How to lose a fortune with one bad click

320 points
1/21/1970
3 days ago
by todsacerdoti

Comments


vel0city

I had these people call me the other day. I got a text message alerting me of a potential Google account security issue they had blocked and they I should expect a call. I also got one of those emails and an automated phone call. The automated phone call had me dial 1 if I wanted a call back from support to help recover my account.

I got a call from a very professional sounding woman assuring me she was with Google and they had discovered some potentially fraudulent activity with my Google account in Frankfurt. They said they had locked down my account to protect it but they would walk me through recovering it.

I knew this was impossible, because the Google account in question doesn't have passwords. It has a couple of passkeys which are all physical hardware tokens in my home. But I wanted to see how pushy they would get.

Turned into a half hour phone call with me playing dumb (was watching my kid's sports practice, nothing to do for a half hour but cheer him on). Eventually when I was done with it I let them know I was in the process of filing the report with the federal cybercrime department. Immediately hung up from that.

a day ago

thebruce87m

> I knew this was impossible, because…

There’s an easier tell. It’s impossible because you can’t to get Google to help you at all about any account issues, never mind them being as proactive as to call you.

In other words if Google call you, it’s not Google.

It’s slightly depressing that there are probably more fake Google support staff than real ones.

a day ago

avidiax

I feel Google, Facebook, etc. all need to setup actual phone numbers and chat rooms, and make them rank highly on searches for "Google support phone number", "Google fraud department", "Google account recovery department", "Google Live Support Chat" etc.

Then those numbers should simply play a message that this is the only official phone number, and no human will ever call from or answer this number, and the company does not offer customer support or appeals to account problems.

They also need to make searching for fraud phone numbers return anti-fraud messaging rather than what it currently does. Seems like the entire 844-906 exchange is fraudulent [1].

I had a family member that just got scammed because they panicked after their Facebook account got banned, basically exactly like [2].

[1] https://www.google.com/search?q=844-906

[2] https://www.npr.org/sections/alltechconsidered/2017/01/31/51...

a day ago

andrepd

Or, hear me out: provide actual customer support.

3 hours ago

SideQuark

To 4+ billion customers. Not possible at any realistic company size.

If you or any person figured out how to do such a thing you’d be the next trillion $ company.

3 hours ago

ben-schaaf

Considering their profit is on the order of 100 billion, providing proper customer support does actually seem entirely realistic.

7 minutes ago

HeatrayEnjoyer

The corps want you to believe that but it's not true.

India requires direct customer support by law.

an hour ago

mafuy

If your scaling requires you to ignore some laws and regulations, maybe your scaling is just a wet dream that should not become reality, and still attempting it should be punished. It's just the cost of doing business.

an hour ago

4oo4

That's a consequence of growth they should have thought of and a basic part of running any business.

At least in the US Attorneys General are being forced to do this work for them. It's essentially the only way to get a hacked Facebook/Instagram account recovered.

https://www.engadget.com/41-state-attorneys-general-tell-met...

2 hours ago

Retric

Users in low wage countries with minimal profit per customer doesn’t preclude US / Canadian tech support where they get 20+x the revenue per user.

They are making 10+$/month per user for a few hundred million, and have a large profit margin that easily pays for basic tech support.

2 hours ago

andrepd

Nonsense. It's (moderately) expensive, it's a cost. It's far from impossible, the proof of that being that huge companies did and do provide customer support.

Big tech loves "stripping unnecessary fluff" and "being efficient". Turns out the "unnecessary" stuff is there for a reason. The automatic management + zero customer support is dystopian to say the least.

14 minutes ago

otteromkram

Where do you think Google would rank its own support, help, etc., contact pages and info if not at the top of searches like the ones you mentioned?

16 hours ago

dustyventure

If there is only one time they would honor their fair market obligations and not raise their own rankings, it would be on a cost center like free tech support to consumers.

an hour ago

fn-mote

The problem is the subjunctive here.

It's not where the _would_ rank ... it's where they currently _do_ rank.

In my test, the AI Overview produced accurate information ("Google does not offer phone support for account recovery") but none of the other hits on the first page say anything like "Phone support calls are always fraud. Google will not call you."

14 hours ago

Super_Jambo

I think the point they are making is that google will let the fraudsters pay to place higher than the warnings because it's profitable to do so.

10 hours ago

Nzen

In case you would like a concrete example to ground the cynicism about corporate trade offs around customer support, I recommend watching Jill Bearup's 10 minute video [0] about this week's demonetization. For example, she has to deal with some form that she "can't submit", a customer service contact 12 time zones away (so email replies are 12 hours delayed), and an account manager who is non-responsive. In her court, are some unaffiliated google employees giving guidance, but only because they were already part of her youtube watching audience.

[0] https://www.youtube.com/watch?v=6RZHajVV9PA

a day ago

maeil

> For example, she has to deal with some form that she "can't submit", a customer service contact 12 time zones away (so email replies are 12 hours delayed),

At that point I'd set up an LLM agent to reply for me. Big Tech are no longer the only ones who can pretend to be a human.

a day ago

HeyLaughingBoy

I smell a product idea...

21 hours ago

SeanAnderson

I had Google call me once :) It was when I was riding in a Waymo and one of the screens in the vehicle was lagging a little bit. They made the surprising choice of calling my phone, rather than ringing the car itself, and I didn't pick up because... who picks up when your phone says, "Call from Google" :) They called the car shortly afterward to reassure me that the lagging screen wasn't an indicator that the car would underperform.

18 hours ago

Sohcahtoa82

Being guaranteed to be able to talk to a human would be great, but I just don't see how it can possibly scale to over 1 billion users that aren't paying like gmail has.

Years ago, my brother used to work for XBox Live Tech Support, and he said that easily over half the calls he got were for things that customers could easily self-service, like a password reset. Many tech issues were fixed by the most basic troubleshooting step: Power cycling.

Meanwhile, my uncle works XFinity tech support, and he'll frequently get calls when a website has an outage, not to mention how many non-technical people think any internet-related issue, such as a forgotten Google password, means calling your ISP.

This doesn't even begin to talk about bad actors calling tech support to try to break into someone else's account. Google accounts are high-value targets. Once you've gotten in, there's a really good chance you could easily pivot to all of that person's other accounts.

To handle the call volume that a service like Google would have, if they offered phone tech support, the amount of staff they would need would be in the hundreds of thousands, and so many of the calls they take would be wastes of time. There are a lot of non-technical people that have no idea how things work and basically think that Google IS the Internet.

19 hours ago

foxglacier

What can a human do that the automated processes for account recovery/etc. can't?

I talked to a human Apple support person once and we had quite a long chat but ultimately his conclusion was basically "I can't know anything you don't already know and there's no way to resolve the problem."

8 hours ago

hamandcheese

> but I just don't see how it can possibly scale to over 1 billion users that aren't paying like gmail has.

Why not charge for support?

You bet your ass I would pay a support fee if my Gmail account was having issues.

19 hours ago

vel0city

> Why not charge for support?

They do. And when you actually pay for support, they answer the phone. At least in my experiences.

The only times they've left me high and dry is when I didn't have any actual paid support contract or subscription for whatever the question was about.

They have a Gmail support contract. You signing up?

17 hours ago

toss1

Yup

$19.95 per incident to talk to someone who could ACTUALLY resolve an issue would be totally worth it, especially for people who suddenly find themselves locked out for no known reason. A fee would also filter out most the silly calls, and if not, and they can resolve a password reset in 2 minutes, it is way worth it for both the caller and Google.

18 hours ago

dmd

That exists - it’s called Google Workspace.

18 hours ago

immibis

I don't understand. How do I use Google Workspace to pay $19.95 to solve a problem with my Gmail account?

11 hours ago

throaway920181

I had a weird security alert on my Google account the other night after trying to do a "Sign in with Google" to a service I've used for years. Trying to view my account/security info kept redirecting me to a page instructing me on how to clear cookies.

I clicked support and was able to get a call right away. But I pay $20/year for Google One.

16 hours ago

coliveira

Somehow Google and other tech companies are not required to have a customer service that actually solves the legitimate problems customers have with their services. I wonder how they are allowed to do this not just in the US but across the world.

21 hours ago

cj

I pay for Google Workspace for my personal Gmail account. It’s billed per user (with no minimums) so it’s actually very cheap even for the “enterprise” version.

The support is excellent. I can get a human on a live chat and request a screenshare and phone call session with a few clicks in under 10 minutes.

But of course that’s only available to me because I pay for the business version of Google albeit for personal use.

20 hours ago

thephyber

Software is not considered a “product”, so it doesn’t come with the government protections against companies that sell defective or dangerous products.

Also, you don’t pay for Google. It’s a free search engine and a free email service. You get tech support if you pay for the enterprise workspace features.

17 hours ago

coliveira

So, if it's not a product it shouldn't be sold or leased, and people shouldn't be hired to build it.

5 hours ago

bad_haircut72

They will reach put to try and help sell you more ad spend. If that was a scam its very good cause they set up my adwords campaign for me.

a day ago

thanksgiving

I have a similar anecdote which isn't very relevant except it felt like googlers now care about how they can help make google more money. I would have never expected engineers at Google to care about how to make more money for google like doesn't the money just flow in...

a day ago

derangedHorse

> It’s slightly depressing that there are probably more fake Google support staff than real ones.

I've never thought of it that way but you're right! Dealing with support at most tech companies is a horrible experience and is usually something I research before using a product where a failure in service provision could lead to catastrophic results.

5 hours ago

AlienRobot

If it weren't for the routine ex-Googler postmortem blog post shared on HN I'd think Google doesn't even have human employees.

The greatest mystery of my life is what is a "Google Product Expert" on their community forums whom I assume:

1. isn't an employee speaking as the company.

2. is someone given the title by the company.

3. spends a lot of time answering questions despite not being paid for it.

4. can contact Google employees somehow.

The only perks for this that Google lists is that you can join a secret club of Google Product Experts. It feels like gig economy applied to customer support.

a day ago

nox101

several huge companies do this. here's one

https://discussions.apple.com

so frustrating

a day ago

rawgabbit

But if you have a problem and you need to show that you own appleid xxxx@xxx.com, can’t you go to an Apple Store and they will help you? I believe the frustration with Google is that there is not an actual human the regular person can talk to.

a day ago

lotsofpulp

Apple isn’t a good example to use here because you can contact a human at Apple very easily:

https://support.apple.com/contact

They will even remote into your device and walk you through how to do something.

a day ago

lockyc

Unless their salespeople are calling you

20 hours ago

samlinnfer

I had a legit call come from Google Maps and I called them a scammer and various other names.

19 hours ago

TacticalCoder

> There’s an easier tell. It’s impossible because you can’t to get Google to help you at all about any account issues, ...

Paying Google apps / GSuite users can call a number and it's real humans answering (and they're very helpful).

But indeed I don't think they proactively call you.

