It does feel like the security protocols necessary to secure $100k to $Ms of crypto which transfers instantly and non-reversibly is a challenge for the average user.
Even as a fairly tech-enabled Gen X, I have forgotten passwords and had to reset them (usually accounts I haven't used in a while), had files corrupted without a good backup, lost a Yubikey somewhere in the house (I think at least).
From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.
Versus keeping my money in SIPC and FDIC protected accounts.
I will say, the BTC appreciation is a big attraction of course, but long term I don't see how it becomes widely adopted with so much logistics risk, and appreciation… well who knows about that.
I had these people call me the other day. I got a text message alerting me of a potential Google account security issue they had blocked and that I should expect a call. I also got one of those emails and an automated phone call. The automated phone call had me dial 1 if I wanted a call back from support to help recover my account.
I got a call from a very professional sounding woman assuring me she was with Google and they had discovered some potentially fraudulent activity with my Google account in Frankfurt. They said they had locked down my account to protect it but they would walk me through recovering it.
I knew this was impossible, because the Google account in question doesn't have passwords. It has a couple of passkeys which are all physical hardware tokens in my home. But I wanted to see how pushy they would get.
Turned into a half hour phone call with me playing dumb (was watching my kid's sports practice, nothing to do for a half hour but cheer him on). Eventually when I was done with it I let them know I was in the process of filing the report with the federal cybercrime department. Immediately hung up from that.
> I knew this was impossible, because…
There's an easier tell. It's impossible because you can't get Google to help you at all about any account issues, never mind them being as proactive as to call you.
In other words, if Google calls you, it's not Google.
It's slightly depressing that there are probably more fake Google support staff than real ones.
In case you would like a concrete example to ground the cynicism about corporate trade offs around customer support, I recommend watching Jill Bearup's 10 minute video [0] about this week's demonetization. For example, she has to deal with some form that she "can't submit", a customer service contact 12 time zones away (so email replies are 12 hours delayed), and an account manager who is non-responsive. In her court, are some unaffiliated google employees giving guidance, but only because they were already part of her youtube watching audience.
> For example, she has to deal with some form that she "can't submit", a customer service contact 12 time zones away (so email replies are 12 hours delayed),
At that point I'd set up an LLM agent to reply for me. Big Tech are no longer the only ones who can pretend to be a human.
They will reach out to try and help sell you more ad spend. If that was a scam it's very good, because they set up my AdWords campaign for me.
I have a similar anecdote which isn't very relevant except it felt like googlers now care about how they can help make google more money. I would have never expected engineers at Google to care about how to make more money for google like doesn't the money just flow in...
If it weren't for the routine ex-Googler postmortem blog post shared on HN I'd think Google doesn't even have human employees.
The greatest mystery of my life is what is a "Google Product Expert" on their community forums whom I assume:
1. isn't an employee speaking as the company.
2. is someone given the title by the company.
3. spends a lot of time answering questions despite not being paid for it.
4. can contact Google employees somehow.
The only perks for this that Google lists is that you can join a secret club of Google Product Experts. It feels like gig economy applied to customer support.
> I got a call from a very professional sounding woman
That's usually the tell, right there.
Legit support operations tend to sound unprofessional as hell. Heavy accents, scratchy lines, scripts referencing the wrong OS, etc.
Yeah, hah, it is funny that "Google offering phone support" is so unthinkable to me that it's a red flag for a scam.
Yeah, that was also another big red flag for me.
I do have paid services on other Google accounts and have dealt with their support before, but the account they were trying to break into was an ancient one I made as a teenager and don't use for much of anything anymore. If Google Support were to call me about anything (unfathomably unlikely, and never about a security issue like this), it wouldn't be from a free account that has never given Google a dime.
I have received calls from Google associates before. Almost always some account manager looking to find yet another product to sell me. Never proactively to any kind of account issue.
Frankfurt of all places!
Frankfurt is actually notorious in Germany for their issues with drugs. Going outta the train station you can see ppl passed out with literal needles in their arms, taking a shit in public view etc
Doesn't really transfer to cyber crime, but it's definitely one of the more "criminal" places in Germany. Still super tame compared to actual slums etc though
> Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one's Google account online.
