I had these people call me the other day. I got a text message alerting me of a potential Google account security issue they had blocked and they I should expect a call. I also got one of those emails and an automated phone call. The automated phone call had me dial 1 if I wanted a call back from support to help recover my account.
I got a call from a very professional sounding woman assuring me she was with Google and they had discovered some potentially fraudulent activity with my Google account in Frankfurt. They said they had locked down my account to protect it but they would walk me through recovering it.
I knew this was impossible, because the Google account in question doesn't have passwords. It has a couple of passkeys which are all physical hardware tokens in my home. But I wanted to see how pushy they would get.
Turned into a half hour phone call with me playing dumb (was watching my kid's sports practice, nothing to do for a half hour but cheer him on). Eventually when I was done with it I let them know I was in the process of filing the report with the federal cybercrime department. Immediately hung up from that.
There’s an easier tell. It’s impossible because you can’t to get Google to help you at all about any account issues, never mind them being as proactive as to call you.
In other words if Google call you, it’s not Google.
It’s slightly depressing that there are probably more fake Google support staff than real ones.
I feel Google, Facebook, etc. all need to setup actual phone numbers and chat rooms, and make them rank highly on searches for "Google support phone number", "Google fraud department", "Google account recovery department", "Google Live Support Chat" etc.
Then those numbers should simply play a message that this is the only official phone number, and no human will ever call from or answer this number, and the company does not offer customer support or appeals to account problems.
They also need to make searching for fraud phone numbers return anti-fraud messaging rather than what it currently does. Seems like the entire 844-906 exchange is fraudulent [1].
I had a family member that just got scammed because they panicked after their Facebook account got banned, basically exactly like [2].
In case you would like a concrete example to ground the cynicism about corporate trade offs around customer support, I recommend watching Jill Bearup's 10 minute video [0] about this week's demonetization. For example, she has to deal with some form that she "can't submit", a customer service contact 12 time zones away (so email replies are 12 hours delayed), and an account manager who is non-responsive. In her court, are some unaffiliated google employees giving guidance, but only because they were already part of her youtube watching audience.
If it weren't for the routine ex-Googler postmortem blog post shared on HN I'd think Google doesn't even have human employees.
The greatest mystery of my life is what is a "Google Product Expert" on their community forums whom I assume:
1. isn't an employee speaking as the company.
2. is someone given the title by the company.
3. spends a lot of time answering questions despite not being paid for it.
4. can contact Google employees somehow.
The only perks for this that Google lists is that you can join a secret club of Google Product Experts. It feels like gig economy applied to customer support.
I had Google call me once :) It was when I was riding in a Waymo and one of the screens in the vehicle was lagging a little bit. They made the surprising choice of calling my phone, rather than ringing the car itself, and I didn't pick up because... who picks up when your phone says, "Call from Google" :) They called the car shortly afterward to reassure me that the lagging screen wasn't an indicator that the car would underperform.
Being guaranteed to be able to talk to a human would be great, but I just don't see how it can possibly scale to over 1 billion users that aren't paying like gmail has.
Years ago, my brother used to work for XBox Live Tech Support, and he said that easily over half the calls he got were for things that customers could easily self-service, like a password reset. Many tech issues were fixed by the most basic troubleshooting step: Power cycling.
Meanwhile, my uncle works XFinity tech support, and he'll frequently get calls when a website has an outage, not to mention how many non-technical people think any internet-related issue, such as a forgotten Google password, means calling your ISP.
This doesn't even begin to talk about bad actors calling tech support to try to break into someone else's account. Google accounts are high-value targets. Once you've gotten in, there's a really good chance you could easily pivot to all of that person's other accounts.
To handle the call volume that a service like Google would have, if they offered phone tech support, the amount of staff they would need would be in the hundreds of thousands, and so many of the calls they take would be wastes of time. There are a lot of non-technical people that have no idea how things work and basically think that Google IS the Internet.
I had a weird security alert on my Google account the other night after trying to do a "Sign in with Google" to a service I've used for years. Trying to view my account/security info kept redirecting me to a page instructing me on how to clear cookies.
I clicked support and was able to get a call right away. But I pay $20/year for Google One.
Somehow Google and other tech companies are not required to have a customer service that actually solves the legitimate problems customers have with their services. I wonder how they are allowed to do this not just in the US but across the world.
I got one of the same calls (didn't believe them). Afterwards I phoned Google support and they said the same thing, they will never call you. I had them confirm nothing was wrong with my account, just in case.
So it's very possible to phone Google support, just don't believe anyone who calls you.
> It’s slightly depressing that there are probably more fake Google support staff than real ones.
I've never thought of it that way but you're right! Dealing with support at most tech companies is a horrible experience and is usually something I research before using a product where a failure in service provision could lead to catastrophic results.
Depends heavily on the company. Fidelity, for example, has super friendly, local sounding support employees. They will sometimes call you directly, too, for things like "checking in on your retirement goals". If someone called sounding professional, it would not be a tell that it isn't actually fidelity.
Plus, most of the weird "customer support" scams I've gotten in the past are people with thick accents on a garbage connection.
I've gotten real support calls where the audio was so bad it was hard to understand anything they said. And/Or the standby music fidelity was so awful it's like pounding a spike in my ears. (Or maybe that's intentional so I hang up and don't bother with them.)
You'd think they'd have equipment newer than the 1960's.
I get lots of helpful emails from my mail administrator telling me I have some sort of problem I need to log in/revalidate/release pending messages etc.
Frankfurt is actually notorious in Germany for their issues with drugs. Going outta the train station you can see ppl passed out with literal needles in their arms, taking a shit in public view etc
Doesn't really transfer to cyber crime, but it's definitely one of the more "criminal" places in Germany. Still super tame compared to actual slums etc though
The glaring common denominator here is that the attacker has the ability to send an unprompted, unblockable request to the victim's phone. Pressing the safe-looking green button that shows up, even accidentally, is digital suicide.
Google Prompt is supposed to be a safety feature. The account recovery process lets a hostile actor turn Google Prompt into a loaded gun, and Google puts it directly into the victim's hand, aimed straight at their own head.
There's absolutely no way to shut off Google Prompt that doesn't involve removing every Google app from your mobile devices.
This is called MFA bombing. Just send prompts until the user accidentally accepts one.
Microsoft’s authentication has protection against this, requiring you to manually enter a 2 digit number in your phone, matching what you see on your other device. Very simple, there is no excuse for Google to not have similar.
That quickly becomes tedious when you need to do it multiple times a day - e.g. logging in to different customer environments. Much prefer the one-click approval.
Google allowing OTP codes to be generated from the cloud is also insane to me. I've known about this feature for a little while, but it never ceases to amaze me how careless Google is with security.
> Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one’s Google account online.
This sounded absolutely crazy to me so I went to open Authenticator on my phone and lo and behold it offered me the option of linking to my account and "backing up my codes in the cloud" to which I declined.
But I had never seen this behavior before, so is this new? It did not seem to be enabled by default in my case.
What's crazy to me is that Google would allow access to a foreign device from a single click. It would be easy for a person to accidentally click it, or for a kid playing on their parents advice to click it when it popped up. I really can't understand why they wouldn't send a code that would have to be entered instead; it would be far less prone to those kinds of problems.
"foreign device" based on IP geolocation is pretty tricky and annoying.
My home in Texas had an IP address which a lot of databases had as supposedly being in Montreal. It was like that for years. Gotta love so many sites trying to default to French.
How would a code help? The victim has already bought into the social engineering. If the person on the phone asks the user to read out a code, they will. If the person on the phone asks them to enter a code (i.e. the version of this kind of prompt where the user needs to enter a code on the phone matching the one showing on the login page), they will.
Google only added this feature recently. I am really conflicted about this feature. Without it you need to either save every TOTP code when you first set up the account or manually disable 2FA on every account and then enable it again so you can enroll it on a new phone. I used it when migrating to my most recent cell phone but then disabled it. Of course you have to trust that Google actually deletes the codes from your account.
Generating and storing your passwords, OTPs, and passkeys in a fully E2EE system like 1Password is effectively a root of trust, although you also have to trust (a) the password manager company, (b) whatever third-party systems and devices they use to build and deliver their software, (c) the quality of their cryptosystem, and (d) whatever device you use to decrypt/access secrets in your vault.
Yup. If you DON'T have this feature, you're depending on every user who has TOTP 2FA to actually save their backup codes somewhere they can retrieve ~years later or back up their TOTP some other way manually. Naturally, most users will fail to do this, so you'll have to deal with how to securely reset the accounts of people whose phones got lost or destroyed.
But then if you DO have it, you have to deal with the situation in this story, where if you can compromise their one key account, you get all of their TOTP codes too.
There is a big gap in the greater security landscape here. I personally use hardware authenticators for this reason, but I have to manually enrol each security key for each account.
Really what I would like is a root of trust which maybe is a cipher text which I can store in several physical locations, and then my security keys are derived from that root of trust. Then when I set up 2fa with a service it is using the root of trust and seeing that my security keys are is derived from that root of trust. This allows me to register the root of trust only once and then I can use any key derived from it.
Some cryptocurrency hardware wallets such as Trezor's are usable exactly how you want: they support fido2/webauthn and derive their keys from the recovery seed phrase. You can write down the recovery seed phrase, initialize other hardware wallets with the same recovery seed later on, and they will present to a computer as the same fido2/webauthn token.
Just checked and Google authenticator seems to be synced to my account, which is a huge SPOF and not what I want. It's possible that I did this without realising, but does anyone know of a way to revert authenticator to local-only? I don't see anything obvious.
> does anyone know of a way to revert authenticator to local-only?
To answer my own question: tap the profile pic (top right on Android) and choose the Use Without an Account option. Removes codes from cloud storage and any _other_ devices. Mentioned in TFA.
I use Authy and it does this too. I like that I can get the code on my phone or tablet. I also keep paper copies of the original QR codes in a safe place.