15 hours ago

ChrisClark

I got one of the same calls (didn't believe them). Afterwards I phoned Google support and they said the same thing, they will never call you. I had them confirm nothing was wrong with my account, just in case.

So it's very possible to phone Google support, just don't believe anyone who calls you.

17 hours ago

eschneider

Right? "Google support" calling is an obvious tell.

19 hours ago

ChrisMarshallNY

> I got a call from a very professional sounding woman

That's usually the tell, right there.

Legit support operations tend to sound unprofessional as hell. Heavy accents, scratchy lines, scripts referencing the wrong OS, etc.

a day ago

foobarchu

Depends heavily on the company. Fidelity, for example, has super friendly, local sounding support employees. They will sometimes call you directly, too, for things like "checking in on your retirement goals". If someone called sounding professional, it would not be a tell that it isn't actually fidelity.

Plus, most of the weird "customer support" scams I've gotten in the past are people with thick accents on a garbage connection.

20 hours ago

fn-mote

> They will sometimes call you directly, too, for things like "checking in on your retirement goals". If someone called sounding professional, it would not be a tell that it isn't actually fidelity.

Sounds like although they might not be 100% scammer, you can be assured it's marketing and not customer support.

14 hours ago

ChrisMarshallNY

Yeah, it was a joke.

However, these scammers tend to come across as the platonic ideal of a perfect support rep.

My wife almost got taken by one, several years ago.

19 hours ago

bdangubic

here’s what I don’t understand - why isn’t all education related to this kind of shit very simple. never answer a call (or return a call from voicemail) and never open/respond to an email. being in this industry for 2.5+ decades the first thing I thought my wife was exactly this. and my daughter as soon as she was of age where she started her digital life. 100% no exceptions. never ever answer a call from anyone you don’t know and if you get a voicemail that says whatever never callback. same on the email side, SMS side. no one will be calling you, no one will be emailing you… except scammers, no exceptions.

19 hours ago

vel0city

You think people remember half of the shit they learned in their middle school or high school classes?

The number of times I've had someone ask "how do you know this stuff" when it's something I learned in 7th grade or similar is astounding.

17 hours ago

leni536

It's not like phishing trainings don't exist, but almost all of them are just wrong. They tell you things like "look out for spelling mistakes and sketchy looking URLs".

4 hours ago

bdangubic

It is pretty easy to remember and follow things if you keep it simple. with this it is remarkably simple.

- never answer unknown number calls - never answer unknown number texts - never open any emails from anyone you don’t know or do anything that email tells you to do if curiosity gets the best of ya and you open it.

ALL communication with any “business” or “government” (state/local/federal) is in one direction, YOU contact THEM. That’s it, can’t be any simpler

16 hours ago

lukan

"no one will be emailing you… except scammers, no exceptions."

Might be, because I was travelling a lot, but I got lots of unknown numbers calling me that turned out to be friends with a new number. Now I surely could have locked myself up in a cage then there would be no risk, but also not reward.

Calling a unknown number back - no. But taking a call and saying hello did never cost me anything. I also don't just send money away or would install weird things on my computer because someone on the phone says so, so what is the danger?

18 hours ago

ChrisMarshallNY

Have you ever answered a robocall, and the first thing they ask is "Can you hear me OK?" or "My Bluetooth is acting up. Can you hear me?"

They want to record your voice, saying "yes."

I always say "I can hear you." I never say "yes," or anything like that, during the short time I'm on the line with them.

However, that is probably not valid, anymore, because they just need to record a fairly short segment of your voice, to generate a deepfake.

16 hours ago

lukan

If it is a robocall, I would hang up and not say yes. Otherwise "I can hear you" and avoiding saying yes is good advice.

And as for deepfakes, I assume they become good and widespread enough soon, that no telephone contracts become enforcable.

11 hours ago

bdangubic

friends with a new number can leave a voicemail saying they are who they are (or text or hit you up on social or…)

taking a call from unknown number, never under any circumstance. people calling you do this for a living, you pick up and your odds are stacked against you. maybe not yours or mine but my Father’s for sure :)

18 hours ago

lukan

Well, I allmost did fell for a phone scam once, but due to weird circumstances I believed it was official Microsoft support as I expected them. Still, I won't install shady things from shady sites on request from a phone, so it did not got far.

6 hours ago

immibis

How will you get business done if you never answer a call or open an email, no exceptions?

11 hours ago

Spivak

Because the advice is actually

* Don't respond to any unsolicited communications. Period.

* If some business you have a pre-existing relationship reaches out to you unsolicited and you suspect it might be real, still don't respond. Go reach out to them via their posted customer support channel.

I have complicated feelings about phishing training because while it's good they're teaching you about common manipulation tactics and scams, trying to sus out from vibes the legitness of an email is the wrong approach. Just don't do anything.

11 hours ago

asddubs

wow, the scammer tried to steal your wife?

5 hours ago

ChrisMarshallNY

Maybe. She said he had “a golden voice.”

5 hours ago

WalterBright

I've gotten real support calls where the audio was so bad it was hard to understand anything they said. And/Or the standby music fidelity was so awful it's like pounding a spike in my ears. (Or maybe that's intentional so I hang up and don't bother with them.)

You'd think they'd have equipment newer than the 1960's.

21 hours ago

mavamaarten

Yeah, hah, it is funny that "Google offering phone support" is so unthinkable to me that it's a red flag for a scam.

a day ago

vel0city

Yeah, that was also another big red flag for me.

I do have paid services on other Google accounts and have dealt with their support before, but the account they were trying to break into was an ancient one I made as a teenager and don't use for much of anything anymore. If Google Support were to call me about anything (unfathomably unlikely, and never about a security issue like this), it wouldn't be from a free account that has never given Google a dime.

I have received calls from Google associates before. Almost always some account manager looking to find yet another product to sell me. Never proactively to any kind of account issue.

a day ago

m463

I get lots of helpful emails from my mail administrator telling me I have some sort of problem I need to log in/revalidate/release pending messages etc.

Urgently!

(I run my own mail server and I am the admin)

15 hours ago

semking

Sounds as urgent as legit :)

12 hours ago

onemoresoop

You should have recorded the whole thing

3 hours ago

baxtr

Frankfurt of all places!

a day ago

ffsm8

Frankfurt is actually notorious in Germany for their issues with drugs. Going outta the train station you can see ppl passed out with literal needles in their arms, taking a shit in public view etc

Doesn't really transfer to cyber crime, but it's definitely one of the more "criminal" places in Germany. Still super tame compared to actual slums etc though

a day ago

WalterBright

The last time I was in Frankfurt was maybe 20 years ago. I suppose things have declined quite a bit since then.

21 hours ago

locallost

Notorious on social media perhaps. I am yet to see someone in Frankfurt passed out with a needle in their arm. I've been to Frankfurt several times in the last years -- slept once in a hotel near the train station, spent a couple hours until 2-3am at and around the train station because of a missed train, spent a lot of time waiting for my next train connection etc.

20 hours ago

packtreefly

The glaring common denominator here is that the attacker has the ability to send an unprompted, unblockable request to the victim's phone. Pressing the safe-looking green button that shows up, even accidentally, is digital suicide.

Google Prompt is supposed to be a safety feature. The account recovery process lets a hostile actor turn Google Prompt into a loaded gun, and Google puts it directly into the victim's hand, aimed straight at their own head.

There's absolutely no way to shut off Google Prompt that doesn't involve removing every Google app from your mobile devices.

a day ago

Too

This is called MFA bombing. Just send prompts until the user accidentally accepts one.

Microsoft’s authentication has protection against this, requiring you to manually enter a 2 digit number in your phone, matching what you see on your other device. Very simple, there is no excuse for Google to not have similar.

10 hours ago

panstromek

Hmm. I remember using a code like this with google, too. Seems like they had something similar in the past.

6 hours ago

franga2000

You used to have to click the correct two-digit number out of 3 options, but now it's just "way this you? (yes/no)"

25 minutes ago

derangedHorse

Google allowing OTP codes to be generated from the cloud is also insane to me. I've known about this feature for a little while, but it never ceases to amaze me how careless Google is with security.

6 hours ago

nytesky

It does feel like the security protocols necessary to secure $100k to $Ms of crypto which transfers instantly and non-reversibly is a challenge for the average user.

Even as a fairly tech enabled GenX, I have forgotten passwords and had to reset them (usually accounts I haven’t used in a while), had files corrupted without a good backup, lost a Yubikey somewhere in the house (I think at least).

From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.

Versus keeping my money in SIPC and FDIC protected accounts.

I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted with so much logistics risk, and appreciation… well who knows about that.

a day ago

ashleyn

1) if you don't exclusively have the private key (wallet), you don't own the crypto. if someone else gets the private key unwittingly, they now own the crypto

2) split cumulative funds into two wallets, a "hot" wallet and a "cold" wallet. keep the funds in the "hot" wallet to no more than for which total unintentional loss is tolerable. keep the private key to the "cold" wallet off any internet connected device except for the minimum duration required to transfer funds to the hot wallet.

3) print the recovery phrase for the cold wallet and store it in a physically secure location

4) if an ideally secure physical location is not possible, split risk across multiple "cold" wallets

19 hours ago

thousand_nights

that sounds tedious af and still prone to error, i'd rather literally pay someone to handle all of this for me, let's say, some kind of institution which specializes in storing and handling money

18 hours ago

bb88

It would also be cool if it were guaranteed up to a certain amount, very much like FDIC does for amounts smaller than $250k.

11 hours ago

hatthew

Hey, what if there was a way to get paid to have someone else handle this for you? That would be crazy right

15 hours ago

dullcrisp

While practically that’s true of course, I think a hardware appliance that did this that you had to physically interact with to release the funds from would be cyberpunk and cool. Imagine exchanging a handful of currency chips for like a flying motorcycle or something.

13 hours ago

stouset

And when that hardware fails?

The problem with crypto is that every problem requires additional layers of complication which each have their own failure modes which then need to be further addressed. And the complication itself adds yet more ways to breed failure.

This is the fundamental challenge with a system where any mistake or error results in the instantaneous and irrevocable loss of unbounded funds.

8 hours ago

dullcrisp

If it fails, you can’t retrieve the money of course. Don’t put more than you can afford to lose on one chip.

an hour ago

stouset

You understand this is insane right?

17 minutes ago

mmaunder

SIPC and FDIC don’t protect against fraud.

2 hours ago

ForHackernews

> I will say, the BTC appreciation is a big attraction of course

What are the other desirable features of BTC?

a day ago

lotu

It’s great for laundering money.

21 hours ago

berkes

It is not.

It's not anonymous, but pseudononymous. It's a public ledger, for everyone to copy and analyze. It's a public ledger that's mathematically proven to not have mistakes in it.

Exchanges are highly regulated. KYC is rediculously tight.