This sounded absolutely crazy to me so I went to open Authenticator on my phone and lo and behold it offered me the option of linking to my account and "backing up my codes in the cloud" to which I declined.
But I had never seen this behavior before, so is this new? It did not seem to be enabled by default in my case.
Google only added this feature recently. I am really conflicted about this feature. Without it you need to either save every TOTP code when you first set up the account or manually disable 2FA on every account and then enable it again so you can enroll it on a new phone. I used it when migrating to my most recent cell phone but then disabled it. Of course you have to trust that Google actually deletes the codes from your account.
What's crazy to me is that Google would allow access to a foreign device from a single click. It would be easy for a person to accidentally click it, or for a kid playing on their parent's device to click it when it popped up. I really can't understand why they wouldn't send a code that would have to be entered instead; it would be far less prone to those kinds of problems.
"foreign device" based on IP geolocation is pretty tricky and annoying.
My home in Texas had an IP address which a lot of databases had as supposedly being in Montreal. It was like that for years. Gotta love so many sites trying to default to French.
As a network admin I have found that whitelisting only US address space for my company's IPs drastically reduces how many attacks we get.
How would a code help? The victim has already bought into the social engineering. If the person on the phone asks the user to read out a code, they will. If the person on the phone asks them to enter a code (i.e. the version of this kind of prompt where the user needs to enter a code on the phone matching the one showing on the login page), they will.
Every step you make someone who is being socially engineered jump through is an extra chance for them to realize what is happening, especially if those steps contain warnings.
I use Authy and it does this too. I like that I can get the code on my phone or tablet. I also keep paper copies of the original QR codes in a safe place.
The trick with Authy is to disable multi-device access unless you're in the process of adding another device, so hackers and scammers can't add their own devices to your account without your aid. If you leave the setting enabled, someone may get your TOTP secrets from Authy before you can stop them.
If there is a trick to doing something securely, then that is already an automatic fail.
No. That's not "the trick". As soon as it's in the cloud, it's over, it's gone, you've lost the game.
You can just decode the QR code and use whatever secret is in there to generate the OTP codes. TOTP isn't that complicated, it's really just a second password that the system generates.
Just checked and Google authenticator seems to be synced to my account, which is a huge SPOF and not what I want. It's possible that I did this without realising, but does anyone know of a way to revert authenticator to local-only? I don't see anything obvious.
> It's possible that I did this without realising
IIRC on my platform, when they added the feature they turned it on by default, as an auto-installed update.
And if you're logged into the gmail app on the same device that also logs you into authenticator.
You didn't do anything wrong.
FWIW, I still remember recoiling in horror when I was asked whether I wanted to sync my Google Authenticator stuff.
> does anyone know of a way to revert authenticator to local-only?
To answer my own question: tap the profile pic (top right on Android) and choose the Use Without an Account option. Removes codes from cloud storage and any _other_ devices. Mentioned in TFA.
I am literally mind f** by the wording "Use Authenticator without an Account". This is one of the most tortured and cryptic phrases I have seen. Government legalese is more straightforward than Google.
You can't revert, the keys are sent, they have them. They can't un-have them. You'll need to rotate your MFA.
> You can't revert, the keys are sent, they have them. They can't un-have them. You'll need to rotate your MFA.
Not true. See https://news.ycombinator.com/item?id=42471459
Better option is to not use Google's TOTP app. Use something else
About a year ago I got an email from an actual Coinbase email address telling me that my account had been compromised. It included a case number.
Trying to log in with my username and password did not work. Moments later I get a phone call, the caller id says that it is Coinbase. Guy on the phone with a thick German accent tells me he's calling about my account and gives me the case number from the email. I know damn well never to trust a phone call you did not initiate, so I'm kind of just stringing the dude along on the phone.
I remember that I had set up a passkey, and try it. I get in with that and immediately run to the emergency "lock my account" button. I tell the guy on the phone that I have clicked it and after a bit of "uhmmm..."-ing and "hmmm..."-ing he just hangs up.