The trick with Authy is to disable multi-device access unless you're in the process of adding another device, so hackers and scammers can't add their own devices to your account without your aid. If you leave the setting enabled, someone may get your TOTP secrets from Authy before you can stop them.
You can just decode the QR code and use whatever secret is in there to generate the OTP codes. TOTP isn't that complicated, it's really just a second password that the system generates.
It is at least relatively new. Years ago I had to try the Google “hard landing” account recovery process because it wasn’t happening, which is how I learned that they had that form going to an email address which had been deleted. Fortunately I had paper recovery codes in my safe.
Google rolled out that hare-brained "improvement" in an update to Google Authenticator a few months ago, with the nice extra that for some users, when you dared unselecting the new cloud backup checkbox, the secrets stored in the app were instantly corrupted in some way, so you were locked out of your Google accounts immediately as a bonus <chef's kiss>. Happened to a family member, luckily they had a working emergency access method.
We will never use Google Authenticator again.
They added this recently, because lots of people complained to Google that they lose their tokens; Authy and others started to gain traction because they did synchronization. Google was pretty much forced.
I know, 2FA loses the entire point when it's synchronized. But, well. People lose their stuff all the time!
The active ingredient in 2FA as practically implemented for nearly everyone has never been the 2. It's mostly just not letting humans choose their entire password.
It does feel like the security protocols necessary to secure $100k to $Ms of crypto which transfers instantly and non-reversibly is a challenge for the average user.
Even as a fairly tech enabled GenX, I have forgotten passwords and had to reset them (usually accounts I haven’t used in a while), had files corrupted without a good backup, lost a Yubikey somewhere in the house (I think at least).
From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.
Versus keeping my money in SIPC and FDIC protected accounts.
I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted with so much logistics risk, and appreciation… well who knows about that.
1) if you don't exclusively have the private key (wallet), you don't own the crypto. if someone else gets the private key unwittingly, they now own the crypto
2) split cumulative funds into two wallets, a "hot" wallet and a "cold" wallet. keep the funds in the "hot" wallet to no more than for which total unintentional loss is tolerable. keep the private key to the "cold" wallet off any internet connected device except for the minimum duration required to transfer funds to the hot wallet.
3) print the recovery phrase for the cold wallet and store it in a physically secure location
4) if an ideally secure physical location is not possible, split risk across multiple "cold" wallets
that sounds tedious af and still prone to error, i'd rather literally pay someone to handle all of this for me, let's say, some kind of institution which specializes in storing and handling money
> 1) if you don't exclusively have the private key (wallet), you don't own the crypto. if someone else gets the private key unwittingly, they now own the crypto
That's not how the legal system works, and they're the ones who decide who owns things.
> From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.
Not sufficient. You'd also need someone you trust 100% to have another seed protected as if it was the gold of Fort Knox. And then you'd only only use "multisig" to sign transfers.
And that other person needs to live on another continent.
And you both need a backup plan in case you die if you plan to leave these 0.1 Bitcoin to your heirs.
This makes the $5 wrench attack impossible to succeed. As to whether the attacker is willing to add gratuitous (because it's impossible it'd succeed) torture/killing to its list of crime is something else though.
> I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted...
I think mid-term to long-term people simply buy a Bitcoin ETF or stocks from a company holding shitloads of Bitcoins like MicroStrategy. Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland).
Keeping your own Bitcoins is not unlike keeping physical gold coins. It's doable but risky. Multisig really helps a lot but buying a Bitcoin ETF is simply easier. Open bank or broker website, click click. Done.
I'm not saying Satoshi's dream or the Bitcoin maximalists' dream is good old Wall Street manipulating Bitcoin's price using paper Bitcoin (silver ETFs were in big trouble in 2021) but what I'm saying is I think that's how it's going to end.
>I think mid-term to long-term people simply buy a Bitcoin ETF or stocks from a company holding shitloads of Bitcoins like MicroStrategy. Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland).
But what's the inherent value of BTC if it doesn't do the things it claims? What value does Michael Saylor owning a bunch of bitcoin, of which I have a pretend share, even have?
This is the paradox of Bitcoin. It's a really cool technology that's really hard for normies to use.
I feel that crypto offers a different risk profile than say the gold ETF. There certainly is significant risk and expense to storing and securing the physical gold backing the ETF. I think it also needed to be audited as matching expected reserves occasionally?
But crypto has similar it and physical security costs at a minimum, though physical storage will be cheaper. Auditing maybe similar costs, I’m not quite sure how you confirm ownership of an address or pile of BTC without transactions?
The big risk is that these big holding companies of bitcoin become targets of state-scale cybercrime hacking armies. Can you imagine an adversary deploying constant attack on every facet of you IT infrastructure, from accessing the private keys presumably stored in hot wallets to support active trading to the interface where they may try interfere with client functions to all sorts of ends from theft to market manipulation.
I partially agree, although I can see more companies offering these kinds of services in the future. Block already has a system with Bitkey, custody companies like Casa and Unchained are providing services as signers, and AnchorWatch is stepping in as both a custody and insurance provider at the institutional level. Despite the government's best efforts to limit participation from existing banks[1], other services are jumping through the arduous hoops of regulation to fill in the void.
> Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland)
I'd suggest that holding precious metals without actually having physical metal under your exclusive control is essentially as flawed as holding crypto without exclusively holding the private key.
I have no doubt that at least some especially in the early days envisioned crypto as a legitimate alternative to fiat currency. That being said, in it's mature state as a technology, it amounts to nothing more than a clone of the modern financial system with a different set of oligarchs, except that it has far fewer consumer protections, and the nature of it makes implementing said protections in any way extremely difficult.
That combined with the extreme volatility of value that is not only endemic to any coin with meaningful usage, but is generally a goal of most coins, makes it only really useful as a speculative vehicle, and those same properties also make it uniquely bad in terms of a store of value to be used in commerce unless the seller also plans to speculate on the value.
And, even if you're good with all of that: Yes, the tech itself is decentralized, but if you don't have at least some background in basic software development or scripting, you're almost certainly going to end up using some product or another to manage your wallets and transactions, and while the wallet is anonymous, the accounts you connect the wallet to are often quite the opposite, and because of the structure of the chains, your entire transaction history is visible to everyone on the network, at all times. So it's private by default, but basically any casual user is immediately and forever doxxable.
Xmr aims to be a digital cash, and basically achieves that. Btc has goals more akin to digital gold, hence being more useful to speculators than people buying things is somewhat intentional.
I don't know who the oligarchs you're talking about are. Buterin? Bankman Fried? In either case, their position is quite different from that of a banking titan.
I wonder if people who are "invested" in cryptocurrency are more susceptible to these kind of scams. There's a strong aspect of FOMO in getting people to buy imaginary internet money, and also in getting them to panic and fumble said internet money.
One of the reasons I stay away from it is that, at least in recent years, every scam that I see taking place involves crypto. I have a lot of acquaintances and I can almost draw a line at this stage: the higher the "shadyness" of the person, the more they are invested or talking about crypto. I am yet, even tho I owned, to have had the need to use crypto in my daily/weekly/monthly/yearly life.
It is very easy to destroy lives with it as we can see in this case, and, making it harder to do so will work against the vary nature of this tech. This is a tough nut to crack but I think the space will remain filled with predators constantly baiting prey into the system with the promise of a big reward.
"You can't undo a transaction" is a core feature of crypto. This is hilarious, because in actual payment networks, it literally only benefits scammers.
Every consumer ever has at one point or another wanted or needed to reverse a transaction. Chargebacks are a FEATURE of credit cards.
Traditional banks and the financial industry are generally sub-optimal, but at least if you are scammed, they will do their best to either recover your money or return you whole.
To have this safety, money and finances have to be centralized, regulated, and governed, all of which crypto doesn't have and doesn't want.
No they won't. If you bank transfer money to a scammer, the bank won't refund you, nor can they recover it. If you give a scammer your bank access credentials, they also won't refund you because you broke the TOS.
I wonder if it is just harder to give away several million dollars of government currency without being able to recover it? This is only an interesting story because it is so much money and because they are able to narrow the suspects down to a small group.
Cryptocurrencies are like speedrunning the discovery of why finance is regulated, though, that is certainly true.
I think you’re saying the same thing from the other side: it’s definitely true that it’s harder to get or transfer large amounts of real money because the system has layers of protection due to past fraud, but those fraud protections also mean that most people can’t get the kind of paper profits which lure people to cryptocurrencies. This gives scammers the appealing target of a self-selected group of financially unsophisticated people who have chosen a system designed to make large scale theft easy and safe.
It's obviously going to be much much more difficult to steal $450K from an actual bank account and get clean away - you're going to need a lot more proof of identity than a google login. From that POV, owning a lot of cryptocurrency is painting a target on your back.
100%. It's been that way forever too. I've caught numerous people setting up mining crap, it's everywhere and anyone that shouldn't be trusted but is probably will be a vector.
About a year ago I got an email from an actual Coinbase email address telling me that my account had been compromised. It included a case number.
Trying to log in with my username and password did not work. Moments later I get a phone call, the caller id says that it is Coinbase. Guy on the phone with a thick German accent tells me he's calling about my account and gives me the case number from the email. I know damn well never to trust a phone call you did not initiate, so I'm kind of just stringing the dude along on the phone.
I remember that I had set up a passkey, and try it. I get in with that and immediately run to the emergency "lock my account" button. I tell the guy on the phone that I have clicked it and after a bit of "uhmmm..."-ing and "hmmm..."-ing he just hangs up.
I call Coinbase support and they verify some recent transactions and ask me to forward them the email, and that's that. I still have no idea what the actual attack was or how they changed or invalidated my password. Best I can tell they did not manage to actually get in to my account.
I ended up changing my password to just about everything out of caution.
Last time I called boss money transfer, i called them and their real agents told me they must call me to verify. I was like, how would I know if it is boss money transfer or scammer. At the end I had to trust because voice was same.
I wonder if there's any one legitimate instance of a company calling you about compromised accounts and requiring your action. It seems to me that anyone reaching out and lighting a fire under your ass can be assumed to me a malicious actor.