Sure, Bitcoin allows one to flee/fly to some criminals' paradise with their entire wealth stored in their brain (or on a napkin). And as long as they keep the money in crypto or black, it's unstoppable, really.

But it's a terrible medium to turn black money into white money. One of the worst of all options, really. And that's what laundering is.

Now, it's used for laundering. But that's more because its a great and easy store of value in itself. Not because a public, tracable ledger without any anonymity other than pseudonimity is a great system for laundering, because it's the exact opposite of that.

And certainly, if you mix in monero, defi, otc-trades and -there they are- "corrupt bankers", crypto as a whole can turn black money into white, circumvent blockades, fund terrorism and whatnot. But hardly easier or simpler than paper-money, gold, and corrupt bankers already can.

20 hours ago

Sohcahtoa82

> But it's a terrible medium to turn black money into white money.

Isn't that what NFTs are for?

Create a stupid image, sell it on Open Sea as an NFT, bam, you've cleaned the money. Just claim it on your taxes similar to selling art and you're in the clear.

18 hours ago

bronson

So why is basically all ransomware paid in Bitcoin?

18 hours ago

berkes

That's not laundering. That's getting paid.

If you want to transfer money in a way that's unblockable, unceasable, and pseudonomic, Bitcoin is a good system.

If you want to then convert that into dollars, it's not.

Ransomware is paid in Bitcoin despite it being terrible to launder.

7 hours ago

bb88

Nobody wants some silly digital "coin". Everyone wants US greenbacks.

11 hours ago

berkes

Nobody wants US greenbacks. You can't even use them to stay warm for long.

What people want is the value it represents in a way they can manage that value.

I don't want fictional numbers in some asset fund that say I own zero point not not not 1 percent of some company in stocks either. Or even numbers that say I have money on an account. I don't want gold in my sock-drawer, either. It's the value this represents (and the trust that this value will give me real stuff that I actually need, like a pizza, in future).

Bitcoin, to many, over the years, has acquired this too. There's real and obvious proof that people trust that Bitcoin has value. Not all people. But enough.

7 hours ago

tugu77

Yeah, especially the people scamming others.

7 hours ago

derangedHorse

It isn't, banks are way better and cash is still king:

https://www.cnn.com/2024/10/10/investing/td-bank-settlement-...

https://www.icij.org/investigations/fincen-files/global-bank...

https://www.investopedia.com/stock-analysis/2013/investing-n...

https://www.coinbase.com/blog/fact-check-crypto-is-increasin...

Even from SWIFT: "Identified cases of laundering through cryptocurrencies remain relatively small compared to the volumes of cash laundered through traditional methods" https://www.swift.com/sites/default/files/files/swift_bae_re...

What you're saying is simply unsubstantiated.

6 hours ago

amelius

It's great for transferring ransoms. Basically a criminal's dream coming true.

20 hours ago

berkes

It is unstoppable, permissionless and pseudomic. All but the last is indeed this criminals dream.

But cash isn't pseudonomic, it's actually anonymous. It's even (practically) untracable. Cash is also unstoppable and permissionless. So it's far more a criminal's dream. Cash, however, isn't easy to transfer, especially larger values. It gets harder even if that transfer is internationally. Bitcoin solves that.

Bitcoin's upside of being very easy to transfer, sometimes outweigh its downside of being hard to launder, being tracable. But let's stop the myth that it's so much better than all existing systems to move criminal assets around, because it's not. It's complementary, not a holy grail. It really has a lot of weaknesses, especially to criminals' needs.

7 hours ago

dahart

What is making you think criminals are scared of pseudonyms, or that pseudonyms don’t provide all the real and practical benefits of anonymity most of the time? It’s not a myth that a lot of crime involves BTC right now, it’s a fact, regardless of the theoretical underpinnings or hypothetical weaknesses.

Cash comes with serial numbers, and occasionally gets traced. It’s about as effective as tracing pseudonyms, most of the time.

2 hours ago

henry2023

Non centralized proof of ownership is pretty cool.

21 hours ago

Analemma_

How is it non-centralized? Basically everybody actually using crypto uses exchanges.

20 hours ago

zaik

You don't have to.

19 hours ago

okanat

Then how would you exchange it with real money? There are few things that accept cryptographic coins as currency.

8 hours ago

berkes

Depending on how you use it, you mightn't need to exchange it often, or at all.

Companies that use it as hedge, or diversification, just need to "hold" it. Investors (not traders, there's a big difference) also commonly just "hodl" it. Also no need to exchange it. And several more such use-cases.

Sure, after a while, they might want to exchange it for something they "need". Like housing, healthcare, food, materials, etc. But often that's a one-time after years of not exchanging. And we still don't know how the future may look. Some believe Bitcoin is what we'll be paying with in a few decades (I don't, not really). I'm pretty sure I can buy almost any house for a few bitcoin, especially if that's "overpriced" in dollar-terms, today already.

6 hours ago

lolinder

> Companies that use it as hedge, or diversification, just need to "hold" it. Investors (not traders, there's a big difference) also commonly just "hodl" it. Also no need to exchange it.

In both of these cases the only value to "holding" it comes from the possibility of being able to exchange it if needed. While you might go a very long time without interacting with a centralized exchange, the Bitcoin is worthless for these use cases if there's no acceptable path to trading it for something else.

5 hours ago

bdangubic

he said “basically everyone” which is true. I don’t have to eat this large apple pie that is front me now but I’m about to :)

19 hours ago

TacticalCoder

> From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.

Not sufficient. You'd also need someone you trust 100% to have another seed protected as if it was the gold of Fort Knox. And then you'd only only use "multisig" to sign transfers.

And that other person needs to live on another continent.

And you both need a backup plan in case you die if you plan to leave these 0.1 Bitcoin to your heirs.

This makes the $5 wrench attack impossible to succeed. As to whether the attacker is willing to add gratuitous (because it's impossible it'd succeed) torture/killing to its list of crime is something else though.

> I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted...

I think mid-term to long-term people simply buy a Bitcoin ETF or stocks from a company holding shitloads of Bitcoins like MicroStrategy. Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland).

Keeping your own Bitcoins is not unlike keeping physical gold coins. It's doable but risky. Multisig really helps a lot but buying a Bitcoin ETF is simply easier. Open bank or broker website, click click. Done.

I'm not saying Satoshi's dream or the Bitcoin maximalists' dream is good old Wall Street manipulating Bitcoin's price using paper Bitcoin (silver ETFs were in big trouble in 2021) but what I'm saying is I think that's how it's going to end.

15 hours ago

itsoktocry

>I think mid-term to long-term people simply buy a Bitcoin ETF or stocks from a company holding shitloads of Bitcoins like MicroStrategy. Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland).

But what's the inherent value of BTC if it doesn't do the things it claims? What value does Michael Saylor owning a bunch of bitcoin, of which I have a pretend share, even have?

This is the paradox of Bitcoin. It's a really cool technology that's really hard for normies to use.

4 hours ago

derangedHorse

I partially agree, although I can see more companies offering these kinds of services in the future. Block already has a system with Bitkey, custody companies like Casa and Unchained are providing services as signers, and AnchorWatch is stepping in as both a custody and insurance provider at the institutional level. Despite the government's best efforts to limit participation from existing banks[1], other services are jumping through the arduous hoops of regulation to fill in the void.

[1] https://www.swanbitcoin.com/politics/biden-s-sab121-veto-sta...

6 hours ago

nytesky

I feel that crypto offers a different risk profile than say the gold ETF. There certainly is significant risk and expense to storing and securing the physical gold backing the ETF. I think it also needed to be audited as matching expected reserves occasionally?

But crypto has similar it and physical security costs at a minimum, though physical storage will be cheaper. Auditing maybe similar costs, I’m not quite sure how you confirm ownership of an address or pile of BTC without transactions?

The big risk is that these big holding companies of bitcoin become targets of state-scale cybercrime hacking armies. Can you imagine an adversary deploying constant attack on every facet of you IT infrastructure, from accessing the private keys presumably stored in hot wallets to support active trading to the interface where they may try interfere with client functions to all sorts of ends from theft to market manipulation.

14 hours ago

logifail

> Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland)

I'd suggest that holding precious metals without actually having physical metal under your exclusive control is essentially as flawed as holding crypto without exclusively holding the private key.

10 hours ago

ToucanLoucan

I have no doubt that at least some especially in the early days envisioned crypto as a legitimate alternative to fiat currency. That being said, in it's mature state as a technology, it amounts to nothing more than a clone of the modern financial system with a different set of oligarchs, except that it has far fewer consumer protections, and the nature of it makes implementing said protections in any way extremely difficult.

That combined with the extreme volatility of value that is not only endemic to any coin with meaningful usage, but is generally a goal of most coins, makes it only really useful as a speculative vehicle, and those same properties also make it uniquely bad in terms of a store of value to be used in commerce unless the seller also plans to speculate on the value.

And, even if you're good with all of that: Yes, the tech itself is decentralized, but if you don't have at least some background in basic software development or scripting, you're almost certainly going to end up using some product or another to manage your wallets and transactions, and while the wallet is anonymous, the accounts you connect the wallet to are often quite the opposite, and because of the structure of the chains, your entire transaction history is visible to everyone on the network, at all times. So it's private by default, but basically any casual user is immediately and forever doxxable.

a day ago

f33d5173

Xmr aims to be a digital cash, and basically achieves that. Btc has goals more akin to digital gold, hence being more useful to speculators than people buying things is somewhat intentional.

I don't know who the oligarchs you're talking about are. Buterin? Bankman Fried? In either case, their position is quite different from that of a banking titan.

5 hours ago

c22

> Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one’s Google account online.

This sounded absolutely crazy to me so I went to open Authenticator on my phone and lo and behold it offered me the option of linking to my account and "backing up my codes in the cloud" to which I declined.

But I had never seen this behavior before, so is this new? It did not seem to be enabled by default in my case.

2 days ago

Tester4675

What's crazy to me is that Google would allow access to a foreign device from a single click. It would be easy for a person to accidentally click it, or for a kid playing on their parents advice to click it when it popped up. I really can't understand why they wouldn't send a code that would have to be entered instead; it would be far less prone to those kinds of problems.

a day ago

vel0city

"foreign device" based on IP geolocation is pretty tricky and annoying.

My home in Texas had an IP address which a lot of databases had as supposedly being in Montreal. It was like that for years. Gotta love so many sites trying to default to French.

a day ago

UltraSane

As a network admin I have found that whitelisting only US address space for my companies IPs drastically reduces how many attacks we get.

a day ago

vel0city

As a person who had to deal with clients, I have found whitelisting to only "US address space" lead to lots of clients being unable to access the services until they were whitelisted.

As a person who had to deal with other associates, I also found whitelisting only US address space led to a number of people being unable to connect from their homes.