I call Coinbase support and they verify some recent transactions and ask me to forward them the email, and that's that. I still have no idea what the actual attack was or how they changed or invalidated my password. Best I can tell they did not manage to actually get in to my account.
I ended up changing my password to just about everything out of caution.
Last time I called boss money transfer, I called them and their real agents told me they must call me to verify. I was like, how would I know if it is boss money transfer or a scammer. At the end I had to trust because the voice was the same.
The glaring common denominator here is that the attacker has the ability to send an unprompted, unblockable request to the victim's phone. Pressing the safe-looking green button that shows up, even accidentally, is digital suicide.
Google Prompt is supposed to be a safety feature. The account recovery process lets a hostile actor turn Google Prompt into a loaded gun, and Google puts it directly into the victim's hand, aimed straight at their own head.
There's absolutely no way to shut off Google Prompt that doesn't involve removing every Google app from your mobile devices.
That is one really nasty aspect of cryptocurrency. They make theft cryptographically irreversible. And you can watch the thieves spend your money!
I wonder if people who are "invested" in cryptocurrency are more susceptible to these kind of scams. There's a strong aspect of FOMO in getting people to buy imaginary internet money, and also in getting them to panic and fumble said internet money.
One of the reasons I stay away from it is that, at least in recent years, every scam that I see taking place involves crypto. I have a lot of acquaintances and I can almost draw a line at this stage: the higher the "shadiness" of the person, the more they are invested in or talking about crypto. I am yet, even though I owned some, to have had the need to use crypto in my daily/weekly/monthly/yearly life.
It is very easy to destroy lives with it as we can see in this case, and making it harder to do so will work against the very nature of this tech. This is a tough nut to crack but I think the space will remain filled with predators constantly baiting prey into the system with the promise of a big reward.
"You can't undo a transaction" is a core feature of crypto. This is hilarious, because in actual payment networks, it literally only benefits scammers.
Every consumer ever has at one point or another wanted or needed to reverse a transaction. Chargebacks are a FEATURE of credit cards.
While "Nigerian spam" scams profit off simple-minded gullible people, cryptocurrency scams profit off sophisticated gullible people.
It's obviously going to be much much more difficult to steal $450K from an actual bank account and get clean away - you're going to need a lot more proof of identity than a google login. From that POV, owning a lot of cryptocurrency is painting a target on your back.
How do they identify their marks? A random firefighter seems like an odd target.
Traditional banks and the financial industry are generally sub-optimal, but at least if you are scammed, they will do their best to either recover your money or return you whole.
To have this safety, money and finances have to be centralized, regulated, and governed, all of which crypto doesn't have and doesn't want.
> they will do their best to either recover your money or return you whole.
And if they don't, the courts can force them to do it and give you some extra money for the trouble.
I wonder if there's any one legitimate instance of a company calling you about compromised accounts and requiring your action. It seems to me that anyone reaching out and lighting a fire under your ass can be assumed to be a malicious actor.
Any notification asking you to confirm your identity that is not initiated by your actions should be immediately dismissed with a "no" and that should be all there is to such things, no?
Yes, but you have to know that.
I got a call from "Bank of America," and they smoothly talked me into giving them my debit card PIN. The trick was they had gotten into my online banking beforehand. "We've detected possibly fraudulent activity on your account." Then they read me real transactions from my actual account. "To be safe, let's lock down the account. For this we need more information for authentication, though." Probably started from a phishing thing that I fell for online without noticing. It was pretty clever of them. Not so easy to steal from a checking account without leaving a trail, unless you have the PIN. Then the main risk is to whomever was on camera at the ATM withdrawing as much cash as possible before the account was automatically locked down.
The next day, I got a call from "Bank of America" telling me that I'd been had. Fortunately they just credited the money back into my account. About $5000.
The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."
The article's advice is correct. If someone asks you for info, tell them you'll call them back. It is almost certainly a scam. Calling back the possibly spoofed number at worst wastes a little time being on hold, and at best saves you or the bank a lot of money.