Any notification asking you to confirm your identity that is not initiated by your actions should be immediately dismissed with a "no" and that should be all there is to such things, no?
I got a call from "Bank of America," and they smoothly talked me into giving them my debit card PIN. The trick was they had gotten into my online banking beforehand. "We've detected possibly fraudulent activity on your account." Then they read me real transactions from my actual account. "To be safe, let's lock down the account. For this we need more information for authentication, though." Probably started from a phishing thing that I fell for online without noticing. It was pretty clever of them. Not so easy to steal from a checking account without leaving a trail, unless you have the PIN. Then the main risk is to whomever was on camera at the ATM withdrawing as much cash as possible before the account was automatically locked down.
The next day, I got a call from "Bank of America" telling me that I'd been had. Fortunately they just credited the money back into my account. About $5000.
The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."
The article's advice is correct. If someone asks you for info, tell them you'll call them back. It is almost certainly a scam. Calling back the possibly spoofed number at worst wastes a little time being on hold, and at best saves you or the bank a lot of money.
Don't call back the number possibly being spoofed (i.e. using your Caller ID as the source of the callback number). Call an independently-listed number for the company, such as the phone number on the back of a credit or debit card. Using an independent number prevents any failures where the Caller ID correctly reports an attacker-controlled but plausible-sounding number.
For extra paranoia and safety, perform the callback from a separate phone line. That would avoid at least some of the more-targeted attacks involving a compromise of the victim's phone connection, which could potentially allow the attacker to redirect outgoing calls.
> The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."
Unfortunately physical branches are expensive to maintain, so a lot of banks have been closing them down. There are even plenty of banks with zero physical branches now. All contact is via phone or email, so there is no scam-proof way for them to contact you.
Here's a thing that is enraging, though: when a bank has SMS 2FA (insecure if you're being targeted but better than nothing) and they keep having you enter that into third-party websites. I mean going to a legitimate business, making a purchase with a credit card, and then the bank wants 2FA to validate a purchase instead of a login? Fuck off, I'll use a different card, then.
If it weren't for bullshit FICO calculations I would drop that account entirely.
Banks are pretty good at doing an impression of phishing scams, unfortunately. Almost every red flag for a scammer has also been done by a bank, legitimately.
There was a comment on Hacker News, which alas I can no longer locate, where a guy said he'd been called by his bank and the bank wanted him to answer various security questions. He said he was happy to do so, but firstly needed the bank to verify who they were, or to call the bank back on a telephone number on their website. The bank refused, so he refused to give them any details. The bank then blocked his bank account, meaning he couldn't pay his university tuition on time, meaning his student visa was no longer valid as he was no longer "studying", meaning he had to leave the country.
Also healthcare providers, though they seem to have finally wised up. They would call me from poorly configured phone systems (so unrecognizable caller id) and the first thing they would ask is to confirm full name and date of birth.
Patterns like this do a great deal of damage in desensitizing folks and making them accept dangerous patterns that get exploited by scams.
I have had my telephone company ask me to give them a code sent to my device. It is presumably to prove to the company that the representative is talking to me so that bad actors low in the company cannot start randomly messing with people’s accounts. It is the equivalent of the bad click here. The only real defense is to know the difference between a mechanism meant to authorize someone a the company and a mechanism to authorize you. Confuse the latter for the former like the victim did here and bad things will happen.
I called a bank to increase my ATM limit. The agent sent me an SMS code to verify my identity and wanted me to read it back to him. The message said not to give the code to any human. Sigh.
If some bank calls you about compromised accounts, the recommended action should be to hang up, find the official phone number for your bank, wait one minute[1], then call back.
[1] You have to wait or call from a different phone, because the call might not terminate immediately, and the scammer might still be listening on the line.
Sometimes there are good reasons for a bank to call you. The infuriating part is that not every bank has a quickly accessible number to call back if you don't trust the caller. Caller ID may be useless, but me calling the official number for my bank is pretty hard to fake (unless my carrier is part of the scam).
My bank has a button inside the app that will confirm that a real bank representative is calling you, or provides a button to call the bank's emergency line if they're not. It's a simple and effective way of preventing scams that I think more banks should implement.
A ss7 attack could make your carrier part of the scam without their knowledge, such that calling back the number will connect you to the scammer and not the bank.
Ideally yes no one would fall for that. But these type of attacks doesn't just rely on solely ignorance. They introduced urgency, the fight or flight situation. Plus the first guy in the article got caught up in bad timing where his mental condition aren't right with his kid crying, his wife yelling etc.
“In Soundcloud’s instance, part of declaring your innocence is you have to give them your home address and everything else, and it says right on there, ‘this will be provided to the person making the copyright claim.'”
The defining feature of crypto - decentralized, irreversible, no "higher power" you can go to in order to get your money back - turns out to be the thing that burns people ALL the time.
Surprisingly, there's also no "higher power" to get your money back from scams using traditional banking rails as well. I have family members who have lost thousands from bank transfers to legally registered companies that establish legitimacy through having a business bank account. It usually takes forever to shut them down, even after hundreds of thousands of reports from people like me who recognize what they are early on.
Many haven't actually lost money in significant ways through bank transfers, but when it does happen, the disillusionment of institutional security really falls away. Additionally, governments are slow and ineffective, so when these companies do get caught with class action lawsuits, they usually don't have anything to return.
Maybe but this shit is hard for institutions too. There are so many sharp edges.
Even in a well-respected fintech with responsible, talented people I’ve seen: safe deposit boxes get lost (literally no idea where in the world they actually are), go missing (the bank relocates or closes and disposes of them without notification) or become destroyed (fire, flood). I have seen industrial-grade hardware security modules spontaneously corrupt all the internal keys, happily continuing to produce “encrypted” output which can never be decrypted.
Building crypto offerings at scale that can survive the myriad unknown unknowns of real world and hardware failures that can affect both paper and hardware wallets is a really difficult problem. Not impossible, but the stakes are extreme and getting one thing wrong that leads to the loss of a cold wallet can easily lead to total ruin.
Even if “only” a hot wallet gets popped, the instantaneous and irrevocable loss of those funds needs to be offset by a comparatively large amount of operating profit.
At least with the traditional banking system there are a lot of safeguards in place.
The start of the article and comments thus far focus on the authenticator/Google account scam. I think a separate topic of note is taking a photo of the wallet recovery words [on an internet-connectable device]. This was, IMO, the primary mistake the user made. (And an easy one to make if you don't consider its consequences)
What I want to know is if the attackers knew that the photo was there, and if so, how. Or were they just planning to get into the victim's gmail and exploit whatever they found?
I had read of this attack back in September[1]. It seems very sophisticated because they spoof a phone number that at first glance is associated with Google, but is really just the “uncanny-valley” Google Assistant service that can check wait times or make reservations on your behalf.
Does Google even offer live-person support if you’re not their Workspace customer?
Also, one other difference is that apparently the attackers may have been using Salesforce to send the emails. Maybe they were using a trial or developer edition? I believe those can send out emails too, but they are very limited. So this must be a very targeted kind of attack. The scary part is that the attacker’s emails pass SPF, DKIM, and DMARC. There’s a technical write-up I found about this aspect of the attack.[2]
> Does Google even offer live-person support if you’re not their Workspace customer?
Not really. That's the giant red flag behind committing to a gmail, outlook, etc. account. If it gets messed up you're at the whim of "on-rail" support and if you need anything more all you can do is shout into social media and hope a stray employee feels bad for you.
I couldn't find it from the article, but how the scammer got access to the Gmail account? How he triggered that prompt in the victim's phone, and what did it mean?
Basically someone can request access to your account and if you click Yes, they do access it.
This part from a Reddit thread [1] scared me a bit:
> The notification pops up on my screen over whatever I am doing, and if I'm using my phone, I worry that I might accidentally hit YES (it almost happened today).
Unfortunately, when a person is getting support from a large corporation it's completely routine and normal for the follow-up e-mail to have random extra branding like "zendesk" or "atlassian" or "salesforce"
It's a clever move by the scammers - I can see how people would fall for it.
> More importantly, Tony recognized the voice of “Daniel from Google” when it was featured in an interview by Junseth, a podcaster who covers cryptocurrency scams. The same voice that had coaxed Tony out of his considerable cryptocurrency holdings just days earlier also had tried to phish Junseth, who played along for several minutes before revealing he knew it was a scam.
> [...]
> Daniel told Junseth he and his co-conspirators had just scored a $1.2 million theft that was still pending on the bitcoin investment platform SwanBitcoin. In response, Junseth tagged SwanBitcoin in a post about his podcast on Twitter/X, and the CEO of Swan quickly replied that they caught the $1.2 million transaction that morning.
> Apparently, Daniel didn’t appreciate having his voice broadcast to the world (or his $1.2 million bitcoin heist disrupted) because according to Junseth someone submitted a baseless copyright infringement claim about it to Soundcloud, which was hosting the recording.
> The complaint alleged the recording included a copyrighted song, but that wasn’t true: Junseth later posted a raw version of the recording to Telegram, and it clearly had no music in the background. Nevertheless, Soundcloud removed the audio file.
DMCA enabling bad actors to cover their tracks was not on my bingo list.
You mean besides literally all the times when people upload raw copyrighted movies and music to YouTube? DMCA is boring and un-newsworthy when it's working properly. (Unless you're the type who thinks copyright is inherently wrong, but it would then be very silly to ask if DMCA was ever "used in a manner".)
While this is devastating, the lesson that we should all remember:
Never, ever, no matter the circumstances, store private keys (or seed phrases) on photos. Especially if those photos are synchronized to the cloud.
Hand-write them, store them in a safe and secure PHYSICAL location.
Of course we're humans, we make mistakes, and we usually start with small amounts of money that we can lose where it would be unnecessary to take all these precautions, but we still need to regularly remind ourselves to avoid disasters like this in the self-custody world.