As a person who had this happen to them, I had quite a lot of frustrations with services insisting they couldn't provide me service because Texas is in Canada apparently.

a day ago

UltraSane

of course before implementing this I log all IPs and verify that we don't have any legitimate traffic coming from non-US IPs. and whitelisting a few IPs isn't a big deal. Of course a medium sized manufacturing company in the Midwest isn't going to have much need for people connecting to use outside the US.

I'm actually working to get rid of any public IPs that isn't a VPN access point.

21 hours ago

vel0city

> any legitimate traffic coming from non-US IPs.

If it's not actually reaching you to log in and what not, how do you know it's legit or not?

How do you know it's US traffic or not in the end?

I'm not saying it's not something anyone can reasonably do, but I've both been the gatekeeper required to implement/support such a policy and been someone burned by it. It shouldn't be assumed the block lists are actually that good.

18 hours ago

UltraSane

This is an argument over the accuracy of georeferencing IP addresses and in my experience it is adequate for my needs.

16 hours ago

vel0city

Je suppose que le Texas est au Québec.

16 hours ago

jsnell

How would a code help? The victim has already bought into the social engineering. If the person on the phone asks the user to read out a code, they will. If the person on the phone asks them to enter a code (i.e. the version of this kind of prompt where the user needs to enter a code on the phone matching the one showing on the login page), they will.

a day ago

shkkmo

Every step you make someone who is being socially engineered jumo through, is an extra chance for them to realize what is happening, especially if those steps contain warnings.

a day ago

UltraSane

Google only added this feature recently. I am really conflicted about this feature. Without it you need to either save every TOTP code when you first set up the account or manually disable 2FA on every account and then enable it again so you can enroll it on a new phone. I used it when migrating to my most recent cell phone but then disabled it. Of course you have to trust that Google actually deletes the codes from your account.

a day ago

ufmace

Yup. If you DON'T have this feature, you're depending on every user who has TOTP 2FA to actually save their backup codes somewhere they can retrieve ~years later or back up their TOTP some other way manually. Naturally, most users will fail to do this, so you'll have to deal with how to securely reset the accounts of people whose phones got lost or destroyed.

But then if you DO have it, you have to deal with the situation in this story, where if you can compromise their one key account, you get all of their TOTP codes too.

3 hours ago

emmelaich

Same with me, I had setup MFA using Google Auth for an important account I use.

Next day the phone broke, and I lost that account forever. I had not written the backup codes down anywhere.

19 hours ago

TimTheTinker

Generating and storing your passwords, OTPs, and passkeys in a fully E2EE system like 1Password is effectively a root of trust, although you also have to trust (a) the password manager company, (b) whatever third-party systems and devices they use to build and deliver their software, (c) the quality of their cryptosystem, and (d) whatever device you use to decrypt/access secrets in your vault.

20 hours ago

UltraSane

I trust 1Password. They are very open about how they encrypt data and how the key is derived. I like how they store your encrypted data locally in a SQLite DB. My only real concern is with storing passkeys because they cannot be stored locally yet and you are granting 1Password control over your access to any site you need a passkey stored with them. They are working on a passkey exporting process. I would feel better if I could have the same Passkey stored by 1Password and Azure and Google.

15 hours ago

tempestn

What is the advantage of passkeys compared to managing unique passwords with 1pw? Is there any tangible benefit to switching, besides that Google et al will stop hounding you to do so?

10 hours ago

UltraSane

Passkeys are asymmetric keys so a hacked site cannot leak the hash or even the plaintext of a passkey. And the private key is never exported to insecure hardware. Funny how so many Linux gurus have been shitting on using passwords for SSH for decades in favor of using SSH keys and now that there is an actually effort to use what are essentially SSH keys tied to a specific domain they are rejecting it.

7 hours ago

__turbobrew__

There is a big gap in the greater security landscape here. I personally use hardware authenticators for this reason, but I have to manually enrol each security key for each account.

Really what I would like is a root of trust which maybe is a cipher text which I can store in several physical locations, and then my security keys are derived from that root of trust. Then when I set up 2fa with a service it is using the root of trust and seeing that my security keys are is derived from that root of trust. This allows me to register the root of trust only once and then I can use any key derived from it.

a day ago

AgentME

Some cryptocurrency hardware wallets such as Trezor's are usable exactly how you want: they support fido2/webauthn and derive their keys from the recovery seed phrase. You can write down the recovery seed phrase, initialize other hardware wallets with the same recovery seed later on, and they will present to a computer as the same fido2/webauthn token.

20 hours ago

emmelaich

If it's hardware it can break or be lost or stolen.

19 hours ago

andyjohnson0

Just checked and Google authenticator seems to be synced to my account, which is a huge SPOF and not what I want. It's possible that I did this without realising, but does anyone know of a way to revert authenticator to local-only? I don't see anything obvious.

a day ago

michaelt

> It's possible that I did this without realising

IIRC on my platform, when they added the feature they turned it on by default, as an auto-installed update.

And if you're logged into the gmail app on the same device that also logs you into authenticator.

You didn't do anything wrong.

a day ago

tasuki

FWIW, I still remember recoiling in horror when I was asked whether I wanted to sync my Google Authenticator stuff.

a day ago

dmonitor

I remember getting prompted for it on iOS when they added it. I still have it turned off.

a day ago

andyjohnson0

> does anyone know of a way to revert authenticator to local-only?

To answer my own question: tap the profile pic (top right on Android) and choose the Use Without an Account option. Removes codes from cloud storage and any _other_ devices. Mentioned in TFA.

a day ago

rawgabbit

I am literally mind f** by the wording “Use Authenticator without an Account”. This is one of the most tortured and cryptic phrases I have seen. Government legalese is more straightforward than Google.

a day ago

from-nibly

You can't revert, they keys are sent, they have them. They can't un have them. You'll need to rotate your MFA.

a day ago

andyjohnson0

> You can't revert, they keys are sent, they have them. They can't un have them. You'll need to rotate your MFA.

Not true. See https://news.ycombinator.com/item?id=42471459

a day ago

shkkmo

You've missed the point entirely. The point is not that you can't recover the codes. The point is that if you are concerned about uploading codes due to the security implications (which most people on here are) then you need to do more than just disabling uploading, you also have to go rotate all the secrets that were uploaded.

a day ago

andyjohnson0

I understood the point, thanks. But I'm concerned about the scenario in the article, where someone did a device recovery and got access to the cloud synced auth codes.

I don't particularly like that my codes were apparently synced to Google's cloud without my being aware, or the ux that prevented me from noticing. But I'm pretty confident that, having disabled the cloud sync, Google no longer has my codes

(And in fact I verified this by installing the authenticator on a tablet before turning off sync on my phone. The codes vanished from the tablet.)

In principle, yes I should rotate all the secrets. Because google may have borked their data retention, or is just outright lying and keeping my secrets. In practice, though, for my personal account, I'm content that nothing has been compromised.

18 hours ago

shkkmo

> But I'm pretty confident that, having disabled the cloud sync, Google no longer has my codes

Based on just your intuition. Since you don't have access to the backend specs or code, assuming this isn't a responsible security practice. It is a shortcut you can choose to take personally but should never take with any professional credentials.

I'm going to point out that you responded "Not true." instead of adding a caveat about how you personally choose to ignore security best practices for personal accounts.

17 hours ago

andyjohnson0

> I'm going to point out that you responded "Not true."

I could have been clearer, but that was in response to the asserion of "you can't revert".

8 hours ago

mkbkn

Better option is to not use Google's TOTP app. Use something else

a day ago

criddell

I use Authy and it does this too. I like that I can get the code on my phone or tablet. I also keep paper copies of the original QR codes in a safe place.

a day ago

jeroenhd

The trick with Authy is to disable multi-device access unless you're in the process of adding another device, so hackers and scammers can't add their own devices to your account without your aid. If you leave the setting enabled, someone may get your TOTP secrets from Authy before you can stop them.

a day ago

mannykannot

If there is a trick to doing something securely, then that is already an automatic fail.

a day ago

tasuki

No. That's not "the trick". As soon as it's in the cloud, it's over, it's gone, you've lost the game.

a day ago

criddell

I've been using Authy for around ten years now, so I lost the game a decade ago and the consequences have been nothing and the benefits have been something. Not a bad loss IMHO.

a day ago

Natfan

You can just decode the QR code and use whatever secret is in there to generate the OTP codes. TOTP isn't that complicated, it's really just a second password that the system generates.

a day ago

nilamo

While true, I haven't yet seen an authenticator app that let's you just dump the topt code yet...

a day ago

kibibyte

1Password can show the whole URI with the seed, and I have used it in the past to tediously restore seeds to my other 2FA apps.

21 hours ago

acdha

It is at least relatively new. Years ago I had to try the Google “hard landing” account recovery process because it wasn’t happening, which is how I learned that they had that form going to an email address which had been deleted. Fortunately I had paper recovery codes in my safe.

a day ago

te0006

Google rolled out that hare-brained "improvement" in an update to Google Authenticator a few months ago, with the nice extra that for some users, when you dared unselecting the new cloud backup checkbox, the secrets stored in the app were instantly corrupted in some way, so you were locked out of your Google accounts immediately as a bonus <chef's kiss>. Happened to a family member, luckily they had a working emergency access method. We will never use Google Authenticator again.

Recommended alternative: 2FAS (https://play.google.com/store/apps/details?id=com.twofasapp) which allows you to import the secrets from Google Authenticator via QR codes, and has a local backup feature (e.g. to a USB drive).

a day ago

kibibyte

I was one of the fools who installed the iOS 7 beta onto a phone that I depended on with Google Authenticator. The app had a compatibility issue with that beta release that caused it to disappear all my 2FA seeds except, very fortunately, for my Gmail. There was a bit of a ruckus about this here https://news.ycombinator.com/item?id=6112077.

Since then, I always use at least two 2FA apps at the same time.

21 hours ago

aftbit

I used andOTP for years, until the author stopped working on it. While it still likely works fine, I've switched to Stratum, which likewise supports import from the Google Authenticator export QR codes as well as from andOTP, authy, and others.

a day ago

bsder

As a side question: How do I, as a novice, vet a 2FA?

This has all the "looks nice", but I have no reason to trust this recommendation over any other social engineering.

a day ago

te0006

My first impulse after ruling out Google Authenticator was to simply switch to Microsoft's Authenticator app (which I already had to use for a work-related thing anyway), thinking "of course MS would not make the same stupid mistake". Turns out they would, and they did. So alternatives from smaller vendors were the only option. In evaluating them, I focused on popular open-source solutions that had the features I deemed important (notably, local backup), and looked into the history, provenance and reputation of their vendors. Nevertheless, some risk will always remain.

18 hours ago

deathanatos

Ugh, yeah, that update.

You didn't have to do anything, either, the update just instantly corrupted some 2FAs. How can an app not do a TOTP? It's literally just math.

I had to recover a few MFAs from backup codes due to that.

21 hours ago

Symbiote

I'm shocked how often one of my ~50 colleagues asks me to reset their 2FA. It's every 6-8 weeks or so.

