth hundreds
| of thousands of dollars, their security is pretty inadequate
| for something with that actual value.
| tugu77 wrote:
| Easy for me to be a smartass in hindsight, but I can't resist:
|
| > Unfortunately for Griffin, years ago he used Google Photos to
| store an image of the secret seed phrase that was protecting his
| cryptocurrency wallet.
|
| Um, duh...
|
| > "[...] I put my seed phrase into a phishing site, and that was
| it."
|
| >Almost immediately, all of the funds he was planning to save for
| retirement and for his children's college fund were drained from
| his account.
|
| Um, duh. First mistake to put all eggs in a single basket. Second
| mistake, this basket was a cryptocurrency. Third mistake, pasting
| the secret key to that _anywhere_.
| yapyap wrote:
| Losing a fortune with one bad click is not a new thing or all
| that rare, stock betting is all the same.
|
| Idk I just think the title is pretty lame and generalizes a
| pretty informative phishing article, in a bad way.
| fortran77 wrote:
| How did the scammers know these people were likely to have
| significant amount of crypto in the first place?
| SMAAART wrote:
| 45 BTC (as in the screenshots) is not 500K, it's 4.5M
| _heimdall wrote:
| I hadn't considered that use of Google Forms to send emails from
| a Google domain. That's a pretty huge security risk; technically
| it doesn't risk your Google account, but the phishing and
| impersonation risks for Google are huge.
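layman51's observation that the lure mail passed SPF, DKIM and DMARC, and _heimdall's point about Google Forms sending from a Google domain, come down to the same thing: those checks prove that the message left the domain owner's own mail infrastructure, not that a human at that company wrote it. A sender that lets anyone fill in form or CRM text will produce fully authenticated mail carrying attacker-chosen content. The triage below is an added example, not code from the article, Google or Salesforce, and the two raw messages, the `brand.invalid` domains and the sender allowlist are constructed. It treats authentication results as only one signal and adds the checks a mail-security team would actually lean on: is the From address one the organisation uses for security notices, does Reply-To point somewhere else, and does the body carry the "click yes on the prompt" pretext from the story.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed allowlist: the only address this organisation uses for
# account-security notices. A real deployment loads this from configuration.
EXPECTED_SECURITY_SENDERS = {"security@brand.invalid"}

# Phrases from the pretext described in the article (constructed regexes).
LURE_PATTERNS = [
    r"\bclick\s+yes\b",
    r"\bapprove\s+(the|this)\s+prompt\b",
    r"\bcall\s+(us|support)\s+(at|on)\b",
]

# Constructed messages. Both are fully authenticated for brand.invalid; only
# the second was produced by a form/automation sender with attacker text.
LEGIT_MESSAGE = """\
Authentication-Results: mx.recipient.invalid; spf=pass smtp.mailfrom=security@brand.invalid; dkim=pass header.d=brand.invalid; dmarc=pass header.from=brand.invalid
From: Brand Security <security@brand.invalid>
To: user@recipient.invalid
Subject: New sign-in from a new device
Content-Type: text/plain; charset="utf-8"

We noticed a sign-in from a device you have not used before. If this was
you, no action is needed. If not, review your devices in account settings.
"""

LURE_MESSAGE = """\
Authentication-Results: mx.recipient.invalid; spf=pass smtp.mailfrom=forms-noreply@brand.invalid; dkim=pass header.d=brand.invalid; dmarc=pass header.from=brand.invalid
From: Brand Forms <forms-noreply@brand.invalid>
Reply-To: account-recovery@brand-support-desk.invalid
To: user@recipient.invalid
Subject: Unusual sign-in detected on your account
Content-Type: text/plain; charset="utf-8"

Someone in another country is accessing your account. To evict them,
click yes on the prompt we are about to send to your phone.
"""


def parse_auth_results(value):
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value or "")}


def triage(raw_message):
    """Return the authentication verdicts plus findings that go beyond them."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    findings = []
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    if authenticated and from_addr.lower() not in EXPECTED_SECURITY_SENDERS:
        # Passing DMARC vouches for the domain's mail path, not for the content;
        # an unexpected sender on that domain is how form/CRM mail shows up.
        findings.append(f"authenticated {from_domain} mail from unexpected "
                        f"sender {from_addr}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From "
                        f"domain {from_domain}")
    for pattern in LURE_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE):
            findings.append(f"lure language matched: {pattern}")
    return {"from": from_addr, "auth": auth, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}
```

Run `triage(LURE_MESSAGE)` and `triage(LEGIT_MESSAGE)` side by side: both report spf, dkim and dmarc as `pass`, which is exactly why "it passed DMARC" is not a usable filter on its own; only the sender allowlist, the Reply-To mismatch and the pretext wording separate the two.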
___________________________________________________________________
(page generated 2024-12-21 18:01 UTC)