I think a lot of people bought some crypto early on when it was really cheap, were kind of sloppy about the security of things, and then left it alone and ignored everything while it went up by 10,000x in value. Now when their account is worth hundreds of thousands of dollars, their security is pretty inadequate for something with that actual value.
Many people have accounts worth hundreds of thousands of dollars of non crypto assets but are relatively safe with the same level of security (or even less) than what crypto demands of its users.
Honestly, that part of the story seemed completely unbelievable. I mean I get that someone might stare such a photo in the cloud, but hackers are really going to run a scam on him and then sift through photos thinking “maybe?”
Ok but you have to balance that with the risk that your PHYSICAL item will be lost, stolen, or destroyed. What happens then?
The problem is that the security protocols required to keep cryptocurrency safe are simply untenable for any mere mortal. But hey, we keep blaming the victims… because they didn’t know the one simple trick to keep their Bitcoin safe!
I feel like attacks like this would be much harder if we had never adopted HTML emails. Then it would make more intuitive sense (for the user) for an institution to write:
(1) Go to our website
(2) Login and check your account
Of course, leigitimate emails do that now, but because of the way we've been trained to "click" (such as "click to verify your email"), this conditioning carries over to phishing and other attacks, whereas that would be impossible with plain text. With plain text, the email verification would have to be "paste this code into a box".
Email clients would probably still parse URLs into links. People would click them. Then people would prefer links that didn't look like gobbledygook, so email clients would start supporting extensions like parsing of [markdown-style links](https://gobbledygook.com/ddkf878dfjlsfd). And then we would arrive at HTML.
> Then people would prefer links that didn't look like gobbledygook
Well, I can say with relative confidence that people prefer those links but _marketers_ prefer hxxps://awsmail.me/b64trustmebro/8675309== that leads who fucking knows where
I am maybe missing something obvious here, but isn't it suspicious that these attacks "affecting a small number of google users" happened to "hit" two people with significant cryptocurrency holdings?
I have a simple defense against this. I use a special email account for financial information that only my email provider, myself and my financial institutions know to exist. Even if I tap yes instead of no by mistake on a prompt like this, my financial accounts are safe unless the attacker breaches my bank to find out the email account I use with them first.
I wonder how that would work if they cannot prove my identity first by telling the representative a code sent to my phone number. I would expect the bank to tell the attacker to go into the local branch with identification.
> By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app.
When business guys are involved in a security app. Many of us can easily imagine the "user story" that caused this.
Just look at the probably hundreds or more comments here through the years of people bashing Google for having their authenticator app not sync TOTP secrets to the cloud. For the longest time it was pulling teeth to get the app to surrender the TOTP secrets saved inside.
It seems like the common thread here is that the thefts were of cryptocurrency, rather than real assets in a financial system with safeguards. You can still get robbed of those assets, but it leaves a far stronger paper trail to catch the perpetrators.
The difference is that we haven't spent a century building up police organizations, bureaucracies, processes and international working relationships to track down crypto crime the way we have for "normal" financial crimes.
You would track down this crypto in just about the same way you'd track down a fraudulently ordered wire transfer that was cashed out. Records would be requested, IP's and timestamps recorded, more records would be requested from other parties based on those, and so on and so on. The difference is that it's somebody's job to go after those. It's nobody's job to go after this.
It’s the classic tradeoff of freedom vs. security. It’s the biggest reason I can’t foresee myself storing substantial amounts of cryptocurrency. I just want to hand my hard earned money to a financial institution and not have to think about it too much.
I always tell people to take control of the situation and stay calm. If “Google” or someone contacts you about a problem, simply hang up or ignore the email, look up the company’s info online, and contact the company directly.
Almost all scammers use more or less the same trick, they try to trigger a fear or greed rush with their message/call, so you don't get a chance to question authenticity of what you read or hear.
That is also what many salespersons do to get you to buy what you don't need nor even want, you cannot miss this limited time discount.
Always stop for a moment and be skeptical, caller ID can be spoofed, email addresd can have ä or ē in the domain that you won't notice if you don't look carefully.
So the attacker has known in advance that the secret was stored in google photos? Is it a common way to store passwords, or is some piece missing here?
I hadn't considered that use of Google Forms to send emails from a Google domain. That's a pretty huge security risk, technically it doesn't risk your zgiogle account but the phishing and impersonation risks for Google are huge.
I wholehearted agree with your mantra. But I need banks and other businesses to learn this. Particularly banks.
My bank has literally called me with what amounts to "ur being haxxor3d", and like … who are you? The representative literally would not tell me who he worked for. I was 210% sure it was a scam, and hung up on him. Turned out, it was legit.¹
Companies need to make sure their own operations don't bear the trappings of fraud.
¹(I don't regret hanging up, though. Calling back to a known, published-by-the-business-itself number is the right thing to do.)
Yeah I got a similar call once from someone, maybe a credit card company, and the first question was "to verify your identity we need the last four digits of your social security number" and I was like wait a minute, you called me. What are the last four digits of YOUR social security number?
Easy for me to be a smartass in hindsight, but I can't resist:
> Unfortunately for Griffin, years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet.
Um, duh...
> "[...] I put my seed phrase into a phishing site, and that was it.”
>Almost immediately, all of the funds he was planning to save for retirement and for his children’s college fund were drained from his account.
Um, duh. First mistake to put all eggs in a single basket. Second mistake, this basket was a cryptocurrency. Third mistake, pasting the secret key to that _anywhere_.
> Daniel told Tony his account was being accessed by someone in Frankfurt, Germany, and that he could evict the hacker and recover access to the account by clicking “yes” to the prompt that Google was going to send to his phone.
Are these spammers just lucky or is there something that lets them sniff blood in the water and specifically target people holding large amounts of crypto?
It's not really a matter of intelligence, and nobody's smart 100% of the time.
Let's take the average person on this forum, who's probably pretty tech savvy. Their odds of falling for a scam on a given day might be 1 in a billion. But when they're exhausted after work, they might be 10X likelier to fall for a scam. Another 10X when they're stressed out about family life, or going through a breakup. Another 10X when they're out drinking with their friends. And so on.
Eventually, whether it's due to age or other factors, everyone gets to be in situations where they're susceptible to scams. And scammers are experts at emotional manipulation, exploiting fear and embarrassment.
I had these people call me the other day. I got a text message alerting me of a potential Google account security issue they had blocked and they I should expect a call. I also got one of those emails and an automated phone call. The automated phone call had me dial 1 if I wanted a call back from support to help recover my account.
I got a call from a very professional sounding woman assuring me she was with Google and they had discovered some potentially fraudulent activity with my Google account in Frankfurt. They said they had locked down my account to protect it but they would walk me through recovering it.
I knew this was impossible, because the Google account in question doesn't have passwords. It has a couple of passkeys which are all physical hardware tokens in my home. But I wanted to see how pushy they would get.
Turned into a half hour phone call with me playing dumb (was watching my kid's sports practice, nothing to do for a half hour but cheer him on). Eventually when I was done with it I let them know I was in the process of filing the report with the federal cybercrime department. Immediately hung up from that.
> I knew this was impossible, because…
There’s an easier tell. It’s impossible because you can’t to get Google to help you at all about any account issues, never mind them being as proactive as to call you.
In other words if Google call you, it’s not Google.
It’s slightly depressing that there are probably more fake Google support staff than real ones.
I feel Google, Facebook, etc. all need to setup actual phone numbers and chat rooms, and make them rank highly on searches for "Google support phone number", "Google fraud department", "Google account recovery department", "Google Live Support Chat" etc.
Then those numbers should simply play a message that this is the only official phone number, and no human will ever call from or answer this number, and the company does not offer customer support or appeals to account problems.
They also need to make searching for fraud phone numbers return anti-fraud messaging rather than what it currently does. Seems like the entire 844-906 exchange is fraudulent [1].
I had a family member that just got scammed because they panicked after their Facebook account got banned, basically exactly like [2].
[1] https://www.google.com/search?q=844-906
[2] https://www.npr.org/sections/alltechconsidered/2017/01/31/51...
22 replies →
In case you would like a concrete example to ground the cynicism about corporate trade offs around customer support, I recommend watching Jill Bearup's 10 minute video [0] about this week's demonetization. For example, she has to deal with some form that she "can't submit", a customer service contact 12 time zones away (so email replies are 12 hours delayed), and an account manager who is non-responsive. In her court, are some unaffiliated google employees giving guidance, but only because they were already part of her youtube watching audience.
[0] https://www.youtube.com/watch?v=6RZHajVV9PA
2 replies →
If it weren't for the routine ex-Googler postmortem blog post shared on HN I'd think Google doesn't even have human employees.
The greatest mystery of my life is what is a "Google Product Expert" on their community forums whom I assume:
1. isn't an employee speaking as the company.
2. is someone given the title by the company.
3. spends a lot of time answering questions despite not being paid for it.
4. can contact Google employees somehow.
The only perks for this that Google lists is that you can join a secret club of Google Product Experts. It feels like gig economy applied to customer support.
4 replies →
I had Google call me once :) It was when I was riding in a Waymo and one of the screens in the vehicle was lagging a little bit. They made the surprising choice of calling my phone, rather than ringing the car itself, and I didn't pick up because... who picks up when your phone says, "Call from Google" :) They called the car shortly afterward to reassure me that the lagging screen wasn't an indicator that the car would underperform.
Being guaranteed to be able to talk to a human would be great, but I just don't see how it can possibly scale to over 1 billion users that aren't paying like gmail has.
Years ago, my brother used to work for XBox Live Tech Support, and he said that easily over half the calls he got were for things that customers could easily self-service, like a password reset. Many tech issues were fixed by the most basic troubleshooting step: Power cycling.
Meanwhile, my uncle works XFinity tech support, and he'll frequently get calls when a website has an outage, not to mention how many non-technical people think any internet-related issue, such as a forgotten Google password, means calling your ISP.
This doesn't even begin to talk about bad actors calling tech support to try to break into someone else's account. Google accounts are high-value targets. Once you've gotten in, there's a really good chance you could easily pivot to all of that person's other accounts.