Their personal accounts will be affected in the same way (lost phone, new phone etc).

a day ago

Charon77

Was about to say this but yeah.

Big brains at google didn't understand the number '2' in 2FA

a day ago

karel-3d

They added this recently, because lots of people complained to Google that they lose their tokens; Authy and others started to gain traction because they did synchronization. Google was pretty much forced.

I know, 2FA loses the entire point when it's synchronized. But, well. People lose their stuff all the time!

a day ago

aftbit

I've had customers tell me that they cannot use email verification to meet a 2FA compliance requirement because it's not a second factor, but somehow SMS is. I always push back with "why not just good old TOTP" and the answer is that it's too easy for a customer to lose because it is only on their device. Like yeah... that's what makes it a real second factor.

a day ago

eadmund

It’s possible to synchronise secrets without sharing them with a third party: just encrypt them locally, transmit to third party, download to other device, decrypt.

This could be made easy for users by having each device share a public key with the third party (Google, in this case), then the authenticator app on one device could encrypt secrets for the other devices.

This would be vulnerable to Google lying about what a device’s public key is, of course, but enduring malice is less likely (and potentially more detectable) than one-time misbehaviour.

a day ago

michaelt

> It’s possible to synchronise secrets without sharing them with a third party

Sadly the problem Google is actually trying to solve is providing security for the dumbest people you've ever met. Dumbasses are entitled to security too!

I'm talking people who've lost access to their e-mail, and their phone number, and their 2FA all at once. Then they've also forgotten their password.

No password manager, no backup phone, no yubikeys, no printed codes, no recovery contacts, nothing.

a day ago

rawgabbit

You're describing the majority of my extended family. Some of whom are well educated and tech illiterate.

a day ago

naniwaduni

The active ingredient in 2FA as practically implemented for nearly everyone has never been the 2. It's mostly just not letting humans choose their entire password.

a day ago

marcosdumay

It's because everybody wants to put everything in 2FA protocols, because people just can't use passwords...

And the fact that one of those doesn't lead to the other passes way over their heads.

a day ago

mavhc

Most people wouldn't realise they can't recover their TOTP codes. But the hacker would still need to know your password surely

a day ago

poincaredisk

...so you agree that this is missing the '2' in 2FA?

a day ago

buran77

For "something you have" to be true to its purpose it has to be something that has one and only one copy - so either only you have it, or you don't, but nothing in between. The second you have "cloud backup", or activate an additional device, or "transfer to a new device" then you turn the attack into "phishing with extra steps".

a day ago

kibwen

You can support transferring to a new device without increasing the phishing risk, the transferral just needs to be done via a physical cable rather than via the cloud.

a day ago

buran77

I'll grant you that it's a better option but by no means good if you want to stand on the 2FA hill and put security first (only?). That "just" does a lot of heavy lifting.

The only time I'd consider transferring a secret like this is secure is within an HSM cluster. But these are exceptionally hardened devices, operating in very secure environments, managed by professionals.

Your TOTP seed on the other hand is stored on any of the thousands of types of phones, most of which can be (and are) outdated and about as secure as a sieve. These devices also have no standard protocol to transfer. Allowing the extraction via cable is still allowing the extraction, the cable "helps" with the transfer. Once you have the option to extract, as I said, you add some extra steps to an attack. Many if not most attacks would maybe be thwarted but a motivated attacker (and a potential payoff in the millions is a hell of a motivator) will find ways to exfiltrate the copy of the keys from the device even without a cable.

This is plain security vs. convenience. The backup to cloud exists because people lose/destroy the phones and with that their access to everything. The contactless transfer exists because there's no interoperability between phones, they used different connectors, etc. No access to the phone is a more pressing risk than phishing for most people, hence the convenience over security.

a day ago

crote

I think this is also the main drawback of physical U2F/FIDO2/Webauthn tokens: security-wise they are by far the best 2FA option out there, but in practice it quickly becomes quite awkward to use because it assumes you only own a single token which you permanently carry around.

Sure, when I make a new account I can easily enroll the token hanging on my keychain, but what about the backup token lying in my safe? Why can't I easily enroll that one as well? It's inconvenient enough that I don't think I could really recommend it to the average user...

a day ago

vel0city

I don't quite get this "I need to add every possible authenticator I have at account creation or I'm not doing it" kind of mentality I see a lot.

When I make an account, if I have at least two authenticators around me, I'll set up the hardware authenticators or make sure it's got a decent recovery set up. As time goes on I'll add the rest of them when it's convenient. If I don't have at least two at account creation or I don't trust their recovery workflow, I guess I'll just wait to add them. No big deal.

If I'm out and I make an account with $service but I only have my phone, I'll probably wait to add any authenticators. When I'm with my keys, I'll add my phone and my keyring authenticator to it. When I sit down at my desktop sometime in the next few days and I use $service I'll add my desktop and the token in my desk drawer to it. Next time I sit down with my laptop and use $service, I'll add that device too. Now I've got a ton of hardware authenticators to the account in question.

It's not like I want to make an account to $service, gotta run home and have all my devices around so I can set this up only this one time!

a day ago

poincaredisk

>When I make an account, if I have at least two authenticators around me

If you do, you're in a tiny minority of users. Well, even if you have one you're in a tiny minority, but having two laying around is extremely unusual.

a day ago

vel0city

Only because I bothered to buy a few. If they're making a new account they're probably on a device which can be an authenticator, i.e. a passkey. Is it rare for people to be far away from their keyring where they potentially have a car key and a house key and what not?

Do most people with hardware authenticators not also have laptops, desktops, or phones? They just have an authenticator, no other computers?

This person I replied to already has two hardware tokens. They probably also have a phone that can be used with passkeys, they probably also have a laptop which can be used with passkeys, they might also have a tablet or desktop which can be used with passkeys. That person probably has 3-6 authenticators, and is probably with two of them often if they carry keys regularly.

a day ago

plagiarist

I don't understand the existence of an HSM cluster. I thought HSM was meant to be a very "chain-of-custody" object, enabling scenarios like: cryptographically guarantee one can only publish firmware updates via the company processes.

a day ago

buran77

The HSM is more generic than that - a Hardware Security Module. It's just a hardware (usually, software... Hardware security modules exist...) device that securely stores your secret cryptographic material, like certificate private keys. The devices are exceptionally hardened both physically and the running software. In theory any attempts to attack them (physically open, or even turn them upside down to investigate them, or leave them unpowered for longer than some hours, attempt too many wrong passwords, etc.) results in the permanent deletion of all the cryptographic material inside. These can be server sized, or pocket sized, the concept is the same.

Their point is to ensure the private keys cannot be extracted, not even by the owner. So when you need to sign that firmware update, or log into a system, or decrypt something, you don't use a certificate (private key) file lying around that someone can just copy, you have the HSM safely handling that for you without the key ever leaving the HSM.

You can already guess the point of a cluster now. With only one HSM there's a real risk that a maintenance activity, malfunction, accident, or malicious act will lead to temporary unavailability or permanently losing all the keys. So you have many more HSMs duplicating the functionality and keys. So by design there must be a way to extract a copy and sync it to the other HSMs in the cluster. But again, these are exceptionally hardened HW and SW so this in incomparably more secure than any other transfer mechanism you'd run into day to day.

a day ago

plagiarist

Ah, got it. So in the event someone managed to get access, they are limited to signing things in that moment on that infrastructure. I can see how that would reduce the blast radius of a hack.

a day ago

crote

Ideally this would destroy the initial copy too - but forcing physical access would indeed be a great start.

a day ago

buran77

Even so, if you have a copy even for a fraction of a second then you can have two copies, or skip the deletion, or keep the temporary copy that was used during the transfer. Even the transfer process could fail and leave a temporary file behind with your secrets.

a day ago

radicality

I quite like Apple’s Advanced Data Protection, I set it up with two physical yubikeys recently. To login to iCloud/Apple on a new device that’s not part of your trusted devices, you must use the hardware token.

a day ago

mavhc

They'd have to know your password, and get you to click your 2FA accept button, that's 2 factors still

a day ago

donatj

About a year ago I got an email from an actual Coinbase email address telling me that my account had been compromised. It included a case number.

Trying to log in with my username and password did not work. Moments later I get a phone call, the caller id says that it is Coinbase. Guy on the phone with a thick German accent tells me he's calling about my account and gives me the case number from the email. I know damn well never to trust a phone call you did not initiate, so I'm kind of just stringing the dude along on the phone.

I remember that I had set up a passkey, and try it. I get in with that and immediately run to the emergency "lock my account" button. I tell the guy on the phone that I have clicked it and after a bit of "uhmmm..."-ing and "hmmm..."-ing he just hangs up.

I call Coinbase support and they verify some recent transactions and ask me to forward them the email, and that's that. I still have no idea what the actual attack was or how they changed or invalidated my password. Best I can tell they did not manage to actually get in to my account.

I ended up changing my password to just about everything out of caution.

a day ago

cute_boi

Last time I called boss money transfer, i called them and their real agents told me they must call me to verify. I was like, how would I know if it is boss money transfer or scammer. At the end I had to trust because voice was same.

a day ago

imp0cat

     how they changed or invalidated my password. 
Probably just too many invalid login attempts.
21 hours ago

bdndndndbve

I wonder if people who are "invested" in cryptocurrency are more susceptible to these kind of scams. There's a strong aspect of FOMO in getting people to buy imaginary internet money, and also in getting them to panic and fumble said internet money.

a day ago

chimen

One of the reasons I stay away from it is that, at least in recent years, every scam that I see taking place involves crypto. I have a lot of acquaintances and I can almost draw a line at this stage: the higher the "shadyness" of the person, the more they are invested or talking about crypto. I am yet, even tho I owned, to have had the need to use crypto in my daily/weekly/monthly/yearly life.

It is very easy to destroy lives with it as we can see in this case, and, making it harder to do so will work against the vary nature of this tech. This is a tough nut to crack but I think the space will remain filled with predators constantly baiting prey into the system with the promise of a big reward.

a day ago

mrguyorama

"You can't undo a transaction" is a core feature of crypto. This is hilarious, because in actual payment networks, it literally only benefits scammers.

Every consumer ever has at one point or another wanted or needed to reverse a transaction. Chargebacks are a FEATURE of credit cards.

a day ago

yokem55

Reversibility is great for consumers who are sending money in exchange for products and services. It can be a nightmare for people who receive the money and are providing the products and services.

And it isn't just businesses who carry this risk. If a business was depending on a large inflow to make payroll, and that inflow gets reversed, the people who are expecting payment for their labor also are subject to a payment reversal.

There's definitely a lot of benefits to reversibility, but it has very real costs and tradeoffs.

2 hours ago

BobaFloutist

You know how in old crime fiction there was often an episode with "bearer's bonds" where up top they define bearers bonds as "this just belongs to whoever holds it, so be very careful" and you just know they're going to get stolen immediately?