> Calling back the possibly spoofed number
Don't call back the number possibly being spoofed (i.e. using your Caller ID as the source of the callback number). Call an independently-listed number for the company, such as the phone number on the back of a credit or debit card. Using an independent number prevents any failures where the Caller ID correctly reports an attacker-controlled but plausible-sounding number.
For extra paranoia and safety, perform the callback from a separate phone line. That would avoid at least some of the more-targeted attacks involving a compromise of the victim's phone connection, which could potentially allow the attacker to redirect outgoing calls.
"Hang up, look up, call back"
> The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."
Unfortunately physical branches are expensive to maintain, so a lot of banks have been closing them down. There are even plenty of banks with zero physical branches now. All contact is via phone or email, so there is no scam-proof way for them to contact you.
They don't have to have a scam-proof way to contact me. They just need to give me a way to contact them.
That way, any phone call or email to me can be immediately ended with me saying "Thanks, I'll call the number on the back of my card," and hanging up.
How were they able to use an ATM without having your card?
I recommend not calling back the incoming number even if you think it's real and spoofed, always look it up on the bank's website.
My understanding is that they had a programmable card. This might have been just before chips became widespread in America. Or, maybe there's still a way to withdraw with only the information visible on the card.
Here's a thing that is enraging, though: when a bank has SMS 2FA (insecure if you're being targeted but better than nothing) and they keep having you enter that into third-party websites. I mean going to a legitimate business, making a purchase with a credit card, and then the bank wants 2FA to validate a purchase instead of a login? Fuck off, I'll use a different card, then.
If it weren't for bullshit FICO calculations I would drop that account entirely.
If some bank calls you about compromised accounts, the recommended action should be to hang up, find the official phone number for your bank, wait one minute[1], then call back.
[1] You have to wait or call from a different phone, because the call might not terminate immediately, and the scammer might still be listening on the line.
Banks are pretty good at doing an impression of phishing scams, unfortunately. Almost every red flag for a scammer has also been done by a bank, legitimately.
There was a comment on Hacker News, which alas I can no longer locate, where a guy said he'd been called by his bank and the bank wanted him to answer various security questions. He said he was happy to do so, but firstly needed the bank to verify who they were, or to call the bank back on a telephone number on their website. The bank refused, so he refused to give them any details. The bank then blocked his bank account, meaning he couldn't pay his university tuition on time, meaning his student visa was no longer valid as he was no longer "studying", meaning he had to leave the country.
A bank blocked an account because they called someone and that person didn't provide them with personal data? That sounds unlikely.
This.
Also healthcare providers, though they seem to have finally wised up. They would call me from poorly configured phone systems (so unrecognizable caller id) and the first thing they would ask is to confirm full name and date of birth.
Patterns like this do a great deal of damage in desensitizing folks and making them accept dangerous patterns that get exploited by scams.
Even if you recognized it, the number shown by Caller ID is easy for the caller to spoof -- or at least it was a few years ago (the last time I paid attention).
I have had my telephone company ask me to give them a code sent to my device. It is presumably to prove to the company that the representative is talking to me so that bad actors low in the company cannot start randomly messing with people's accounts. It is the equivalent of the bad click here. The only real defense is to know the difference between a mechanism meant to authorize someone at the company and a mechanism to authorize you. Confuse the latter for the former like the victim did here and bad things will happen.
Banks maybe, but Google? Google only has "AI" support and that doesn't call us yet. So it's safe to assume that any call from Google is fake.
Sometimes there are good reasons for a bank to call you. The infuriating part is that not every bank has a quickly accessible number to call back if you don't trust the caller. Caller ID may be useless, but me calling the official number for my bank is pretty hard to fake (unless my carrier is part of the scam).
My bank has a button inside the app that will confirm that a real bank representative is calling you, or provides a button to call the bank's emergency line if they're not. It's a simple and effective way of preventing scams that I think more banks should implement.
An SS7 attack could make your carrier part of the scam without their knowledge, such that calling back the number will connect you to the scammer and not the bank.