To handle the call volume that a service like Google would have, if they offered phone tech support, the amount of staff they would need would be in the hundreds of thousands, and so many of the calls they take would be wastes of time. There are a lot of non-technical people that have no idea how things work and basically think that Google IS the Internet.
11 replies →
I had a weird security alert on my Google account the other night after trying to do a "Sign in with Google" to a service I've used for years. Trying to view my account/security info kept redirecting me to a page instructing me on how to clear cookies.
I clicked support and was able to get a call right away. But I pay $20/year for Google One.
They will reach put to try and help sell you more ad spend. If that was a scam its very good cause they set up my adwords campaign for me.
1 reply →
Somehow Google and other tech companies are not required to have a customer service that actually solves the legitimate problems customers have with their services. I wonder how they are allowed to do this not just in the US but across the world.
4 replies →
I got one of the same calls (didn't believe them). Afterwards I phoned Google support and they said the same thing, they will never call you. I had them confirm nothing was wrong with my account, just in case.
So it's very possible to phone Google support, just don't believe anyone who calls you.
> There’s an easier tell. It’s impossible because you can’t to get Google to help you at all about any account issues, ...
Paying Google apps / GSuite users can call a number and it's real humans answering (and they're very helpful).
But indeed I don't think they proactively call you.
Unless their salespeople are calling you
> It’s slightly depressing that there are probably more fake Google support staff than real ones.
I've never thought of it that way but you're right! Dealing with support at most tech companies is a horrible experience and is usually something I research before using a product where a failure in service provision could lead to catastrophic results.
I had a legit call come from Google Maps and I called them a scammer and various other names.
Right? "Google support" calling is an obvious tell.
> I got a call from a very professional sounding woman
That's usually the tell, right there.
Legit support operations tend to sound unprofessional as hell. Heavy accents, scratchy lines, scripts referencing the wrong OS, etc.
Depends heavily on the company. Fidelity, for example, has super friendly, local sounding support employees. They will sometimes call you directly, too, for things like "checking in on your retirement goals". If someone called sounding professional, it would not be a tell that it isn't actually fidelity.
Plus, most of the weird "customer support" scams I've gotten in the past are people with thick accents on a garbage connection.
15 replies →
I've gotten real support calls where the audio was so bad it was hard to understand anything they said. And/Or the standby music fidelity was so awful it's like pounding a spike in my ears. (Or maybe that's intentional so I hang up and don't bother with them.)
You'd think they'd have equipment newer than the 1960's.
Yeah, hah, it is funny that "Google offering phone support" is so unthinkable to me that it's a red flag for a scam.
1 reply →
I get lots of helpful emails from my mail administrator telling me I have some sort of problem I need to log in/revalidate/release pending messages etc.
Urgently!
(I run my own mail server and I am the admin)
Sounds as urgent as legit :)
> I got a call from a very professional sounding woman assuring me she was with Google
A customer support person from google? Scamers really tell the craziest stories.
You should have recorded the whole thing
Frankfurt of all places!
Frankfurt is actually notorious in Germany for their issues with drugs. Going outta the train station you can see ppl passed out with literal needles in their arms, taking a shit in public view etc
Doesn't really transfer to cyber crime, but it's definitely one of the more "criminal" places in Germany. Still super tame compared to actual slums etc though
2 replies →
They called from Bahnhof Viertel ;)
[dead]
The glaring common denominator here is that the attacker has the ability to send an unprompted, unblockable request to the victim's phone. Pressing the safe-looking green button that shows up, even accidentally, is digital suicide.
Google Prompt is supposed to be a safety feature. The account recovery process lets a hostile actor turn Google Prompt into a loaded gun, and Google puts it directly into the victim's hand, aimed straight at their own head.
There's absolutely no way to shut off Google Prompt that doesn't involve removing every Google app from your mobile devices.
This is called MFA bombing. Just send prompts until the user accidentally accepts one.
Microsoft’s authentication has protection against this, requiring you to manually enter a 2 digit number in your phone, matching what you see on your other device. Very simple, there is no excuse for Google to not have similar.
That quickly becomes tedious when you need to do it multiple times a day - e.g. logging in to different customer environments. Much prefer the one-click approval.
1 reply →
Hmm. I remember using a code like this with google, too. Seems like they had something similar in the past.
1 reply →
Google allowing OTP codes to be generated from the cloud is also insane to me. I've known about this feature for a little while, but it never ceases to amaze me how careless Google is with security.
> Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one’s Google account online.
This sounded absolutely crazy to me so I went to open Authenticator on my phone and lo and behold it offered me the option of linking to my account and "backing up my codes in the cloud" to which I declined.
But I had never seen this behavior before, so is this new? It did not seem to be enabled by default in my case.
What's crazy to me is that Google would allow access to a foreign device from a single click. It would be easy for a person to accidentally click it, or for a kid playing on their parents advice to click it when it popped up. I really can't understand why they wouldn't send a code that would have to be entered instead; it would be far less prone to those kinds of problems.
"foreign device" based on IP geolocation is pretty tricky and annoying.
My home in Texas had an IP address which a lot of databases had as supposedly being in Montreal. It was like that for years. Gotta love so many sites trying to default to French.
8 replies →
How would a code help? The victim has already bought into the social engineering. If the person on the phone asks the user to read out a code, they will. If the person on the phone asks them to enter a code (i.e. the version of this kind of prompt where the user needs to enter a code on the phone matching the one showing on the login page), they will.
1 reply →
Google only added this feature recently. I am really conflicted about this feature. Without it you need to either save every TOTP code when you first set up the account or manually disable 2FA on every account and then enable it again so you can enroll it on a new phone. I used it when migrating to my most recent cell phone but then disabled it. Of course you have to trust that Google actually deletes the codes from your account.
Same with me, I had setup MFA using Google Auth for an important account I use.
Next day the phone broke, and I lost that account forever. I had not written the backup codes down anywhere.
Generating and storing your passwords, OTPs, and passkeys in a fully E2EE system like 1Password is effectively a root of trust, although you also have to trust (a) the password manager company, (b) whatever third-party systems and devices they use to build and deliver their software, (c) the quality of their cryptosystem, and (d) whatever device you use to decrypt/access secrets in your vault.
13 replies →
Yup. If you DON'T have this feature, you're depending on every user who has TOTP 2FA to actually save their backup codes somewhere they can retrieve ~years later or back up their TOTP some other way manually. Naturally, most users will fail to do this, so you'll have to deal with how to securely reset the accounts of people whose phones got lost or destroyed.
But then if you DO have it, you have to deal with the situation in this story, where if you can compromise their one key account, you get all of their TOTP codes too.
There is a big gap in the greater security landscape here. I personally use hardware authenticators for this reason, but I have to manually enrol each security key for each account.
Really what I would like is a root of trust which maybe is a cipher text which I can store in several physical locations, and then my security keys are derived from that root of trust. Then when I set up 2fa with a service it is using the root of trust and seeing that my security keys are is derived from that root of trust. This allows me to register the root of trust only once and then I can use any key derived from it.
Some cryptocurrency hardware wallets such as Trezor's are usable exactly how you want: they support fido2/webauthn and derive their keys from the recovery seed phrase. You can write down the recovery seed phrase, initialize other hardware wallets with the same recovery seed later on, and they will present to a computer as the same fido2/webauthn token.
2 replies →
Just checked and Google authenticator seems to be synced to my account, which is a huge SPOF and not what I want. It's possible that I did this without realising, but does anyone know of a way to revert authenticator to local-only? I don't see anything obvious.
> It's possible that I did this without realising
IIRC on my platform, when they added the feature they turned it on by default, as an auto-installed update.
And if you're logged into the gmail app on the same device that also logs you into authenticator.
You didn't do anything wrong.
2 replies →
Better option is to not use Google's TOTP app. Use something else
You can't revert, they keys are sent, they have them. They can't un have them. You'll need to rotate your MFA.
5 replies →
> does anyone know of a way to revert authenticator to local-only?
To answer my own question: tap the profile pic (top right on Android) and choose the Use Without an Account option. Removes codes from cloud storage and any _other_ devices. Mentioned in TFA.
1 reply →
I use Authy and it does this too. I like that I can get the code on my phone or tablet. I also keep paper copies of the original QR codes in a safe place.
The trick with Authy is to disable multi-device access unless you're in the process of adding another device, so hackers and scammers can't add their own devices to your account without your aid. If you leave the setting enabled, someone may get your TOTP secrets from Authy before you can stop them.
4 replies →
You can just decode the QR code and use whatever secret is in there to generate the OTP codes. TOTP isn't that complicated, it's really just a second password that the system generates.
2 replies →
It is at least relatively new. Years ago I had to try the Google “hard landing” account recovery process because it wasn’t happening, which is how I learned that they had that form going to an email address which had been deleted. Fortunately I had paper recovery codes in my safe.
Google rolled out that hare-brained "improvement" in an update to Google Authenticator a few months ago, with the nice extra that for some users, when you dared unselecting the new cloud backup checkbox, the secrets stored in the app were instantly corrupted in some way, so you were locked out of your Google accounts immediately as a bonus <chef's kiss>. Happened to a family member, luckily they had a working emergency access method. We will never use Google Authenticator again.
Recommended alternative: 2FAS (https://play.google.com/store/apps/details?id=com.twofasapp) which allows you to import the secrets from Google Authenticator via QR codes, and has a local backup feature (e.g. to a USB drive).
5 replies →
I'm shocked how often one of my ~50 colleagues asks me to reset their 2FA. It's every 6-8 weeks or so.
Their personal accounts will be affected in the same way (lost phone, new phone etc).
Was about to say this but yeah.
Big brains at google didn't understand the number '2' in 2FA
They added this recently, because lots of people complained to Google that they lose their tokens; Authy and others started to gain traction because they did synchronization. Google was pretty much forced.
I know, 2FA loses the entire point when it's synchronized. But, well. People lose their stuff all the time!