That's how I feel about crypto.

a day ago

nine_k

While "Nigerian spam" scams profit off simple-minded gullible people, cryptocurrency scams profit off sophisticated gullible people.

a day ago

Hilift

100%. It's been that way forever too. I've caught numerous people setting up mining crap, it's everywhere and anyone that shouldn't be trusted but is probably will be a vector.

3 hours ago

rs999gti

Traditional banks and the financial industry are generally sub-optimal, but at least if you are scammed, they will do their best to either recover your money or return you whole.

To have this safety, money and finances have to be centralized, regulated, and governed, all of which crypto doesn't have and doesn't want.

a day ago

cesarb

> they will do their best to either recover your money or return you whole.

And if they don't, the courts can force them to do it and give you some extra money for the trouble.

a day ago

foxglacier

No they won't. If you bank transfer money to a scammer, the bank won't refund you, nor can they recover it. If you give a scammer your bank access credentials, they also won't refund you because you broke the TOS.

a day ago

frereubu

9 hours ago

foxglacier

Wow

7 hours ago

Symbiote

They may well block the transaction before it's made, for cases like this.

19 hours ago

flooow

It's obviously going to be much much more difficult to steal $450K from an actual bank account and get clean away - you're going to need a lot more proof of identity than a google login. From that POV, owning a lot of cryptocurrency is painting a target on your back.

a day ago

nytesky

How do they identify their marks? A random firefighter seems like an odd target.

a day ago

derangedHorse

I found this video, titled 'To Catch a Scammer: How a real-life criminal steals your bitcoin' pretty informative. An employee is able to go into detail on how scammers find their marks: https://youtu.be/pskUt4ZjM4M

The video linked in the article by Junseth also goes over some of this.

6 hours ago

PleasureBot

Could just be people talking about crypto on social media directly saying that they own some. Would not be too hard to find accounts where you can clearly identify the person behind the twitter handle, facebook profile, instragram account or whatever talking about that online. We're only hearing about people who happened to lose a huge amount of money but lots of people probably fell for this scam and lost money on the scale of $100 or $1000.

21 hours ago

hn_user82179

that's a good point. People who follow crypto accounts on social media probably own some amount, so it's pretty easy to go from there.

19 hours ago

plagiarist

I wonder if it is just harder to give away several million dollars of government currency without being able to recover it? This is only an interesting story because it is so much money and because they are able to narrow the suspects down to a small group.

Cryptocurrencies are like speedrunning the discovery of why finance is regulated, though, that is certainly true.

a day ago

acdha

I think you’re saying the same thing from the other side: it’s definitely true that it’s harder to get or transfer large amounts of real money because the system has layers of protection due to past fraud, but those fraud protections also mean that most people can’t get the kind of paper profits which lure people to cryptocurrencies. This gives scammers the appealing target of a self-selected group of financially unsophisticated people who have chosen a system designed to make large scale theft easy and safe.

a day ago

namaria

I wonder if there's any one legitimate instance of a company calling you about compromised accounts and requiring your action. It seems to me that anyone reaching out and lighting a fire under your ass can be assumed to me a malicious actor.

Any notification asking you to confirm your identity that is not initiated by your actions should be immediately dismissed with a "no" and that should be all there is to such things, no?

2 days ago

MathMonkeyMan

Yes, but you have to know that.

I got a call from "Bank of America," and they smoothly talked me into giving them my debit card PIN. The trick was they had gotten into my online banking beforehand. "We've detected possibly fraudulent activity on your account." Then they read me real transactions from my actual account. "To be safe, let's lock down the account. For this we need more information for authentication, though." Probably started from a phishing thing that I fell for online without noticing. It was pretty clever of them. Not so easy to steal from a checking account without leaving a trail, unless you have the PIN. Then the main risk is to whomever was on camera at the ATM withdrawing as much cash as possible before the account was automatically locked down.

The next day, I got a call from "Bank of America" telling me that I'd been had. Fortunately they just credited the money back into my account. About $5000.

The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."

The article's advice is correct. If someone asks you for info, tell them you'll call them back. It is almost certainly a scam. Calling back the possibly spoofed number at worst wastes a little time being on hold, and at best saves you or the bank a lot of money.

a day ago

Majromax

> Calling back the possibly spoofed number

Don't call back the number possibly being spoofed (i.e. using your Caller ID as the source of the callback number). Call an independently-listed number for the company, such as the phone number on the back of a credit or debit card. Using an independent number prevents any failures where the Caller ID correctly reports an attacker-controlled but plausible-sounding number.

For extra paranoia and safety, perform the callback from a separate phone line. That would avoid at least some of the more-targeted attacks involving a compromise of the victim's phone connection, which could potentially allow the attacker to redirect outgoing calls.

a day ago

01HNNWZ0MV43FF

"Hang up, look up, call back"

a day ago

crote

> The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."

Unfortunately physical branches are expensive to maintain, so a lot of banks have been closing them down. There are even plenty of banks with zero physical branches now. All contact is via phone or email, so there is no scam-proof way for them to contact you.

a day ago

pavel_lishin

They don't have to have a scam-proof way to contact me. They just need to give me a way to contact them.

That way, any phone call or email to me can be immediately ended with me saying "Thanks, I'll call the number on the back of my card," and hanging up.

a day ago

vel0city

Exactly this. Send me a call or text message that maybe I should go look at my account. If I log in through my normal trusted process and everything looks OK, then I can assume it's not legit.

Most banks seem to have some kind of internal message center within the application that is just for bank to client communications. That's the place to authoritatively tell me something needs to happen and what potential next steps would be.

a day ago

crtasm

How were they able to use an ATM without having your card?

I recommend not calling back the incoming number even if you think it's real and spoofed, always look it up on the bank's website.

a day ago

vel0city

Depends on the time frame and the ATMs being used.

I don't think all ATMs require chipped cards yet, and its still common to have a debit card issued with a magstripe. If the GP used their debit card to pay for things it could have easily been duped. My bank issued me a new card for an account a few years ago; it still has a magstripe and I assume can still be used at magstripe-only ATMs.

If it was even a few years ago, a lot of ATMs would have still worked with just a stripe. It's a bit more difficult to find these days, but old ATMs still running OS/2 WARP are still around and kicking.

Its frustrating so many banks and what not are still issuing cards with magstripes. These days wipe the cards I use most with a magnet to try and mess up the magstripe. I don't want to ever use it. Generally speaking, if they can't take chipped cards, tap to pay, or cash I'm not doing business with them.

a day ago

crtasm

Yeah I get that the magstripe can be copied, but GP was referring to a phishing attack.

17 hours ago

vel0city

They probably copied the magstripe, but couldn't do a straight at withdraw without stripe+pin.

Far easier to track/reverse a debit transaction done as a credit card network than debit requiring PIN.

16 hours ago

MathMonkeyMan

My understanding is that they had a programmable card. This might have been just before chips became widespread in America. Or, maybe there's still a way to withdraw with only the information visible on the card.

a day ago

plagiarist

Here's a thing that is enraging, though: when a bank has SMS 2FA (insecure if you're being targeted but better than nothing) and they keep having you enter that into third-party websites. I mean going to a legitimate business, making a purchase with a credit card, and then the bank wants 2FA to validate a purchase instead of a login? Fuck off, I'll use a different card, then.

If it weren't for bullshit FICO calculations I would drop that account entirely.

a day ago

rcxdude

Banks are pretty good at doing an impression of phishing scams, unfortunately. Almost every red flag for a scammer has also been done by a bank, legitimately.

a day ago

adrianmsmith

There was a comment on Hacker News, which alas I can no longer locate, where a guy said he'd been called by his bank and the bank wanted him to answer various security questions. He said he was happy to do so, but firstly needed the bank to verify who they were, or to call the bank back on a telephone number on their website. The bank refused, so he refused to give them any details. The bank then blocked his bank account, meaning he couldn't pay his university tuition on time, meaning his student visa was no longer valid as he was no longer "studying", meaning he had to leave the country.

a day ago

namaria

A bank blocked an account because they called someone and that person didn't provide them with personal data? That sounds unlikely.

a day ago

rcxdude

I've definitely experienced the first half of the story: banks really will do dumb things like this and then be surprised when someone is upset by it (anti-fraud protection tends to be the worst: a text-message from a random unaffiliated number with another unaffiliated number to call, where you must then provide account details in order to get your card unblocked, and trying to call the official number and go through the phone tree does in fact, eventually, tell you that it was legitimate, but only after hours of being batted between departments).

a day ago

namaria

That's not the half I have trouble believing.

7 hours ago

adrianmsmith

Banks do have obligations under AML and KYC laws to get information from their customers. I mean I know a single phone call sounds extreme, but I could believe it.

My bank (in the EU) wrote to me a while back (post, no copy to email, no sms, no phone call, etc.) saying if I didn't provide info on certain recent transactions (my salary) they'd block my account in two weeks. Thankfully I wasn't on vacation and saw the letter and answered and it was all OK.

a day ago

namaria

Having information about you (that you provide when opening the account) is entirely different from calling you out of the blue after you already have an active account for long enough that you trust and depend on it for your migration status. Refusing then is in no way breaching AML/KYC requirements. They would ask them to validate the identity on the call, not to gather regulatory data on their client. If they didn't have any info and were to "call as ask" how would they know it's the right person and data anyway?

How is a bank not validating one phone call grounds for freezing funds?

7 hours ago

ryao

I am not surprised. I know of a bank that disabled a credit card following a single missed payment for the crime of failing to answer a phone call.

a day ago

ElevenLathe

This is one of the reasons I use a local credit union with a handful of branches only in my region. I can always re-establish trust by just walking into a branch to do business, and likewise they can always just ask me to walk in with my driver's license if they need to verify that I'm really me.

a day ago

michaelt

A reasonable decision in your case, no doubt.

But the mentions of "his student visa was no longer valid [...] meaning he had to leave the country" make me think walking to a local bank branch might not have been an easy option in the post adrianmsmith recalls.

a day ago

ElevenLathe

Absolutely agree! I only brought it up because it seems like, in our quest for efficiency, we are rapidly heading for a world where we try to delegate trust to outside entities (like tech companies, megabanks, or far-off government departments in Washington, D.C.) but, fundamentally, what makes financial transactions work (with anything other than physical currency), is actual real trust between parties. This is how the great banking houses of Europe began, it's how remittance networks still work in much of the global south, and its how the Jimmy Stewart-style small town bank once functioned. National banks with lots of local branches are an approximation of this, but the "branches" keep getting less and less bank-like: there is no "president" at the BoA branch inside Kroger, just somebody with a pulse who can technically pass a background check far enough to get bonded. Finally, many of the big banks are just closing these far-flung branches altogether. Bank of America &co. may get many advantages from their enormous scale, but they may be undermining their own foundations in the name of cost savings by trying to cheap out on "customer service" as if banking were just another kind of retailing and trust wasn't central to their entire business.

