I got a call from a very professional sounding woman assuring me she was with Google and they had discovered some potentially fraudulent activity with my Google account in Frankfurt. They said they had locked down my account to protect it but they would walk me through recovering it.
I knew this was impossible, because the Google account in question doesn't have passwords. It has a couple of passkeys which are all physical hardware tokens in my home. But I wanted to see how pushy they would get.
Turned into a half hour phone call with me playing dumb (was watching my kid's sports practice, nothing to do for a half hour but cheer him on). Eventually when I was done with it I let them know I was in the process of filing the report with the federal cybercrime department. Immediately hung up from that.
There’s an easier tell. It’s impossible because you can’t get Google to help you at all about any account issues, never mind them being as proactive as to call you.
In other words if Google call you, it’s not Google.
It’s slightly depressing that there are probably more fake Google support staff than real ones.
Then those numbers should simply play a message that this is the only official phone number, and no human will ever call from or answer this number, and the company does not offer customer support or appeals to account problems.
They also need to make searching for fraud phone numbers return anti-fraud messaging rather than what it currently does. Seems like the entire 844-906 exchange is fraudulent [1].
I had a family member that just got scammed because they panicked after their Facebook account got banned, basically exactly like [2].
[1] https://www.google.com/search?q=844-906
[2] https://www.npr.org/sections/alltechconsidered/2017/01/31/51...
If you or any person figured out how to do such a thing you’d be the next trillion $ company.
At least in the US Attorneys General are being forced to do this work for them. It's essentially the only way to get a hacked Facebook/Instagram account recovered.
https://www.engadget.com/41-state-attorneys-general-tell-met...
They are making 10+$/month per user for a few hundred million, and have a large profit margin that easily pays for basic tech support.
It's not where they _would_ rank ... it's where they currently _do_ rank.
In my test, the AI Overview produced accurate information ("Google does not offer phone support for account recovery") but none of the other hits on the first page say anything like "Phone support calls are always fraud. Google will not call you."
At that point I'd set up an LLM agent to reply for me. Big Tech are no longer the only ones who can pretend to be a human.
Years ago, my brother used to work for XBox Live Tech Support, and he said that easily over half the calls he got were for things that customers could easily self-service, like a password reset. Many tech issues were fixed by the most basic troubleshooting step: Power cycling.
Meanwhile, my uncle works XFinity tech support, and he'll frequently get calls when a website has an outage, not to mention how many non-technical people think any internet-related issue, such as a forgotten Google password, means calling your ISP.
This doesn't even begin to talk about bad actors calling tech support to try to break into someone else's account. Google accounts are high-value targets. Once you've gotten in, there's a really good chance you could easily pivot to all of that person's other accounts.
To handle the call volume that a service like Google would have, if they offered phone tech support, the amount of staff they would need would be in the hundreds of thousands, and so many of the calls they take would be wastes of time. There are a lot of non-technical people that have no idea how things work and basically think that Google IS the Internet.
I talked to a human Apple support person once and we had quite a long chat but ultimately his conclusion was basically "I can't know anything you don't already know and there's no way to resolve the problem."
Why not charge for support?
You bet your ass I would pay a support fee if my Gmail account was having issues.
They do. And when you actually pay for support, they answer the phone. At least in my experiences.
The only times they've left me high and dry is when I didn't have any actual paid support contract or subscription for whatever the question was about.
They have a Gmail support contract. You signing up?
$19.95 per incident to talk to someone who could ACTUALLY resolve an issue would be totally worth it, especially for people who suddenly find themselves locked out for no known reason. A fee would also filter out most of the silly calls, and if not, and they can resolve a password reset in 2 minutes, it is way worth it for both the caller and Google.
I clicked support and was able to get a call right away. But I pay $20/year for Google One.
The support is excellent. I can get a human on a live chat and request a screenshare and phone call session with a few clicks in under 10 minutes.
But of course that’s only available to me because I pay for the business version of Google albeit for personal use.
Also, you don’t pay for Google. It’s a free search engine and a free email service. You get tech support if you pay for the enterprise workspace features.
I've never thought of it that way but you're right! Dealing with support at most tech companies is a horrible experience and is usually something I research before using a product where a failure in service provision could lead to catastrophic results.
The greatest mystery of my life is what is a "Google Product Expert" on their community forums whom I assume:
1. isn't an employee speaking as the company.
2. is someone given the title by the company.
3. spends a lot of time answering questions despite not being paid for it.
4. can contact Google employees somehow.
The only perks for this that Google lists are that you can join a secret club of Google Product Experts. It feels like gig economy applied to customer support.
so frustrating
https://support.apple.com/contact
They will even remote into your device and walk you through how to do something.
Paying Google apps / GSuite users can call a number and it's real humans answering (and they're very helpful).
But indeed I don't think they proactively call you.
So it's very possible to phone Google support, just don't believe anyone who calls you.
That's usually the tell, right there.
Legit support operations tend to sound unprofessional as hell. Heavy accents, scratchy lines, scripts referencing the wrong OS, etc.
Plus, most of the weird "customer support" scams I've gotten in the past are people with thick accents on a garbage connection.
Sounds like although they might not be 100% scammer, you can be assured it's marketing and not customer support.
However, these scammers tend to come across as the platonic ideal of a perfect support rep.
My wife almost got taken by one, several years ago.
The number of times I've had someone ask "how do you know this stuff" when it's something I learned in 7th grade or similar is astounding.
- never answer unknown number calls
- never answer unknown number texts
- never open any emails from anyone you don’t know, or do anything that email tells you to do if curiosity gets the best of ya and you open it.
ALL communication with any “business” or “government” (state/local/federal) is in one direction, YOU contact THEM. That’s it, can’t be any simpler
Might be, because I was travelling a lot, but I got lots of unknown numbers calling me that turned out to be friends with a new number. Now, I surely could have locked myself up in a cage; then there would be no risk, but also no reward.
Calling an unknown number back - no. But taking a call and saying hello never cost me anything. I also don't just send money away or install weird things on my computer because someone on the phone says so, so what is the danger?
They want to record your voice, saying "yes."
I always say "I can hear you." I never say "yes," or anything like that, during the short time I'm on the line with them.
However, that is probably not valid, anymore, because they just need to record a fairly short segment of your voice, to generate a deepfake.
And as for deepfakes, I assume they become good and widespread enough soon that no telephone contracts become enforceable.
Taking a call from an unknown number: never, under any circumstance. People calling you do this for a living; you pick up and your odds are stacked against you. Maybe not yours or mine, but my Father’s for sure :)
* Don't respond to any unsolicited communications. Period.
* If some business you have a pre-existing relationship with reaches out to you unsolicited and you suspect it might be real, still don't respond. Go reach out to them via their posted customer support channel.
I have complicated feelings about phishing training because while it's good they're teaching you about common manipulation tactics and scams, trying to suss out from vibes the legitness of an email is the wrong approach. Just don't do anything.
You'd think they'd have equipment newer than the 1960's.
I do have paid services on other Google accounts and have dealt with their support before, but the account they were trying to break into was an ancient one I made as a teenager and don't use for much of anything anymore. If Google Support were to call me about anything (unfathomably unlikely, and never about a security issue like this), it wouldn't be from a free account that has never given Google a dime.
I have received calls from Google associates before. Almost always some account manager looking to find yet another product to sell me. Never proactively to any kind of account issue.
Urgently!
(I run my own mail server and I am the admin)
Doesn't really transfer to cyber crime, but it's definitely one of the more "criminal" places in Germany. Still super tame compared to actual slums etc though
Google Prompt is supposed to be a safety feature. The account recovery process lets a hostile actor turn Google Prompt into a loaded gun, and Google puts it directly into the victim's hand, aimed straight at their own head.
There's absolutely no way to shut off Google Prompt that doesn't involve removing every Google app from your mobile devices.
Microsoft’s authentication has protection against this, requiring you to manually enter a 2-digit number in your phone, matching what you see on your other device. Very simple; there is no excuse for Google to not have similar.
Even as a fairly tech enabled GenX, I have forgotten passwords and had to reset them (usually accounts I haven’t used in a while), had files corrupted without a good backup, lost a Yubikey somewhere in the house (I think at least).
From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.
Versus keeping my money in SIPC and FDIC protected accounts.
I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted with so much logistics risk, and appreciation… well who knows about that.
2) Split cumulative funds into two wallets, a "hot" wallet and a "cold" wallet. Keep the funds in the "hot" wallet to no more than an amount whose total unintentional loss is tolerable. Keep the private key to the "cold" wallet off any internet-connected device except for the minimum duration required to transfer funds to the hot wallet.
3) Print the recovery phrase for the cold wallet and store it in a physically secure location.
4) If an ideally secure physical location is not possible, split risk across multiple "cold" wallets.
The problem with crypto is that every problem requires additional layers of complication which each have their own failure modes which then need to be further addressed. And the complication itself adds yet more ways to breed failure.
This is the fundamental challenge with a system where any mistake or error results in the instantaneous and irrevocable loss of unbounded funds.
What are the other desirable features of BTC?
It's not anonymous, but pseudonymous. It's a public ledger, for everyone to copy and analyze. It's a public ledger that's mathematically proven to not have mistakes in it.
Exchanges are highly regulated. KYC is ridiculously tight.
Sure, Bitcoin allows one to flee/fly to some criminals' paradise with their entire wealth stored in their brain (or on a napkin). And as long as they keep the money in crypto or black, it's unstoppable, really.
But it's a terrible medium to turn black money into white money. One of the worst of all options, really. And that's what laundering is.
Now, it's used for laundering. But that's more because it's a great and easy store of value in itself. Not because a public, traceable ledger without any anonymity other than pseudonymity is a great system for laundering, because it's the exact opposite of that.
And certainly, if you mix in monero, defi, otc-trades and (there they are) "corrupt bankers", crypto as a whole can turn black money into white, circumvent blockades, fund terrorism and whatnot. But hardly easier or simpler than paper money, gold, and corrupt bankers already can.
Isn't that what NFTs are for?
Create a stupid image, sell it on Open Sea as an NFT, bam, you've cleaned the money. Just claim it on your taxes similar to selling art and you're in the clear.
If you want to transfer money in a way that's unblockable, unseizable, and pseudonymous, Bitcoin is a good system.
If you want to then convert that into dollars, it's not.
Ransomware is paid in Bitcoin despite it being terrible to launder.
What people want is the value it represents in a way they can manage that value.
I don't want fictional numbers in some asset fund that say I own zero point not not not 1 percent of some company in stocks either. Or even numbers that say I have money on an account. I don't want gold in my sock-drawer, either. It's the value this represents (and the trust that this value will give me real stuff that I actually need, like a pizza, in future).
Bitcoin, to many, over the years, has acquired this too. There's real and obvious proof that people trust that Bitcoin has value. Not all people. But enough.
https://www.cnn.com/2024/10/10/investing/td-bank-settlement-...
https://www.icij.org/investigations/fincen-files/global-bank...
https://www.investopedia.com/stock-analysis/2013/investing-n...
https://www.coinbase.com/blog/fact-check-crypto-is-increasin...
Even from SWIFT: "Identified cases of laundering through cryptocurrencies remain relatively small compared to the volumes of cash laundered through traditional methods" https://www.swift.com/sites/default/files/files/swift_bae_re...
What you're saying is simply unsubstantiated.
But cash isn't pseudonymous, it's actually anonymous. It's even (practically) untraceable. Cash is also unstoppable and permissionless. So it's far more a criminal's dream. Cash, however, isn't easy to transfer, especially larger values. It gets harder even if that transfer is international. Bitcoin solves that.
Bitcoin's upside of being very easy to transfer sometimes outweighs its downside of being hard to launder, being traceable. But let's stop the myth that it's so much better than all existing systems to move criminal assets around, because it's not. It's complementary, not a holy grail. It really has a lot of weaknesses, especially to criminals' needs.
Cash comes with serial numbers, and occasionally gets traced. It’s about as effective as tracing pseudonyms, most of the time.
Companies that use it as hedge, or diversification, just need to "hold" it. Investors (not traders, there's a big difference) also commonly just "hodl" it. Also no need to exchange it. And several more such use-cases.
Sure, after a while, they might want to exchange it for something they "need". Like housing, healthcare, food, materials, etc. But often that's a one-time thing after years of not exchanging. And we still don't know how the future may look. Some believe Bitcoin is what we'll be paying with in a few decades (I don't, not really). I'm pretty sure I can buy almost any house for a few bitcoin, especially if that's "overpriced" in dollar terms, today already.
In both of these cases the only value to "holding" it comes from the possibility of being able to exchange it if needed. While you might go a very long time without interacting with a centralized exchange, the Bitcoin is worthless for these use cases if there's no acceptable path to trading it for something else.
Not sufficient. You'd also need someone you trust 100% to have another seed protected as if it was the gold of Fort Knox. And then you'd only use "multisig" to sign transfers.
And that other person needs to live on another continent.
And you both need a backup plan in case you die if you plan to leave these 0.1 Bitcoin to your heirs.
This makes the $5 wrench attack impossible to succeed. As to whether the attacker is willing to add gratuitous (because it's impossible it'd succeed) torture/killing to its list of crime is something else though.
> I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted...
I think mid-term to long-term people simply buy a Bitcoin ETF or stocks from a company holding shitloads of Bitcoins like MicroStrategy. Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland).
Keeping your own Bitcoins is not unlike keeping physical gold coins. It's doable but risky. Multisig really helps a lot but buying a Bitcoin ETF is simply easier. Open bank or broker website, click click. Done.
I'm not saying Satoshi's dream or the Bitcoin maximalists' dream is good old Wall Street manipulating Bitcoin's price using paper Bitcoin (silver ETFs were in big trouble in 2021) but what I'm saying is I think that's how it's going to end.
But what's the inherent value of BTC if it doesn't do the things it claims? What value does Michael Saylor owning a bunch of bitcoin, of which I have a pretend share, even have?
This is the paradox of Bitcoin. It's a really cool technology that's really hard for normies to use.
But crypto has similar IT and physical security costs at a minimum, though physical storage will be cheaper. Auditing maybe similar costs; I’m not quite sure how you confirm ownership of an address or pile of BTC without transactions?
The big risk is that these big holding companies of bitcoin become targets of state-scale cybercrime hacking armies. Can you imagine an adversary deploying constant attack on every facet of your IT infrastructure, from accessing the private keys presumably stored in hot wallets to support active trading, to the interface where they may try to interfere with client functions to all sorts of ends from theft to market manipulation.
I'd suggest that holding precious metals without actually having physical metal under your exclusive control is essentially as flawed as holding crypto without exclusively holding the private key.
That combined with the extreme volatility of value that is not only endemic to any coin with meaningful usage, but is generally a goal of most coins, makes it only really useful as a speculative vehicle, and those same properties also make it uniquely bad in terms of a store of value to be used in commerce unless the seller also plans to speculate on the value.
And, even if you're good with all of that: Yes, the tech itself is decentralized, but if you don't have at least some background in basic software development or scripting, you're almost certainly going to end up using some product or another to manage your wallets and transactions, and while the wallet is anonymous, the accounts you connect the wallet to are often quite the opposite, and because of the structure of the chains, your entire transaction history is visible to everyone on the network, at all times. So it's private by default, but basically any casual user is immediately and forever doxxable.
I don't know who the oligarchs you're talking about are. Buterin? Bankman Fried? In either case, their position is quite different from that of a banking titan.
This sounded absolutely crazy to me so I went to open Authenticator on my phone and lo and behold it offered me the option of linking to my account and "backing up my codes in the cloud" to which I declined.
But I had never seen this behavior before, so is this new? It did not seem to be enabled by default in my case.
My home in Texas had an IP address which a lot of databases had as supposedly being in Montreal. It was like that for years. Gotta love so many sites trying to default to French.
As a person who had to deal with other associates, I also found whitelisting only US address space led to a number of people being unable to connect from their homes.
As a person who had this happen to them, I had quite a lot of frustrations with services insisting they couldn't provide me service because Texas is in Canada apparently.
I'm actually working to get rid of any public IPs that aren't a VPN access point.
If it's not actually reaching you to log in and what not, how do you know it's legit or not?
How do you know it's US traffic or not in the end?
I'm not saying it's not something anyone can reasonably do, but I've both been the gatekeeper required to implement/support such a policy and been someone burned by it. It shouldn't be assumed the block lists are actually that good.
But then if you DO have it, you have to deal with the situation in this story, where if you can compromise their one key account, you get all of their TOTP codes too.
Next day the phone broke, and I lost that account forever. I had not written the backup codes down anywhere.
Really what I would like is a root of trust which maybe is a cipher text which I can store in several physical locations, and then my security keys are derived from that root of trust. Then when I set up 2fa with a service it is using the root of trust and seeing that my security keys are derived from that root of trust. This allows me to register the root of trust only once and then I can use any key derived from it.
IIRC on my platform, when they added the feature they turned it on by default, as an auto-installed update.
And if you're logged into the gmail app on the same device that also logs you into authenticator.
You didn't do anything wrong.
To answer my own question: tap the profile pic (top right on Android) and choose the Use Without an Account option. Removes codes from cloud storage and any _other_ devices. Mentioned in TFA.
Not true. See https://news.ycombinator.com/item?id=42471459
I don't particularly like that my codes were apparently synced to Google's cloud without my being aware, or the UX that prevented me from noticing. But I'm pretty confident that, having disabled the cloud sync, Google no longer has my codes.
(And in fact I verified this by installing the authenticator on a tablet before turning off sync on my phone. The codes vanished from the tablet.)
In principle, yes I should rotate all the secrets. Because google may have borked their data retention, or is just outright lying and keeping my secrets. In practice, though, for my personal account, I'm content that nothing has been compromised.
Based on just your intuition. Since you don't have access to the backend specs or code, assuming this isn't a responsible security practice. It is a shortcut you can choose to take personally but should never take with any professional credentials.
I'm going to point out that you responded "Not true." instead of adding a caveat about how you personally choose to ignore security best practices for personal accounts.
I could have been clearer, but that was in response to the assertion of "you can't revert".
Recommended alternative: 2FAS (https://play.google.com/store/apps/details?id=com.twofasapp) which allows you to import the secrets from Google Authenticator via QR codes, and has a local backup feature (e.g. to a USB drive).
Since then, I always use at least two 2FA apps at the same time.
This has all the "looks nice", but I have no reason to trust this recommendation over any other social engineering.
You didn't have to do anything, either, the update just instantly corrupted some 2FAs. How can an app not do a TOTP? It's literally just math.
I had to recover a few MFAs from backup codes due to that.
Their personal accounts will be affected in the same way (lost phone, new phone etc).
Big brains at google didn't understand the number '2' in 2FA
I know, 2FA loses the entire point when it's synchronized. But, well. People lose their stuff all the time!
This could be made easy for users by having each device share a public key with the third party (Google, in this case), then the authenticator app on one device could encrypt secrets for the other devices.
This would be vulnerable to Google lying about what a device’s public key is, of course, but enduring malice is less likely (and potentially more detectable) than one-time misbehaviour.
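The scheme sketched in this comment, each device publishing a public key through the third party and the sending device encrypting the seed to the receiving device's key, together with the caveat that the relay could lie about a key, as an added Go example that is not code from this thread or from Google. It assumes X25519 key agreement with AES-256-GCM, a SHA-256 hash standing in for a proper key-derivation function, an in-memory Relay type standing in for the third party's key directory, and a constructed sample seed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device is one authenticator install with a long-term X25519 key pair.
// Only the public half is uploaded; the private half never leaves the device.
type Device struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewDevice(name string) *Device {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return &Device{Name: name, priv: priv}
}

func (d *Device) PublicKey() []byte { return d.priv.PublicKey().Bytes() }

// Fingerprint is what both screens would show for an out-of-band comparison.
func Fingerprint(pub []byte) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Relay models the third party: it stores public keys and may answer a lookup honestly
// or with a key it controls. (Constructed stand-in, not any real service's API.)
type Relay struct{ keys map[string][]byte }

func NewRelay() *Relay                             { return &Relay{keys: map[string][]byte{}} }
func (r *Relay) Register(name string, pub []byte) { r.keys[name] = pub }
func (r *Relay) Lookup(name string) []byte        { return r.keys[name] }

// aead derives AES-256-GCM from the X25519 shared secret.
// Simplification: SHA-256 over a label and the shared secret instead of HKDF.
func (d *Device) aead(peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := d.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("totp-seed-sync-v1"), shared...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a seed so only the holder of the private key behind peerPub can read it.
// The sender's name is bound as associated data so the relay cannot relabel the sender.
func (d *Device) Seal(peerPub, seed []byte) ([]byte, error) {
	gcm, err := d.aead(peerPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, seed, []byte(d.Name)), nil
}

// Open is the receiving side of Seal; it fails if the key or the sender label is wrong.
func (d *Device) Open(senderName string, senderPub, ciphertext []byte) ([]byte, error) {
	gcm, err := d.aead(senderPub)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], []byte(senderName))
}

var ErrKeyMismatch = errors.New("relay returned a key that does not match the peer's fingerprint")

// Sync ships a seed from one device to another through the relay. With a non-empty
// expectedFP the sender refuses to encrypt unless the key the relay handed back matches,
// which turns a key-substituting relay into a visible failure instead of a silent read.
func Sync(relay *Relay, from, to *Device, seed []byte, expectedFP string) ([]byte, error) {
	toPub := relay.Lookup(to.Name)
	if expectedFP != "" && Fingerprint(toPub) != expectedFP {
		return nil, ErrKeyMismatch
	}
	ct, err := from.Seal(toPub, seed)
	if err != nil {
		return nil, err
	}
	return to.Open(from.Name, relay.Lookup(from.Name), ct)
}

func main() {
	seed := []byte("JBSWY3DPEHPK3PXP") // constructed sample seed
	phone, tablet := NewDevice("phone"), NewDevice("tablet")

	honest := NewRelay()
	honest.Register(phone.Name, phone.PublicKey())
	honest.Register(tablet.Name, tablet.PublicKey())
	got, err := Sync(honest, phone, tablet, seed, "")
	fmt.Println("honest relay, tablet recovered:", string(got), err)

	// A relay that lies about the tablet's key and serves one it controls instead.
	impostor := NewDevice("relay-operator")
	lying := NewRelay()
	lying.Register(phone.Name, phone.PublicKey())
	lying.Register(tablet.Name, impostor.PublicKey())
	_, err = Sync(lying, phone, tablet, seed, "")
	fmt.Println("lying relay, no fingerprint check, tablet can open:", err == nil)
	_, err = Sync(lying, phone, tablet, seed, Fingerprint(tablet.PublicKey()))
	fmt.Println("lying relay, with fingerprint check:", err)
}
```

With an honest relay the seed round-trips and the relay only ever sees ciphertext. With a lying relay the phone unknowingly encrypts to the relay's own key, so the relay can read the seed and the real tablet cannot; comparing the key fingerprint on both screens before sending is the one-time check that makes that substitution detectable, which is the "more detectable" property the comment is after.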
Sadly the problem Google is actually trying to solve is providing security for the dumbest people you've ever met. Dumbasses are entitled to security too!
I'm talking people who've lost access to their e-mail, and their phone number, and their 2FA all at once. Then they've also forgotten their password.
No password manager, no backup phone, no yubikeys, no printed codes, no recovery contacts, nothing.
And the fact that one of those doesn't lead to the other passes way over their heads.
The only time I'd consider transferring a secret like this is secure is within an HSM cluster. But these are exceptionally hardened devices, operating in very secure environments, managed by professionals.
Your TOTP seed on the other hand is stored on any of the thousands of types of phones, most of which can be (and are) outdated and about as secure as a sieve. These devices also have no standard protocol to transfer. Allowing the extraction via cable is still allowing the extraction, the cable "helps" with the transfer. Once you have the option to extract, as I said, you add some extra steps to an attack. Many if not most attacks would maybe be thwarted but a motivated attacker (and a potential payoff in the millions is a hell of a motivator) will find ways to exfiltrate the copy of the keys from the device even without a cable.
This is plain security vs. convenience. The backup to cloud exists because people lose/destroy the phones and with that their access to everything. The contactless transfer exists because there's no interoperability between phones, they used different connectors, etc. No access to the phone is a more pressing risk than phishing for most people, hence the convenience over security.
Sure, when I make a new account I can easily enroll the token hanging on my keychain, but what about the backup token lying in my safe? Why can't I easily enroll that one as well? It's inconvenient enough that I don't think I could really recommend it to the average user...
When I make an account, if I have at least two authenticators around me, I'll set up the hardware authenticators or make sure it's got a decent recovery set up. As time goes on I'll add the rest of them when it's convenient. If I don't have at least two at account creation or I don't trust their recovery workflow, I guess I'll just wait to add them. No big deal.
If I'm out and I make an account with $service but I only have my phone, I'll probably wait to add any authenticators. When I'm with my keys, I'll add my phone and my keyring authenticator to it. When I sit down at my desktop sometime in the next few days and I use $service I'll add my desktop and the token in my desk drawer to it. Next time I sit down with my laptop and use $service, I'll add that device too. Now I've got a ton of hardware authenticators to the account in question.
It's not like I want to make an account to $service, gotta run home and have all my devices around so I can set this up only this one time!
If you do, you're in a tiny minority of users. Well, even if you have one you're in a tiny minority, but having two laying around is extremely unusual.
Do most people with hardware authenticators not also have laptops, desktops, or phones? They just have an authenticator, no other computers?
This person I replied to already has two hardware tokens. They probably also have a phone that can be used with passkeys, they probably also have a laptop which can be used with passkeys, they might also have a tablet or desktop which can be used with passkeys. That person probably has 3-6 authenticators, and is probably with two of them often if they carry keys regularly.
Their point is to ensure the private keys cannot be extracted, not even by the owner. So when you need to sign that firmware update, or log into a system, or decrypt something, you don't use a certificate (private key) file lying around that someone can just copy, you have the HSM safely handling that for you without the key ever leaving the HSM.
You can already guess the point of a cluster now. With only one HSM there's a real risk that a maintenance activity, malfunction, accident, or malicious act will lead to temporary unavailability or permanently losing all the keys. So you have many more HSMs duplicating the functionality and keys. So by design there must be a way to extract a copy and sync it to the other HSMs in the cluster. But again, these are exceptionally hardened HW and SW so this is incomparably more secure than any other transfer mechanism you'd run into day to day.
Trying to log in with my username and password did not work. Moments later I get a phone call, the caller id says that it is Coinbase. Guy on the phone with a thick German accent tells me he's calling about my account and gives me the case number from the email. I know damn well never to trust a phone call you did not initiate, so I'm kind of just stringing the dude along on the phone.
I remember that I had set up a passkey, and try it. I get in with that and immediately run to the emergency "lock my account" button. I tell the guy on the phone that I have clicked it and after a bit of "uhmmm..."-ing and "hmmm..."-ing he just hangs up.
I call Coinbase support and they verify some recent transactions and ask me to forward them the email, and that's that. I still have no idea what the actual attack was or how they changed or invalidated my password. Best I can tell they did not manage to actually get in to my account.
I ended up changing my password to just about everything out of caution.
> how they changed or invalidated my password.
Probably just too many invalid login attempts.
It is very easy to destroy lives with it as we can see in this case, and making it harder to do so will work against the very nature of this tech. This is a tough nut to crack, but I think the space will remain filled with predators constantly baiting prey into the system with the promise of a big reward.
Every consumer ever has at one point or another wanted or needed to reverse a transaction. Chargebacks are a FEATURE of credit cards.
And it isn't just businesses who carry this risk. If a business was depending on a large inflow to make payroll, and that inflow gets reversed, the people who are expecting payment for their labor also are subject to a payment reversal.
There's definitely a lot of benefits to reversibility, but it has very real costs and tradeoffs.
That's how I feel about crypto.
To have this safety, money and finances have to be centralized, regulated, and governed, all of which crypto doesn't have and doesn't want.
And if they don't, the courts can force them to do it and give you some extra money for the trouble.
The video linked in the article by Junseth also goes over some of this.
Cryptocurrencies are like speedrunning the discovery of why finance is regulated, though, that is certainly true.
Any notification asking you to confirm your identity that is not initiated by your actions should be immediately dismissed with a "no" and that should be all there is to such things, no?
I got a call from "Bank of America," and they smoothly talked me into giving them my debit card PIN. The trick was they had gotten into my online banking beforehand. "We've detected possibly fraudulent activity on your account." Then they read me real transactions from my actual account. "To be safe, let's lock down the account. For this we need more information for authentication, though." Probably started from a phishing thing that I fell for online without noticing. It was pretty clever of them. Not so easy to steal from a checking account without leaving a trail, unless you have the PIN. Then the main risk is to whomever was on camera at the ATM withdrawing as much cash as possible before the account was automatically locked down.
The next day, I got a call from "Bank of America" telling me that I'd been had. Fortunately they just credited the money back into my account. About $5000.
The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."
The article's advice is correct. If someone asks you for info, tell them you'll call them back. It is almost certainly a scam. Calling back the possibly spoofed number at worst wastes a little time being on hold, and at best saves you or the bank a lot of money.
Don't call back the number possibly being spoofed (i.e. using your Caller ID as the source of the callback number). Call an independently-listed number for the company, such as the phone number on the back of a credit or debit card. Using an independent number prevents any failures where the Caller ID correctly reports an attacker-controlled but plausible-sounding number.
For extra paranoia and safety, perform the callback from a separate phone line. That would avoid at least some of the more-targeted attacks involving a compromise of the victim's phone connection, which could potentially allow the attacker to redirect outgoing calls.
Unfortunately physical branches are expensive to maintain, so a lot of banks have been closing them down. There are even plenty of banks with zero physical branches now. All contact is via phone or email, so there is no scam-proof way for them to contact you.
That way, any phone call or email to me can be immediately ended with me saying "Thanks, I'll call the number on the back of my card," and hanging up.
Most banks seem to have some kind of internal message center within the application that is just for bank to client communications. That's the place to authoritatively tell me something needs to happen and what potential next steps would be.
I recommend not calling back the incoming number even if you think it's real and spoofed, always look it up on the bank's website.
I don't think all ATMs require chipped cards yet, and it's still common to have a debit card issued with a magstripe. If the GP used their debit card to pay for things it could have easily been duped. My bank issued me a new card for an account a few years ago; it still has a magstripe and I assume can still be used at magstripe-only ATMs.
If it was even a few years ago, a lot of ATMs would have still worked with just a stripe. It's a bit more difficult to find these days, but old ATMs still running OS/2 Warp are still around and kicking.
It's frustrating so many banks and whatnot are still issuing cards with magstripes. These days I wipe the cards I use most with a magnet to try and mess up the magstripe. I don't want to ever use it. Generally speaking, if they can't take chipped cards, tap to pay, or cash I'm not doing business with them.
Far easier to track/reverse a debit transaction done as a credit card network than debit requiring PIN.
If it weren't for bullshit FICO calculations I would drop that account entirely.
My bank (in the EU) wrote to me a while back (post, no copy to email, no sms, no phone call, etc.) saying if I didn't provide info on certain recent transactions (my salary) they'd block my account in two weeks. Thankfully I wasn't on vacation and saw the letter and answered and it was all OK.
How is a bank not validating one phone call grounds for freezing funds?
But the mentions of "his student visa was no longer valid [...] meaning he had to leave the country" make me think walking to a local bank branch might not have been an easy option in the post adrianmsmith recalls.
They probably know this and don't care because it won't happen this quarter or likely even this fiscal year, so it doesn't matter to anyone in charge. But it does matter to ordinary people trying to conduct their lives without being irreversibly de-personed by a flaky customer service bot.
Also healthcare providers, though they seem to have finally wised up. They would call me from poorly configured phone systems (so unrecognizable caller id) and the first thing they would ask is to confirm full name and date of birth.
Patterns like this do a great deal of damage in desensitizing folks and making them accept dangerous patterns that get exploited by scams.
So asking people to take the step to confirm the call is legitimate won’t work- they can’t tell until they’ve already terminated the call. It’s useless for purpose imo.
I imagine it is doing something with STIR/SHAKEN along with how many other times similar calls have been flagged as spam calls.
I have reported at least a thousand different scam calls over the past two years and so my blocked number list is so large it freezes the phone for a minute or so while it loads. Still the scammers persist…
[1] You have to wait or call from a different phone, because the call might not terminate immediately, and the scammer might still be listening on the line.
My bank has a button inside the app that will confirm that a real bank representative is calling you, or provides a button to call the bank's emergency line if they're not. It's a simple and effective way of preventing scams that I think more banks should implement.
Many haven't actually lost money in significant ways through bank transfers, but when it does happen, the disillusionment of institutional security really falls away. Additionally, governments are slow and ineffective, so when these companies do get caught with class action lawsuits, they usually don't have anything to return.
Still might make some sense as an institutional store of value though, I guess.
Even in a well-respected fintech with responsible, talented people I’ve seen: safe deposit boxes get lost (literally no idea where in the world they actually are), go missing (the bank relocates or closes and disposes of them without notification) or become destroyed (fire, flood). I have seen industrial-grade hardware security modules spontaneously corrupt all the internal keys, happily continuing to produce “encrypted” output which can never be decrypted.
Building crypto offerings at scale that can survive the myriad unknown unknowns of real world and hardware failures that can affect both paper and hardware wallets is a really difficult problem. Not impossible, but the stakes are extreme and getting one thing wrong that leads to the loss of a cold wallet can easily lead to total ruin.
Even if “only” a hot wallet gets popped, the instantaneous and irrevocable loss of those funds needs to be offset by a comparatively large amount of operating profit.
At least with the traditional banking system there are a lot of safeguards in place.
It feels like something is missing here?
Edit: Well, I learnt about Google Prompts today: https://support.google.com/accounts/answer/7026266?hl=en&co=...
Basically someone can request access to your account and if you click Yes, they do access it.
This part from a Reddit thread [1] scared me a bit:
> The notification pops up on my screen over whatever I am doing, and if I'm using my phone, I worry that I might accidentally hit YES (it almost happened today).
1: https://www.reddit.com/r/techsupport/comments/ccd304/someone...
Does Google even offer live-person support if you’re not their Workspace customer?
Also, one other difference is that apparently the attackers may have been using Salesforce to send the emails. Maybe they were using a trial or developer edition? I believe those can send out emails too, but they are very limited. So this must be a very targeted kind of attack. The scary part is that the attacker’s emails pass SPF, DKIM, and DMARC. There’s a technical write-up I found about this aspect of the attack.[2]
[1]: https://sammitrovic.com/infosec/gmail-account-takeover-super...
[2]: https://docs.google.com/document/d/1xrJsRBcGj9x2mMvRoKLG4ANS...
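On the "passes SPF, DKIM, and DMARC" point above: a pass only tells you which domain's infrastructure the message came through, not whether the content is honest. The script below is an added example (not from the thread or the linked write-up): it parses an RFC 8601 Authentication-Results header, pulls out the domains each check actually vouched for, and classifies the result against the From: domain. The headers, host names and domains in it are constructed placeholders, and the organisational-domain reduction is a deliberate simplification (real DMARC uses the public suffix list).

```python
import re

# Constructed sample headers in RFC 8601 syntax; every domain here is a placeholder.
ALIGNED_PASS = (
    "mx.example.net; dkim=pass header.i=@bigcorp.example header.s=s1 header.b=AbC123;"
    " spf=pass (mx.example.net: domain of bounces@mail.bigcorp.example designates"
    " 203.0.113.5 as permitted sender) smtp.mailfrom=bounces@mail.bigcorp.example;"
    " dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=bigcorp.example"
)
THIRD_PARTY_PASS = (
    "mx.example.net; dkim=pass header.i=@notify.esp.example header.s=k1 header.b=XyZ;"
    " spf=pass smtp.mailfrom=bounce-1234@esp.example;"
    " dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=bigcorp.example"
)


def parse_auth_results(header: str) -> dict:
    """Split an Authentication-Results value into per-method verdicts and properties."""
    authserv, _, rest = header.partition(";")
    results = {"authserv": authserv.strip()}
    for clause in rest.split(";"):
        clause = clause.strip()
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause)
        if not m:
            continue  # comments, unknown methods, empty trailing clause
        method, verdict = m.group(1), m.group(2).lower()
        # Property/value pairs such as header.i=@dom, header.d=dom, smtp.mailfrom=addr
        props = dict(re.findall(r"(header\.\w+|smtp\.\w+)=([^\s;]+)", clause))
        results[method] = {"result": verdict, **props}
    return results


def _domain(addr: str) -> str:
    """Domain part of an address or of an '@dom' identity string."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def _org_domain(domain: str) -> str:
    # Simplification: last two labels. Real DMARC alignment uses the public suffix list.
    return ".".join(domain.split(".")[-2:])


def classify(header: str, from_domain: str) -> str:
    """Return 'aligned-pass', 'unaligned-pass' or 'fail' for the visible From: domain."""
    r = parse_auth_results(header)
    from_org = _org_domain(from_domain.lower())
    dkim, spf = r.get("dkim", {}), r.get("spf", {})
    dkim_dom = _domain(dkim.get("header.d") or dkim.get("header.i") or "")
    spf_dom = _domain(spf.get("smtp.mailfrom", ""))
    passes = [(dkim.get("result") == "pass", dkim_dom),
              (spf.get("result") == "pass", spf_dom)]
    if any(ok and _org_domain(d) == from_org for ok, d in passes):
        return "aligned-pass"
    if any(ok for ok, _ in passes):
        return "unaligned-pass"
    return "fail"


WHAT_IT_PROVES = {
    "aligned-pass": "sent through infrastructure the From: domain owner authorised "
                    "(possibly a SaaS mailer they delegated to); says nothing about intent",
    "unaligned-pass": "authenticated only for some other domain; DMARC counts this as a failure",
    "fail": "not authenticated at all; quarantine or reject",
}

if __name__ == "__main__":
    for name, hdr in (("aligned", ALIGNED_PASS), ("third-party", THIRD_PARTY_PASS)):
        verdict = classify(hdr, "bigcorp.example")
        print(f"{name}: {verdict} -> {WHAT_IT_PROVES[verdict]}")
```

The first sample is the case the thread is worried about: everything passes and aligns, because the mail really did go out through something the domain owner allowed to send on its behalf. That is the strongest thing email authentication can tell you, and it is still not "this message is safe".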
Not really. That's the giant red flag behind committing to a gmail, outlook, etc. account. If it gets messed up you're at the whim of "on-rail" support and if you need anything more all you can do is shout into social media and hope a stray employee feels bad for you.
Good job helping the scammers, SoundCloud. WTF
Never, ever, no matter the circumstances, store private keys (or seed phrases) on photos. Especially if those photos are synchronized to the cloud.
Hand-write them, store them in a safe and secure PHYSICAL location.
Of course we're humans, we make mistakes, and we usually start with small amounts of money that we can lose where it would be unnecessary to take all these precautions, but we still need to regularly remind ourselves to avoid disasters like this in the self-custody world.
The problem is that the security protocols required to keep cryptocurrency safe are simply untenable for any mere mortal. But hey, we keep blaming the victims… because they didn’t know the one simple trick to keep their Bitcoin safe!
(1) Go to our website
(2) Login and check your account
Of course, legitimate emails do that now, but because of the way we've been trained to "click" (such as "click to verify your email"), this conditioning carries over to phishing and other attacks, whereas that would be impossible with plain text. With plain text, the email verification would have to be "paste this code into a box".
Well, I can say with relative confidence that people prefer those links but _marketers_ prefer hxxps://awsmail.me/b64trustmebro/8675309== that leads who fucking knows where
> More importantly, Tony recognized the voice of “Daniel from Google” when it was featured in an interview by Junseth, a podcaster who covers cryptocurrency scams. The same voice that had coaxed Tony out of his considerable cryptocurrency holdings just days earlier also had tried to phish Junseth, who played along for several minutes before revealing he knew it was a scam.
> [...]
> Daniel told Junseth he and his co-conspirators had just scored a $1.2 million theft that was still pending on the bitcoin investment platform SwanBitcoin. In response, Junseth tagged SwanBitcoin in a post about his podcast on Twitter/X, and the CEO of Swan quickly replied that they caught the $1.2 million transaction that morning.
> Apparently, Daniel didn’t appreciate having his voice broadcast to the world (or his $1.2 million bitcoin heist disrupted) because according to Junseth someone submitted a baseless copyright infringement claim about it to Soundcloud, which was hosting the recording.
> The complaint alleged the recording included a copyrighted song, but that wasn’t true: Junseth later posted a raw version of the recording to Telegram, and it clearly had no music in the background. Nevertheless, Soundcloud removed the audio file.
DMCA enabling bad actors to cover their tracks was not on my bingo list.
Having nothing to be robbed from is such an underrated means to live in serenity.
That is also what many salespersons do to get you to buy what you don't need nor even want, you cannot miss this limited time discount.
Always stop for a moment and be skeptical: caller ID can be spoofed, and an email address can have ä or ē in the domain that you won't notice if you don't look carefully.
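An added example for the "ä or ē in the domain" point (my code, not from the thread): it shows what a look-alike domain turns into once IDNA-encoded (the `xn--` form your mail client may or may not display), flags non-ASCII and mixed-script labels, and computes what the domain *looks like* to a human so it can be compared against the domain you trust. It goes slightly beyond the comment by also folding a handful of Cyrillic letters that render identically to Latin ones; that table is a small illustrative subset, not Unicode's full confusables list, and the sample addresses are constructed.

```python
import unicodedata

# Illustrative subset of Cyrillic letters that look identical to Latin ones.
# Not the full Unicode confusables data; enough to show the technique.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def scripts_in(label: str) -> set:
    """Rough script detection from Unicode character names (no external library)."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ", 1)[0] if name else "UNKNOWN")
    return scripts


def skeleton(domain: str) -> str:
    """What the domain looks like to a human: strip accents, fold confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", domain.lower()):
        if unicodedata.combining(ch):
            continue  # drops the diaeresis from 'ä', the macron from 'ē', etc.
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def inspect_domain(domain: str) -> dict:
    nfkc = unicodedata.normalize("NFKC", domain.strip().lower())
    try:
        punycode = nfkc.encode("idna").decode("ascii")  # 'xn--...' for non-ASCII labels
    except UnicodeError:
        punycode = None  # invalid label (empty, too long, ...)
    non_ascii = sorted({ch for ch in nfkc if not ch.isascii()})
    mixed = any(
        "LATIN" in s and len(s) > 1 for s in (scripts_in(lbl) for lbl in nfkc.split("."))
    )
    return {
        "domain": domain,
        "punycode": punycode,
        "non_ascii": ["U+%04X %s" % (ord(c), unicodedata.name(c, "?")) for c in non_ascii],
        "mixed_script": mixed,
        "looks_like": skeleton(nfkc),
        "suspicious": bool(non_ascii) or mixed,
    }


def impersonates(address: str, trusted_domain: str) -> bool:
    """True when the address's domain reads as trusted_domain but is not actually it."""
    info = inspect_domain(address.rsplit("@", 1)[-1])
    trusted = trusted_domain.lower()
    return info["looks_like"] == trusted and info["punycode"] != trusted


if __name__ == "__main__":
    # Constructed samples: an accented 'a', two Cyrillic 'o's, and the genuine domain.
    for addr in ("support@gm\u00e4il.com", "no-reply@g\u043e\u043egle.com", "no-reply@google.com"):
        info = inspect_domain(addr.rsplit("@", 1)[-1])
        print(addr, "->", info["punycode"], info["non_ascii"],
              "looks like", info["looks_like"], "suspicious" if info["suspicious"] else "ok")
```

The useful habit this encodes: compare the `xn--` form and the skeleton, not the rendered string, because the rendered string is exactly what the attacker chose to be indistinguishable.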
It's entirely possible that someone can accomplish this with a phone call to your financial institution's customer help line.
"Oh gosh, I'm sorry, I forgot whether I used my email address or my wife's for this account - can you tell me what's on file?"
Humans are very exploitable.
"I'm ever so sorry, but I am unable to get to the bank right now; my mother was in an accident and I need to get to the hospital in 30 minutes. Is there any other way?" "No? Can you do it for me?"
Playing empathy over the phone gets you places, as does wearing a worker's hi-vis jacket to get into backstage at festivals.
You would track down this crypto in just about the same way you'd track down a fraudulently ordered wire transfer that was cashed out. Records would be requested, IPs and timestamps recorded, more records would be requested from other parties based on those, and so on and so on. The difference is that it's somebody's job to go after those. It's nobody's job to go after this.
Idk I just think the title is pretty lame and generalizes a pretty informative phishing article, in a bad way.
We have been emailing our TAM (or whatever Google calls them) for weeks (and opening tickets)
They keep giving us the same fucking documentation link.
Literally useless.
Another instance we were using code from their docs and they refused to help saying they don’t look at code ever
It's a clever move by the scammers - I can see how people would fall for it.
> Unfortunately for Griffin, years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet.
Um, duh...
> "[...] I put my seed phrase into a phishing site, and that was it.”
>Almost immediately, all of the funds he was planning to save for retirement and for his children’s college fund were drained from his account.
Um, duh. First mistake to put all eggs in a single basket. Second mistake, this basket was a cryptocurrency. Third mistake, pasting the secret key to that _anywhere_.
Stopped reading there. What more can we do to protect people from their own stupidity (and I'm not talking about the crypto "investment" part)?
My bank has literally called me with what amounts to "ur being haxxor3d", and like … who are you? The representative literally would not tell me who he worked for. I was 210% sure it was a scam, and hung up on him. Turned out, it was legit.¹
Companies need to make sure their own operations don't bear the trappings of fraud.
¹(I don't regret hanging up, though. Calling back to a known, published-by-the-business-itself number is the right thing to do.)
When business guys are involved in a security app. Many of us can easily imagine the "user story" that caused this.
Google listened.
It's mind-boggling to me how crypto guys can be simultaneously savvy enough to be involved in crypto, to the tune of millions of dollars, but also retarded enough to fall for stuff like this.
Let's take the average person on this forum, who's probably pretty tech savvy. Their odds of falling for a scam on a given day might be 1 in a billion. But when they're exhausted after work, they might be 10X likelier to fall for a scam. Another 10X when they're stressed out about family life, or going through a breakup. Another 10X when they're out drinking with their friends. And so on.
Eventually, whether it's due to age or other factors, everyone gets to be in situations where they're susceptible to scams. And scammers are experts at emotional manipulation, exploiting fear and embarrassment.
So your conclusion is sound but your premise is invalid.
Come on.