4 replies →
The active ingredient in 2FA as practically implemented for nearly everyone has never been the 2. It's mostly just not letting humans choose their entire password.
Most people wouldn't realise they can't recover their TOTP codes. But the hacker would still need to know your password surely
15 replies →
It's because everybody wants to put everything in 2FA protocols, because people just can't use passwords...
And the fact that one of those doesn't lead to the other passes way over their heads.
It does feel like the security protocols necessary to secure $100k to $Ms of crypto which transfers instantly and non-reversibly is a challenge for the average user.
Even as a fairly tech enabled GenX, I have forgotten passwords and had to reset them (usually accounts I haven’t used in a while), had files corrupted without a good backup, lost a Yubikey somewhere in the house (I think at least).
From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.
Versus keeping my money in SIPC and FDIC protected accounts.
I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted with so much logistics risk, and appreciation… well who knows about that.
1) if you don't exclusively have the private key (wallet), you don't own the crypto. if someone else gets the private key unwittingly, they now own the crypto
2) split cumulative funds into two wallets, a "hot" wallet and a "cold" wallet. keep the funds in the "hot" wallet to no more than for which total unintentional loss is tolerable. keep the private key to the "cold" wallet off any internet connected device except for the minimum duration required to transfer funds to the hot wallet.
3) print the recovery phrase for the cold wallet and store it in a physically secure location
4) if an ideally secure physical location is not possible, split risk across multiple "cold" wallets
that sounds tedious af and still prone to error, i'd rather literally pay someone to handle all of this for me, let's say, some kind of institution which specializes in storing and handling money
9 replies →
> 1) if you don't exclusively have the private key (wallet), you don't own the crypto. if someone else gets the private key unwittingly, they now own the crypto
That's not how the legal system works, and they're the ones who decide who owns things.
> From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.
Not sufficient. You'd also need someone you trust 100% to have another seed protected as if it was the gold of Fort Knox. And then you'd only only use "multisig" to sign transfers.
And that other person needs to live on another continent.
And you both need a backup plan in case you die if you plan to leave these 0.1 Bitcoin to your heirs.
This makes the $5 wrench attack impossible to succeed. As to whether the attacker is willing to add gratuitous (because it's impossible it'd succeed) torture/killing to its list of crime is something else though.
> I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted...
I think mid-term to long-term people simply buy a Bitcoin ETF or stocks from a company holding shitloads of Bitcoins like MicroStrategy. Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland).
Keeping your own Bitcoins is not unlike keeping physical gold coins. It's doable but risky. Multisig really helps a lot but buying a Bitcoin ETF is simply easier. Open bank or broker website, click click. Done.
I'm not saying Satoshi's dream or the Bitcoin maximalists' dream is good old Wall Street manipulating Bitcoin's price using paper Bitcoin (silver ETFs were in big trouble in 2021) but what I'm saying is I think that's how it's going to end.
>I think mid-term to long-term people simply buy a Bitcoin ETF or stocks from a company holding shitloads of Bitcoins like MicroStrategy. Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland).
But what's the inherent value of BTC if it doesn't do the things it claims? What value does Michael Saylor owning a bunch of bitcoin, of which I have a pretend share, even have?
This is the paradox of Bitcoin. It's a really cool technology that's really hard for normies to use.
I feel that crypto offers a different risk profile than say the gold ETF. There certainly is significant risk and expense to storing and securing the physical gold backing the ETF. I think it also needed to be audited as matching expected reserves occasionally?
But crypto has similar it and physical security costs at a minimum, though physical storage will be cheaper. Auditing maybe similar costs, I’m not quite sure how you confirm ownership of an address or pile of BTC without transactions?
The big risk is that these big holding companies of bitcoin become targets of state-scale cybercrime hacking armies. Can you imagine an adversary deploying constant attack on every facet of you IT infrastructure, from accessing the private keys presumably stored in hot wallets to support active trading to the interface where they may try interfere with client functions to all sorts of ends from theft to market manipulation.
I partially agree, although I can see more companies offering these kinds of services in the future. Block already has a system with Bitkey, custody companies like Casa and Unchained are providing services as signers, and AnchorWatch is stepping in as both a custody and insurance provider at the institutional level. Despite the government's best efforts to limit participation from existing banks[1], other services are jumping through the arduous hoops of regulation to fill in the void.
[1] https://www.swanbitcoin.com/politics/biden-s-sab121-veto-sta...
> Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland)
I'd suggest that holding precious metals without actually having physical metal under your exclusive control is essentially as flawed as holding crypto without exclusively holding the private key.
I have no doubt that at least some especially in the early days envisioned crypto as a legitimate alternative to fiat currency. That being said, in it's mature state as a technology, it amounts to nothing more than a clone of the modern financial system with a different set of oligarchs, except that it has far fewer consumer protections, and the nature of it makes implementing said protections in any way extremely difficult.
That combined with the extreme volatility of value that is not only endemic to any coin with meaningful usage, but is generally a goal of most coins, makes it only really useful as a speculative vehicle, and those same properties also make it uniquely bad in terms of a store of value to be used in commerce unless the seller also plans to speculate on the value.
And, even if you're good with all of that: Yes, the tech itself is decentralized, but if you don't have at least some background in basic software development or scripting, you're almost certainly going to end up using some product or another to manage your wallets and transactions, and while the wallet is anonymous, the accounts you connect the wallet to are often quite the opposite, and because of the structure of the chains, your entire transaction history is visible to everyone on the network, at all times. So it's private by default, but basically any casual user is immediately and forever doxxable.
Xmr aims to be a digital cash, and basically achieves that. Btc has goals more akin to digital gold, hence being more useful to speculators than people buying things is somewhat intentional.
I don't know who the oligarchs you're talking about are. Buterin? Bankman Fried? In either case, their position is quite different from that of a banking titan.
> I will say, the BTC appreciation is a big attraction of course
What are the other desirable features of BTC?
It’s great for laundering money.
16 replies →
Non centralized proof of ownership is pretty cool.
7 replies →
SIPC and FDIC don’t protect against fraud.
I wonder if people who are "invested" in cryptocurrency are more susceptible to these kind of scams. There's a strong aspect of FOMO in getting people to buy imaginary internet money, and also in getting them to panic and fumble said internet money.
One of the reasons I stay away from it is that, at least in recent years, every scam that I see taking place involves crypto. I have a lot of acquaintances and I can almost draw a line at this stage: the higher the "shadyness" of the person, the more they are invested or talking about crypto. I am yet, even tho I owned, to have had the need to use crypto in my daily/weekly/monthly/yearly life.
It is very easy to destroy lives with it as we can see in this case, and, making it harder to do so will work against the vary nature of this tech. This is a tough nut to crack but I think the space will remain filled with predators constantly baiting prey into the system with the promise of a big reward.
"You can't undo a transaction" is a core feature of crypto. This is hilarious, because in actual payment networks, it literally only benefits scammers.
Every consumer ever has at one point or another wanted or needed to reverse a transaction. Chargebacks are a FEATURE of credit cards.
2 replies →
While "Nigerian spam" scams profit off simple-minded gullible people, cryptocurrency scams profit off sophisticated gullible people.
Traditional banks and the financial industry are generally sub-optimal, but at least if you are scammed, they will do their best to either recover your money or return you whole.
To have this safety, money and finances have to be centralized, regulated, and governed, all of which crypto doesn't have and doesn't want.
> they will do their best to either recover your money or return you whole.
And if they don't, the courts can force them to do it and give you some extra money for the trouble.
No they won't. If you bank transfer money to a scammer, the bank won't refund you, nor can they recover it. If you give a scammer your bank access credentials, they also won't refund you because you broke the TOS.
3 replies →
I wonder if it is just harder to give away several million dollars of government currency without being able to recover it? This is only an interesting story because it is so much money and because they are able to narrow the suspects down to a small group.
Cryptocurrencies are like speedrunning the discovery of why finance is regulated, though, that is certainly true.
I think you’re saying the same thing from the other side: it’s definitely true that it’s harder to get or transfer large amounts of real money because the system has layers of protection due to past fraud, but those fraud protections also mean that most people can’t get the kind of paper profits which lure people to cryptocurrencies. This gives scammers the appealing target of a self-selected group of financially unsophisticated people who have chosen a system designed to make large scale theft easy and safe.
It's obviously going to be much much more difficult to steal $450K from an actual bank account and get clean away - you're going to need a lot more proof of identity than a google login. From that POV, owning a lot of cryptocurrency is painting a target on your back.
How do they identify their marks? A random firefighter seems like an odd target.
3 replies →
100%. It's been that way forever too. I've caught numerous people setting up mining crap, it's everywhere and anyone that shouldn't be trusted but is probably will be a vector.
About a year ago I got an email from an actual Coinbase email address telling me that my account had been compromised. It included a case number.
Trying to log in with my username and password did not work. Moments later I get a phone call, the caller id says that it is Coinbase. Guy on the phone with a thick German accent tells me he's calling about my account and gives me the case number from the email. I know damn well never to trust a phone call you did not initiate, so I'm kind of just stringing the dude along on the phone.
I remember that I had set up a passkey, and try it. I get in with that and immediately run to the emergency "lock my account" button. I tell the guy on the phone that I have clicked it and after a bit of "uhmmm..."-ing and "hmmm..."-ing he just hangs up.
I call Coinbase support and they verify some recent transactions and ask me to forward them the email, and that's that. I still have no idea what the actual attack was or how they changed or invalidated my password. Best I can tell they did not manage to actually get in to my account.
I ended up changing my password to just about everything out of caution.
Last time I called boss money transfer, i called them and their real agents told me they must call me to verify. I was like, how would I know if it is boss money transfer or scammer. At the end I had to trust because voice was same.
Probably just too many invalid login attempts.
I wonder if there's any one legitimate instance of a company calling you about compromised accounts and requiring your action. It seems to me that anyone reaching out and lighting a fire under your ass can be assumed to me a malicious actor.
Any notification asking you to confirm your identity that is not initiated by your actions should be immediately dismissed with a "no" and that should be all there is to such things, no?