They probably know this and don't care because it won't happen this quarter or likely even this fiscal year, so it doesn't matter to anyone in charge. But it does matter to ordinary people trying to conduct their lives without being irreversibly de-personed by a flakey customer service bot.

a day ago

throwway120385

I understand the desire to be skeptical, but maybe you should give individuals the benefit of the doubt and the giant multinational corporation the skepticism.

a day ago

namaria

I'm being skeptical about something someone wrote online about something the read online. Don't make this about ethics.

7 hours ago

athenot

This.

Also healthcare providers, though they seem to have finally wised up. They would call me from poorly configured phone systems (so unrecognizable caller id) and the first thing they would ask is to confirm full name and date of birth.

Patterns like this do a great deal of damage in desensitizing folks and making them accept dangerous patterns that get exploited by scams.

a day ago

hollerith

Even if you recognized it, the number shown by Caller ID is easy for the caller to spoof -- or at least it was a few years ago (the last time I paid attention).

a day ago

athenot

Thankfully that part has vastly improved with STIR/SHAKEN, combined with number reputation management.

a day ago

ipython

The problem with that, at least on my experience with iPhone, is you can only get the authentication signal after you’ve already hung up. The only thing I see is a small checkmark next to the “location” of the call in my recent call log. I can’t find any indication of a stir/shaken status in the active call screen.

So asking people to take the step to confirm the call is legitimate won’t work- they can’t tell until they’ve already terminated the call. It’s useless for purpose imo.

a day ago

vel0city

On my Pixel some calls just get auto-rejected. Others will get through but be marked with a red caution symbol for the picture and say "Scam Likely". Then finally sometimes the call will come through with just the number but still have that red caution symbol.

I imagine it is doing something with STIR/SHAKEN along with how many other times similar calls have been flagged as spam calls.

a day ago

ipython

My carrier has a similar “scam likely” feature but afaik that is not directly tied to stir/shaken. I’ve also signed up to have calls rejected and can see them in the carrier app.

I have reported at least a thousand different scam calls over the past two years and so my blocked number list is so large it freezes the phone for a minute or so while it loads. Still the scammers persist…

a day ago

ryao

I remember when I used Ting, I could specify what would appear as caller id. If I had wanted to abuse this, I could easily have had it display whatever number I wanted instead of my name. Since a number of phones would display the caller id instead of the number when caller id was available, nobody would know that the number was not real. I am not sure if this has changed at all.

a day ago

ryao

I have had my telephone company ask me to give them a code sent to my device. It is presumably to prove to the company that the representative is talking to me so that bad actors low in the company cannot start randomly messing with people’s accounts. It is the equivalent of the bad click here. The only real defense is to know the difference between a mechanism meant to authorize someone a the company and a mechanism to authorize you. Confuse the latter for the former like the victim did here and bad things will happen.

a day ago

braveyellowtoad

Interesting. Was that after you called them or they called you?

15 hours ago

ryao

It was when I called them.

5 hours ago

nottorp

Banks maybe, but Google? Google only has "AI" support and that doesn't call us yet. So it's safe to assume that any call from Google is fake.

a day ago

SoftTalker

Yeah Google will never call you about your free gmail account, just as Microsoft will never call you about a virus on your home computer.

12 hours ago

benhurmarcel

I’ve had my bank call me because of dubious online purchases, asking if it was me. The call was legitimate and my card number had been skimmed.

2 hours ago

omoikane

If some bank calls you about compromised accounts, the recommended action should be to hang up, find the official phone number for your bank, wait one minute[1], then call back.

[1] You have to wait or call from a different phone, because the call might not terminate immediately, and the scammer might still be listening on the line.

https://security.stackexchange.com/a/100342

a day ago

jeroenhd

Sometimes there are good reasons for a bank to call you. The infuriating part is that not every bank has a quickly accessible number to call back if you don't trust the caller. Caller ID may be useless, but me calling the official number for my bank is pretty hard to fake (unless my carrier is part of the scam).

My bank has a button inside the app that will confirm that a real bank representative is calling you, or provides a button to call the bank's emergency line if they're not. It's a simple and effective way of preventing scams that I think more banks should implement.

a day ago

ryao

A ss7 attack could make your carrier part of the scam without their knowledge, such that calling back the number will connect you to the scammer and not the bank.

a day ago

yorer

Ideally yes no one would fall for that. But these type of attacks doesn't just rely on solely ignorance. They introduced urgency, the fight or flight situation. Plus the first guy in the article got caught up in bad timing where his mental condition aren't right with his kid crying, his wife yelling etc.

a day ago

simonw

The defining feature of crypto - decentralized, irreversible, no "higher power" you can go to in order to get your money back - turns out to be the thing that burns people ALL the time.

20 hours ago

derangedHorse

Surprisingly, there's also no "higher power" to get your money back from scams using traditional banking rails as well. I have family members who have lost thousands from bank transfers to legally registered companies that establish legitimacy through having a business bank account. It usually takes forever to shut them down, even after hundreds of thousands of reports from people like me who recognize what they are early on.

Many haven't actually lost money in significant ways through bank transfers, but when it does happen, the disillusionment of institutional security really falls away. Additionally, governments are slow and ineffective, so when these companies do get caught with class action lawsuits, they usually don't have anything to return.

5 hours ago

mouse_

Lots of people still don't quite understand their debit card. No way they're going to learn how private keys work.

Still might some sense as an institutional store of value though I guess.

19 hours ago

stouset

Maybe but this shit is hard for institutions too. There are so many sharp edges.

Even in a well-respected fintech with responsible, talented people I’ve seen: safe deposit boxes get lost (literally no idea where in the world they actually are), go missing (the bank relocates or closes and disposes of them without notification) or become destroyed (fire, flood). I have seen industrial-grade hardware security modules spontaneously corrupt all the internal keys, happily continuing to produce “encrypted” output which can never be decrypted.

Building crypto offerings at scale that can survive the myriad unknown unknowns of real world and hardware failures that can affect both paper and hardware wallets is a really difficult problem. Not impossible, but the stakes are extreme and getting one thing wrong that leads to the loss of a cold wallet can easily lead to total ruin.

Even if “only” a hot wallet gets popped, the instantaneous and irrevocable loss of those funds needs to be offset by a comparatively large amount of operating profit.

At least with the traditional banking system there are a lot of safeguards in place.

8 hours ago

101008

I couldn't find it from the article, but how the scammer got access to the Gmail account? How he triggered that prompt in the victim's phone, and what did it mean?

It feels something is missing here?

Edit: Well, I learnt about Google Prompts today: https://support.google.com/accounts/answer/7026266?hl=en&co=...

Basically someone can request access to your account and if you click Yes, they do access it.

This part from a Reddit thread [1] scared me a bit:

> The notification pops up on my screen over whatever I am doing, and if I'm using my phone, I worry that I might accidentally hit YES (it almost happened today).

1: https://www.reddit.com/r/techsupport/comments/ccd304/someone...

16 hours ago

layman51

I had read of this attack back in September[1]. It seems very sophisticated because they spoof a phone number that at first glance is associated with Google, but is really just the “uncanny-valley” Google Assistant service that can check wait times or make reservations on your behalf.

Does Google even offer live-person support if you’re not their Workspace customer?

Also, one other difference is that apparently the attackers may have been using Salesforce to send the emails. Maybe they were using a trial or developer edition? I believe those can send out emails too, but they are very limited. So this must be a very targeted kind of attack. The scary part is that the attacker’s emails pass SPF, DKIM, and DMARC. There’s a technical write-up I found about this aspect of the attack.[2]

[1]: https://sammitrovic.com/infosec/gmail-account-takeover-super...

[2]: https://docs.google.com/document/d/1xrJsRBcGj9x2mMvRoKLG4ANS...

21 hours ago

darknavi

> Does Google even offer live-person support if you’re not their Workspace customer?

Not really. That's the giant red flag behind committing to a gmail, outlook, etc. account. If it gets messed up you're at the whim of "on-rail" support and if you need anything more all you can do is shout into social media and hope a stray employee feels bad for you.

21 hours ago

smoothgrammer

Yes they do. If you subscribe to Google One.

https://support.google.com/googleone/

19 hours ago

buttercraft

“In Soundcloud’s instance, part of declaring your innocence is you have to give them your home address and everything else, and it says right on there, ‘this will be provided to the person making the copyright claim.'”

Good job helping the scammers, SoundCloud. WTF

a day ago

can16358p

While this is devastating, the lesson that we should all remember:

Never, ever, no matter the circumstances, store private keys (or seed phrases) on photos. Especially if those photos are synchronized to the cloud.

Hand-write them, store them in a safe and secure PHYSICAL location.

Of course we're humans, we make mistakes, and we usually start with small amounts of money that we can lose where it would be unnecessary to take all these precautions, but we still need to regularly remind ourselves to avoid disasters like this in the self-custody world.

13 hours ago

ufmace

I think a lot of people bought some crypto early on when it was really cheap, were kind of sloppy about the security of things, and then left it alone and ignored everything while it went up by 10,000x in value. Now when their account is worth hundreds of thousands of dollars, their security is pretty inadequate for something with that actual value.

34 minutes ago

shusaku

Honestly, that part of the story seemed completely unbelievable. I mean I get that someone might stare such a photo in the cloud, but hackers are really going to run a scam on him and then sift through photos thinking “maybe?”

9 hours ago

panstromek

I'd assume there's some model for finding those kinds of photos

6 hours ago

zem

or store them in some encrypted form that you know how to reverse easily but which would take an attacker more trouble than it was worth to break.

10 hours ago

ipython

Ok but you have to balance that with the risk that your PHYSICAL item will be lost, stolen, or destroyed. What happens then?

The problem is that the security protocols required to keep cryptocurrency safe are simply untenable for any mere mortal. But hey, we keep blaming the victims… because they didn’t know the one simple trick to keep their Bitcoin safe!

13 hours ago

the__alchemist

The start of the article and comments thus far focus on the authenticator/Google account scam. I think a separate topic of note is taking a photo of the wallet recovery words [on an internet-connectable device]. This was, IMO, the primary mistake the user made. (And an easy one to make if you don't consider its consequences)

a day ago

andrewflnr

What I want to know is if the attackers knew that the photo was there, and if so, how. Or were they just planning to get into the victim's gmail and exploit whatever they found?

a day ago

_heimdall

I hadn't considered that use of Google Forms to send emails from a Google domain. That's a pretty huge security risk, technically it doesn't risk your zgiogle account but the phishing and impersonation risks for Google are huge.