Yes, but you have to know that.
I got a call from "Bank of America," and they smoothly talked me into giving them my debit card PIN. The trick was they had gotten into my online banking beforehand. "We've detected possibly fraudulent activity on your account." Then they read me real transactions from my actual account. "To be safe, let's lock down the account. For this we need more information for authentication, though." Probably started from a phishing thing that I fell for online without noticing. It was pretty clever of them. Not so easy to steal from a checking account without leaving a trail, unless you have the PIN. Then the main risk is to whomever was on camera at the ATM withdrawing as much cash as possible before the account was automatically locked down.
The next day, I got a call from "Bank of America" telling me that I'd been had. Fortunately they just credited the money back into my account. About $5000.
The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."
The article's advice is correct. If someone asks you for info, tell them you'll call them back. It is almost certainly a scam. Calling back the possibly spoofed number at worst wastes a little time being on hold, and at best saves you or the bank a lot of money.
> Calling back the possibly spoofed number
Don't call back the number possibly being spoofed (i.e. using your Caller ID as the source of the callback number). Call an independently-listed number for the company, such as the phone number on the back of a credit or debit card. Using an independent number prevents any failures where the Caller ID correctly reports an attacker-controlled but plausible-sounding number.
For extra paranoia and safety, perform the callback from a separate phone line. That would avoid at least some of the more-targeted attacks involving a compromise of the victim's phone connection, which could potentially allow the attacker to redirect outgoing calls.
1 reply →
> The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."
Unfortunately physical branches are expensive to maintain, so a lot of banks have been closing them down. There are even plenty of banks with zero physical branches now. All contact is via phone or email, so there is no scam-proof way for them to contact you.
2 replies →
How were they able to use an ATM without having your card?
I recommend not calling back the incoming number even if you think it's real and spoofed, always look it up on the bank's website.
4 replies →
Here's a thing that is enraging, though: when a bank has SMS 2FA (insecure if you're being targeted but better than nothing) and they keep having you enter that into third-party websites. I mean going to a legitimate business, making a purchase with a credit card, and then the bank wants 2FA to validate a purchase instead of a login? Fuck off, I'll use a different card, then.
If it weren't for bullshit FICO calculations I would drop that account entirely.
Banks are pretty good at doing an impression of phishing scams, unfortunately. Almost every red flag for a scammer has also been done by a bank, legitimately.
There was a comment on Hacker News, which alas I can no longer locate, where a guy said he'd been called by his bank and the bank wanted him to answer various security questions. He said he was happy to do so, but firstly needed the bank to verify who they were, or to call the bank back on a telephone number on their website. The bank refused, so he refused to give them any details. The bank then blocked his bank account, meaning he couldn't pay his university tuition on time, meaning his student visa was no longer valid as he was no longer "studying", meaning he had to leave the country.
12 replies →
This.
Also healthcare providers, though they seem to have finally wised up. They would call me from poorly configured phone systems (so unrecognizable caller id) and the first thing they would ask is to confirm full name and date of birth.
Patterns like this do a great deal of damage in desensitizing folks and making them accept dangerous patterns that get exploited by scams.
6 replies →
I have had my telephone company ask me to give them a code sent to my device. It is presumably to prove to the company that the representative is talking to me so that bad actors low in the company cannot start randomly messing with people’s accounts. It is the equivalent of the bad click here. The only real defense is to know the difference between a mechanism meant to authorize someone a the company and a mechanism to authorize you. Confuse the latter for the former like the victim did here and bad things will happen.
2 replies →
Banks maybe, but Google? Google only has "AI" support and that doesn't call us yet. So it's safe to assume that any call from Google is fake.
1 reply →
I called a bank to increase my ATM limit. The agent sent me an SMS code to verify my identity and wanted me to read it back to him. The message said not to give the code to any human. Sigh.
If some bank calls you about compromised accounts, the recommended action should be to hang up, find the official phone number for your bank, wait one minute[1], then call back.
[1] You have to wait or call from a different phone, because the call might not terminate immediately, and the scammer might still be listening on the line.
https://security.stackexchange.com/a/100342
Sometimes there are good reasons for a bank to call you. The infuriating part is that not every bank has a quickly accessible number to call back if you don't trust the caller. Caller ID may be useless, but me calling the official number for my bank is pretty hard to fake (unless my carrier is part of the scam).
My bank has a button inside the app that will confirm that a real bank representative is calling you, or provides a button to call the bank's emergency line if they're not. It's a simple and effective way of preventing scams that I think more banks should implement.
A ss7 attack could make your carrier part of the scam without their knowledge, such that calling back the number will connect you to the scammer and not the bank.
Ideally yes no one would fall for that. But these type of attacks doesn't just rely on solely ignorance. They introduced urgency, the fight or flight situation. Plus the first guy in the article got caught up in bad timing where his mental condition aren't right with his kid crying, his wife yelling etc.
I’ve had my bank call me because of dubious online purchases, asking if it was me. The call was legitimate and my card number had been skimmed.
“In Soundcloud’s instance, part of declaring your innocence is you have to give them your home address and everything else, and it says right on there, ‘this will be provided to the person making the copyright claim.'”
Good job helping the scammers, SoundCloud. WTF
The defining feature of crypto - decentralized, irreversible, no "higher power" you can go to in order to get your money back - turns out to be the thing that burns people ALL the time.
Surprisingly, there's also no "higher power" to get your money back from scams using traditional banking rails as well. I have family members who have lost thousands from bank transfers to legally registered companies that establish legitimacy through having a business bank account. It usually takes forever to shut them down, even after hundreds of thousands of reports from people like me who recognize what they are early on.
Many haven't actually lost money in significant ways through bank transfers, but when it does happen, the disillusionment of institutional security really falls away. Additionally, governments are slow and ineffective, so when these companies do get caught with class action lawsuits, they usually don't have anything to return.
Lots of people still don't quite understand their debit card. No way they're going to learn how private keys work.
Still might some sense as an institutional store of value though I guess.
Maybe but this shit is hard for institutions too. There are so many sharp edges.
Even in a well-respected fintech with responsible, talented people I’ve seen: safe deposit boxes get lost (literally no idea where in the world they actually are), go missing (the bank relocates or closes and disposes of them without notification) or become destroyed (fire, flood). I have seen industrial-grade hardware security modules spontaneously corrupt all the internal keys, happily continuing to produce “encrypted” output which can never be decrypted.
Building crypto offerings at scale that can survive the myriad unknown unknowns of real world and hardware failures that can affect both paper and hardware wallets is a really difficult problem. Not impossible, but the stakes are extreme and getting one thing wrong that leads to the loss of a cold wallet can easily lead to total ruin.
Even if “only” a hot wallet gets popped, the instantaneous and irrevocable loss of those funds needs to be offset by a comparatively large amount of operating profit.
At least with the traditional banking system there are a lot of safeguards in place.
The start of the article and comments thus far focus on the authenticator/Google account scam. I think a separate topic of note is taking a photo of the wallet recovery words [on an internet-connectable device]. This was, IMO, the primary mistake the user made. (And an easy one to make if you don't consider its consequences)
What I want to know is if the attackers knew that the photo was there, and if so, how. Or were they just planning to get into the victim's gmail and exploit whatever they found?
I had read of this attack back in September[1]. It seems very sophisticated because they spoof a phone number that at first glance is associated with Google, but is really just the “uncanny-valley” Google Assistant service that can check wait times or make reservations on your behalf.
Does Google even offer live-person support if you’re not their Workspace customer?
Also, one other difference is that apparently the attackers may have been using Salesforce to send the emails. Maybe they were using a trial or developer edition? I believe those can send out emails too, but they are very limited. So this must be a very targeted kind of attack. The scary part is that the attacker’s emails pass SPF, DKIM, and DMARC. There’s a technical write-up I found about this aspect of the attack.[2]
[1]: https://sammitrovic.com/infosec/gmail-account-takeover-super...
[2]: https://docs.google.com/document/d/1xrJsRBcGj9x2mMvRoKLG4ANS...
> Does Google even offer live-person support if you’re not their Workspace customer?
Not really. That's the giant red flag behind committing to a gmail, outlook, etc. account. If it gets messed up you're at the whim of "on-rail" support and if you need anything more all you can do is shout into social media and hope a stray employee feels bad for you.
Yes they do. If you subscribe to Google One.
https://support.google.com/googleone/
I couldn't find it from the article, but how the scammer got access to the Gmail account? How he triggered that prompt in the victim's phone, and what did it mean?
It feels something is missing here?
Edit: Well, I learnt about Google Prompts today: https://support.google.com/accounts/answer/7026266?hl=en&co=...
Basically someone can request access to your account and if you click Yes, they do access it.
This part from a Reddit thread [1] scared me a bit:
> The notification pops up on my screen over whatever I am doing, and if I'm using my phone, I worry that I might accidentally hit YES (it almost happened today).
1: https://www.reddit.com/r/techsupport/comments/ccd304/someone...
The red-flag he should have spotted was Google "Support".
The idea that Google would spend money to help a non-business user for anything is beyond unlikely.
They don’t even support businesses. We pay for whatever the highest tier of support is.
We have been emailing our TAM (or whatever Google calls them) for weeks (and opening tickets)
They keep giving us the same fucking documentation link.
Literally useless.
Another instance we were using code from their docs and they refused to help saying they don’t look at code ever
3 replies →
I mean, the email says it's from Google Forms. Is that not suspect enough?
Unfortunately, when a person is getting support from a large corporation it's completely routine and normal for the follow-up e-mail to have random extra branding like "zendesk" or "atlassian" or "salesforce"
It's a clever move by the scammers - I can see how people would fall for it.
My favorite bit:
> More importantly, Tony recognized the voice of “Daniel from Google” when it was featured in an interview by Junseth, a podcaster who covers cryptocurrency scams. The same voice that had coaxed Tony out of his considerable cryptocurrency holdings just days earlier also had tried to phish Junseth, who played along for several minutes before revealing he knew it was a scam.