3 hours ago

vouaobrasil

I feel like attacks like this would be much harder if we had never adopted HTML emails. Then it would make more intuitive sense (for the user) for an institution to write:

(1) Go to our website

(2) Login and check your account

Of course, leigitimate emails do that now, but because of the way we've been trained to "click" (such as "click to verify your email"), this conditioning carries over to phishing and other attacks, whereas that would be impossible with plain text. With plain text, the email verification would have to be "paste this code into a box".

a day ago

MathMonkeyMan

Email clients would probably still parse URLs into links. People would click them. Then people would prefer links that didn't look like gobbledygook, so email clients would start supporting extensions like parsing of [markdown-style links](https://gobbledygook.com/ddkf878dfjlsfd). And then we would arrive at HTML.

a day ago

mdaniel

> Then people would prefer links that didn't look like gobbledygook

Well, I can say with relative confidence that people prefer those links but _marketers_ prefer hxxps://awsmail.me/b64trustmebro/8675309== that leads who fucking knows where

15 hours ago

duckmysick

My favorite bit:

> More importantly, Tony recognized the voice of “Daniel from Google” when it was featured in an interview by Junseth, a podcaster who covers cryptocurrency scams. The same voice that had coaxed Tony out of his considerable cryptocurrency holdings just days earlier also had tried to phish Junseth, who played along for several minutes before revealing he knew it was a scam.

> [...]

> Daniel told Junseth he and his co-conspirators had just scored a $1.2 million theft that was still pending on the bitcoin investment platform SwanBitcoin. In response, Junseth tagged SwanBitcoin in a post about his podcast on Twitter/X, and the CEO of Swan quickly replied that they caught the $1.2 million transaction that morning.

> Apparently, Daniel didn’t appreciate having his voice broadcast to the world (or his $1.2 million bitcoin heist disrupted) because according to Junseth someone submitted a baseless copyright infringement claim about it to Soundcloud, which was hosting the recording.

> The complaint alleged the recording included a copyrighted song, but that wasn’t true: Junseth later posted a raw version of the recording to Telegram, and it clearly had no music in the background. Nevertheless, Soundcloud removed the audio file.

DMCA enabling bad actors to cover their tracks was not on my bingo list.

a day ago

dessimus

Are there examples of DMCA being used in a positive manner?

a day ago

andrewflnr

You mean besides literally all the times when people upload raw copyrighted movies and music to YouTube? DMCA is boring and un-newsworthy when it's working properly. (Unless you're the type who thinks copyright is inherently wrong, but it would then be very silly to ask if DMCA was ever "used in a manner".)

a day ago

Dansvidania

I am maybe missing something obvious here, but isn't it suspicious that these attacks "affecting a small number of google users" happened to "hit" two people with significant cryptocurrency holdings?

a day ago

tantalor

Maybe the attackers already knew through some other means that they had large crypto holdings, i.e., spear phishing.

a day ago

psychoslave

How stressful it must be as an experience to go through.

Having nothing to be robbed from is such an underrated means to live in serenity.

a day ago

pico303

I always tell people to take control of the situation and stay calm. If “Google” or someone contacts you about a problem, simply hang up or ignore the email, look up the company’s info online, and contact the company directly.

16 hours ago

SMAAART

45 BTC (as in the screenshots) is not 500K, it's 4.5M

3 hours ago

o999

Almost all scammers use more or less the same trick, they try to trigger a fear or greed rush with their message/call, so you don't get a chance to question authenticity of what you read or hear.

That is also what many salespersons do to get you to buy what you don't need nor even want, you cannot miss this limited time discount.

Always stop for a moment and be skeptical, caller ID can be spoofed, email addresd can have ä or ē in the domain that you won't notice if you don't look carefully.

17 hours ago

ryao

I have a simple defense against this. I use a special email account for financial information that only my email provider, myself and my financial institutions know to exist. Even if I tap yes instead of no by mistake on a prompt like this, my financial accounts are safe unless the attacker breaches my bank to find out the email account I use with them first.

a day ago

pavel_lishin

> my financial accounts are safe unless the attacker breaches my bank to find out the email account I use with them first.

It's entirely possible that someone can accomplish this with a phone call to your financial institution's customer help line.

"Oh gosh, I'm sorry, I forgot whether I used my email address or my wife's for this account - can you tell me what's on file?"

a day ago

ryao

I wonder how that would work if they cannot prove my identity first by telling the representative a code sent to my phone number. I would expect the bank to tell the attacker to go into the local branch with identification.

a day ago

doublerabbit

Social Engineering. You would expect the bank too but not so. These scummy people are good at manipulation.

Humans are very exploitable.

"Im ever so sorry; but I am unable to get to the bank right now, my mother was in an accident and I need to get to the hospital in 30 minutes. Is there any other way?" "No? Can you do it for me".

Playing empathy over the phone gets you places as does wearing a workers Hi-Vis jacket to get in to back stage at festivals.

a day ago

ryao

My bank would happily say too bad. I have had them insist on getting me into the branch for absurd things in the past.

5 hours ago

pjdesno

It seems like the common thread here is that the thefts were of cryptocurrency, rather than real assets in a financial system with safeguards. You can still get robbed of those assets, but it leaves a far stronger paper trail to catch the perpetrators.

a day ago

potato3732842

The difference is that we haven't spent a century building up police organizations, bureaucracies, processes and international working relationships to track down crypto crime the way we have for "normal" financial crimes.

You would track down this crypto in just about the same way you'd track down a fraudulently ordered wire transfer that was cashed out. Records would be requested, IP's and timestamps recorded, more records would be requested from other parties based on those, and so on and so on. The difference is that it's somebody's job to go after those. It's nobody's job to go after this.

a day ago

Vegenoid

It’s the classic tradeoff of freedom vs. security. It’s the biggest reason I can’t foresee myself storing substantial amounts of cryptocurrency. I just want to hand my hard earned money to a financial institution and not have to think about it too much.

a day ago

drcongo

The red-flag he should have spotted was Google "Support".

a day ago

coldcode

The idea that Google would spend money to help a non-business user for anything is beyond unlikely.

a day ago

Atotalnoob

They don’t even support businesses. We pay for whatever the highest tier of support is.

We have been emailing our TAM (or whatever Google calls them) for weeks (and opening tickets)

They keep giving us the same fucking documentation link.

Literally useless.

Another instance we were using code from their docs and they refused to help saying they don’t look at code ever

21 hours ago

MichaelZuo

The highest enterprise support tiers at Google cost millions of dollars per month… you probably mean the highest listed on their website for small to medium businesses.

20 hours ago

Atotalnoob

No, it’s in the millions.

20 hours ago

MichaelZuo

Then it’s pretty suprising considering your company would have a direct line to multiple senior people at Mountain View…

13 hours ago

Dansvidania

I mean, the email says it's from Google Forms. Is that not suspect enough?

a day ago

michaelt

Unfortunately, when a person is getting support from a large corporation it's completely routine and normal for the follow-up e-mail to have random extra branding like "zendesk" or "atlassian" or "salesforce"

It's a clever move by the scammers - I can see how people would fall for it.

a day ago

tdiff

So the attacker has known in advance that the secret was stored in google photos? Is it a common way to store passwords, or is some piece missing here?

a day ago

dmonitor

Likely a common way to store recovery codes. Similar to those bots that scrape github for API keys

a day ago

UltraSane

That is one really nasty aspect of cryptocurrency. They make theft cryptographically irreversible. And you can watch the thieves spend your money!

a day ago

yapyap

Losing a fortune with one bad click is not a new thing or all that rare, stock betting is all the same.

Idk I just think the title is pretty lame and generalizes a pretty informative phishing article, in a bad way.

6 hours ago

tugu77

Easy for me to be a smartass in hindsight, but I can't resist:

> Unfortunately for Griffin, years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet.

Um, duh...

> "[...] I put my seed phrase into a phishing site, and that was it.”

>Almost immediately, all of the funds he was planning to save for retirement and for his children’s college fund were drained from his account.

Um, duh. First mistake to put all eggs in a single basket. Second mistake, this basket was a cryptocurrency. Third mistake, pasting the secret key to that _anywhere_.

7 hours ago

fortran77

How did the scammers know these people were likely to have significant amount of crypto in the first place?

4 hours ago

Zopieux

>ultimately seized control over the account by convincing him to click “yes” to a Google [2FA] prompt on his mobile device

Stopped reading there. What more can we do to protect people from their own stupidity (and I'm not talking about the crypto "investment" part)?

18 hours ago

cute_boi

Never Trust a call you didn't initiate.

a day ago

deathanatos

I wholehearted agree with your mantra. But I need banks and other businesses to learn this. Particularly banks.

My bank has literally called me with what amounts to "ur being haxxor3d", and like … who are you? The representative literally would not tell me who he worked for. I was 210% sure it was a scam, and hung up on him. Turned out, it was legit.¹

Companies need to make sure their own operations don't bear the trappings of fraud.

¹(I don't regret hanging up, though. Calling back to a known, published-by-the-business-itself number is the right thing to do.)

20 hours ago

SoftTalker

Yeah I got a similar call once from someone, maybe a credit card company, and the first question was "to verify your identity we need the last four digits of your social security number" and I was like wait a minute, you called me. What are the last four digits of YOUR social security number?

12 hours ago

plagiarist

> By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app.

When business guys are involved in a security app. Many of us can easily imagine the "user story" that caused this.

a day ago

vel0city

Just look at the probably hundreds or more comments here through the years of people bashing Google for having their authenticator app not sync TOTP secrets to the cloud. For the longest time it was pulling teeth to get the app to surrender the TOTP secrets saved inside.

Google listened.

a day ago

ht85

The wallet name was exodus, how fitting :D

20 hours ago

VoodooJuJu

If you're so rich, why aren't you so smart? is the burning question here.

It's mind-boggling to me how crypto guys can be simultaneously savvy enough to be involved in crypto, to the tune of millions of dollars, but also retarded enough to fall for stuff like this.

a day ago

jlund-molfese

It's not really a matter of intelligence, and nobody's smart 100% of the time.

Let's take the average person on this forum, who's probably pretty tech savvy. Their odds of falling for a scam on a given day might be 1 in a billion. But when they're exhausted after work, they might be 10X likelier to fall for a scam. Another 10X when they're stressed out about family life, or going through a breakup. Another 10X when they're out drinking with their friends. And so on.

Eventually, whether it's due to age or other factors, everyone gets to be in situations where they're susceptible to scams. And scammers are experts at emotional manipulation, exploiting fear and embarrassment.

18 hours ago

bdangubic

100% - yes - if you follow simple rules

18 hours ago

Fokamul

Holding $500k in hot wallet, this man is braindead...

a day ago

joezydeco

Are these spammers just lucky or is there something that lets them sniff blood in the water and specifically target people holding large amounts of crypto?

a day ago

samatman

It wasn't a hot wallet, he had taken a photo of his seed and then left it in Google photos.

So your conclusion is sound but your premise is invalid.

a day ago

megablast

> Daniel told Tony his account was being accessed by someone in Frankfurt, Germany, and that he could evict the hacker and recover access to the account by clicking “yes” to the prompt that Google was going to send to his phone.

Come on.

13 hours ago