> [...]
> Daniel told Junseth he and his co-conspirators had just scored a $1.2 million theft that was still pending on the bitcoin investment platform SwanBitcoin. In response, Junseth tagged SwanBitcoin in a post about his podcast on Twitter/X, and the CEO of Swan quickly replied that they caught the $1.2 million transaction that morning.
> Apparently, Daniel didn’t appreciate having his voice broadcast to the world (or his $1.2 million bitcoin heist disrupted) because according to Junseth someone submitted a baseless copyright infringement claim about it to Soundcloud, which was hosting the recording.
> The complaint alleged the recording included a copyrighted song, but that wasn’t true: Junseth later posted a raw version of the recording to Telegram, and it clearly had no music in the background. Nevertheless, Soundcloud removed the audio file.
DMCA enabling bad actors to cover their tracks was not on my bingo list.
Are there examples of DMCA being used in a positive manner?
You mean besides literally all the times when people upload raw copyrighted movies and music to YouTube? DMCA is boring and un-newsworthy when it's working properly. (Unless you're the type who thinks copyright is inherently wrong, but it would then be very silly to ask if DMCA was ever "used in a manner".)
Someone once took one of my youtube videos and reuploaded it with a link to malware in the description. I took down the video with a copyright claim.
While this is devastating, the lesson that we should all remember:
Never, ever, no matter the circumstances, store private keys (or seed phrases) on photos. Especially if those photos are synchronized to the cloud.
Hand-write them, store them in a safe and secure PHYSICAL location.
Of course we're humans, we make mistakes, and we usually start with small amounts of money that we can lose where it would be unnecessary to take all these precautions, but we still need to regularly remind ourselves to avoid disasters like this in the self-custody world.
I think a lot of people bought some crypto early on when it was really cheap, were kind of sloppy about the security of things, and then left it alone and ignored everything while it went up by 10,000x in value. Now when their account is worth hundreds of thousands of dollars, their security is pretty inadequate for something with that actual value.
Many people have accounts worth hundreds of thousands of dollars of non crypto assets but are relatively safe with the same level of security (or even less) than what crypto demands of its users.
1 reply →
Honestly, that part of the story seemed completely unbelievable. I mean I get that someone might stare such a photo in the cloud, but hackers are really going to run a scam on him and then sift through photos thinking “maybe?”
I'd assume there's some model for finding those kinds of photos
Ok but you have to balance that with the risk that your PHYSICAL item will be lost, stolen, or destroyed. What happens then?
The problem is that the security protocols required to keep cryptocurrency safe are simply untenable for any mere mortal. But hey, we keep blaming the victims… because they didn’t know the one simple trick to keep their Bitcoin safe!
or store them in some encrypted form that you know how to reverse easily but which would take an attacker more trouble than it was worth to break.
I feel like attacks like this would be much harder if we had never adopted HTML emails. Then it would make more intuitive sense (for the user) for an institution to write:
(1) Go to our website
(2) Login and check your account
Of course, leigitimate emails do that now, but because of the way we've been trained to "click" (such as "click to verify your email"), this conditioning carries over to phishing and other attacks, whereas that would be impossible with plain text. With plain text, the email verification would have to be "paste this code into a box".
Email clients would probably still parse URLs into links. People would click them. Then people would prefer links that didn't look like gobbledygook, so email clients would start supporting extensions like parsing of [markdown-style links](https://gobbledygook.com/ddkf878dfjlsfd). And then we would arrive at HTML.
> Then people would prefer links that didn't look like gobbledygook
Well, I can say with relative confidence that people prefer those links but _marketers_ prefer hxxps://awsmail.me/b64trustmebro/8675309== that leads who fucking knows where
I am maybe missing something obvious here, but isn't it suspicious that these attacks "affecting a small number of google users" happened to "hit" two people with significant cryptocurrency holdings?
Maybe the attackers already knew through some other means that they had large crypto holdings, i.e., spear phishing.
How stressful it must be as an experience to go through.
Having nothing to be robbed from is such an underrated means to live in serenity.
I have a simple defense against this. I use a special email account for financial information that only my email provider, myself and my financial institutions know to exist. Even if I tap yes instead of no by mistake on a prompt like this, my financial accounts are safe unless the attacker breaches my bank to find out the email account I use with them first.
> my financial accounts are safe unless the attacker breaches my bank to find out the email account I use with them first.
It's entirely possible that someone can accomplish this with a phone call to your financial institution's customer help line.
"Oh gosh, I'm sorry, I forgot whether I used my email address or my wife's for this account - can you tell me what's on file?"
I wonder how that would work if they cannot prove my identity first by telling the representative a code sent to my phone number. I would expect the bank to tell the attacker to go into the local branch with identification.
2 replies →
> By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app.
When business guys are involved in a security app. Many of us can easily imagine the "user story" that caused this.
Just look at the probably hundreds or more comments here through the years of people bashing Google for having their authenticator app not sync TOTP secrets to the cloud. For the longest time it was pulling teeth to get the app to surrender the TOTP secrets saved inside.
Google listened.
It seems like the common thread here is that the thefts were of cryptocurrency, rather than real assets in a financial system with safeguards. You can still get robbed of those assets, but it leaves a far stronger paper trail to catch the perpetrators.
The difference is that we haven't spent a century building up police organizations, bureaucracies, processes and international working relationships to track down crypto crime the way we have for "normal" financial crimes.
You would track down this crypto in just about the same way you'd track down a fraudulently ordered wire transfer that was cashed out. Records would be requested, IP's and timestamps recorded, more records would be requested from other parties based on those, and so on and so on. The difference is that it's somebody's job to go after those. It's nobody's job to go after this.
It’s the classic tradeoff of freedom vs. security. It’s the biggest reason I can’t foresee myself storing substantial amounts of cryptocurrency. I just want to hand my hard earned money to a financial institution and not have to think about it too much.
I always tell people to take control of the situation and stay calm. If “Google” or someone contacts you about a problem, simply hang up or ignore the email, look up the company’s info online, and contact the company directly.
Almost all scammers use more or less the same trick, they try to trigger a fear or greed rush with their message/call, so you don't get a chance to question authenticity of what you read or hear.
That is also what many salespersons do to get you to buy what you don't need nor even want, you cannot miss this limited time discount.
Always stop for a moment and be skeptical, caller ID can be spoofed, email addresd can have ä or ē in the domain that you won't notice if you don't look carefully.
So the attacker has known in advance that the secret was stored in google photos? Is it a common way to store passwords, or is some piece missing here?
Likely a common way to store recovery codes. Similar to those bots that scrape github for API keys
That is one really nasty aspect of cryptocurrency. They make theft cryptographically irreversible. And you can watch the thieves spend your money!
Stop using TOTP. Enable Advanced Protection on your Google account and exclusively use security keys.
Problem solved. Total cost: $30 in security keys (Advanced Protection enrollment is free.)
It’s just like Canada Bill Jones said: It’s immoral to let a sucker keep his money.
I hadn't considered that use of Google Forms to send emails from a Google domain. That's a pretty huge security risk, technically it doesn't risk your zgiogle account but the phishing and impersonation risks for Google are huge.
Never Trust a call you didn't initiate.
I wholehearted agree with your mantra. But I need banks and other businesses to learn this. Particularly banks.
My bank has literally called me with what amounts to "ur being haxxor3d", and like … who are you? The representative literally would not tell me who he worked for. I was 210% sure it was a scam, and hung up on him. Turned out, it was legit.¹
Companies need to make sure their own operations don't bear the trappings of fraud.
¹(I don't regret hanging up, though. Calling back to a known, published-by-the-business-itself number is the right thing to do.)
Yeah I got a similar call once from someone, maybe a credit card company, and the first question was "to verify your identity we need the last four digits of your social security number" and I was like wait a minute, you called me. What are the last four digits of YOUR social security number?
How did the scammers know these people were likely to have significant amount of crypto in the first place?
45 BTC (as in the screenshots) is not 500K, it's 4.5M
Losing a fortune with one bad click is not a new thing or all that rare, stock betting is all the same.
Idk I just think the title is pretty lame and generalizes a pretty informative phishing article, in a bad way.
Easy for me to be a smartass in hindsight, but I can't resist:
> Unfortunately for Griffin, years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet.
Um, duh...
> "[...] I put my seed phrase into a phishing site, and that was it.”
>Almost immediately, all of the funds he was planning to save for retirement and for his children’s college fund were drained from his account.
Um, duh. First mistake to put all eggs in a single basket. Second mistake, this basket was a cryptocurrency. Third mistake, pasting the secret key to that _anywhere_.
>ultimately seized control over the account by convincing him to click “yes” to a Google [2FA] prompt on his mobile device
Stopped reading there. What more can we do to protect people from their own stupidity (and I'm not talking about the crypto "investment" part)?
The wallet name was exodus, how fitting :D
> Daniel told Tony his account was being accessed by someone in Frankfurt, Germany, and that he could evict the hacker and recover access to the account by clicking “yes” to the prompt that Google was going to send to his phone.
Come on.
Holding $500k in hot wallet, this man is braindead...
Are these spammers just lucky or is there something that lets them sniff blood in the water and specifically target people holding large amounts of crypto?
It wasn't a hot wallet, he had taken a photo of his seed and then left it in Google photos.
So your conclusion is sound but your premise is invalid.
[dead]
[dead]
[dead]
[flagged]
It's not really a matter of intelligence, and nobody's smart 100% of the time.
Let's take the average person on this forum, who's probably pretty tech savvy. Their odds of falling for a scam on a given day might be 1 in a billion. But when they're exhausted after work, they might be 10X likelier to fall for a scam. Another 10X when they're stressed out about family life, or going through a breakup. Another 10X when they're out drinking with their friends. And so on.
Eventually, whether it's due to age or other factors, everyone gets to be in situations where they're susceptible to scams. And scammers are experts at emotional manipulation, exploiting fear and embarrassment.
100% - yes - if you follow simple rules
[dead]