Hacker News new | past | comments | ask | show | jobs | submit login
How to lose a fortune with one bad click (krebsonsecurity.com)
355 points by todsacerdoti 6 days ago | hide | past | favorite | 364 comments





I had these people call me the other day. I got a text message alerting me of a potential Google account security issue they had blocked and they I should expect a call. I also got one of those emails and an automated phone call. The automated phone call had me dial 1 if I wanted a call back from support to help recover my account.

I got a call from a very professional sounding woman assuring me she was with Google and they had discovered some potentially fraudulent activity with my Google account in Frankfurt. They said they had locked down my account to protect it but they would walk me through recovering it.

I knew this was impossible, because the Google account in question doesn't have passwords. It has a couple of passkeys which are all physical hardware tokens in my home. But I wanted to see how pushy they would get.

Turned into a half hour phone call with me playing dumb (was watching my kid's sports practice, nothing to do for a half hour but cheer him on). Eventually when I was done with it I let them know I was in the process of filing the report with the federal cybercrime department. Immediately hung up from that.


> I knew this was impossible, because…

There’s an easier tell. It’s impossible because you can’t to get Google to help you at all about any account issues, never mind them being as proactive as to call you.

In other words if Google call you, it’s not Google.

It’s slightly depressing that there are probably more fake Google support staff than real ones.


I feel Google, Facebook, etc. all need to setup actual phone numbers and chat rooms, and make them rank highly on searches for "Google support phone number", "Google fraud department", "Google account recovery department", "Google Live Support Chat" etc.

Then those numbers should simply play a message that this is the only official phone number, and no human will ever call from or answer this number, and the company does not offer customer support or appeals to account problems.

They also need to make searching for fraud phone numbers return anti-fraud messaging rather than what it currently does. Seems like the entire 844-906 exchange is fraudulent [1].

I had a family member that just got scammed because they panicked after their Facebook account got banned, basically exactly like [2].

[1] https://www.google.com/search?q=844-906

[2] https://www.npr.org/sections/alltechconsidered/2017/01/31/51...


“If you receive a calling from Google, ask them for your issue ID, hung up and call 1-1-GOO”

1-1-GOO: “Google never contacts customers directly and has no way to let customers contact them. Hace a nice day”


Or, hear me out: provide actual customer support.

To 4+ billion customers. Not possible at any realistic company size.

If you or any person figured out how to do such a thing you’d be the next trillion $ company.


If your scaling requires you to ignore some laws and regulations, maybe your scaling is just a wet dream that should not become reality, and still attempting it should be punished. It's just the cost of doing business.

No laws or regulations were broken. If your desire to punish things which anger you means you ignore laws, maybe the problem isn’t the company.

Considering their profit is on the order of 100 billion, providing proper customer support does actually seem entirely realistic.

Meta net profit 2023 was $40B. Revenue is not profit.

AT&T has 100M customers, 40k customer service reps, avg wage $20/hr full time, i.e., $40k/year each.

If you simply scale this 5B customers would need 2M customer service reps. That’s $80B in wages. With no legal need, and since people use their services more by choice more than just about any other company’s product on the planet, it would seem they’re doing just fine.


Are they really customers if they don’t pay?

If they're not customers then there's really no need for customer support, right? So why would they complain? :)

The corps want you to believe that but it's not true.

India requires direct customer support by law.


It’s math. They don’t need me to believe anything.

They provide support in India to meet local laws.


Nonsense. It's (moderately) expensive, it's a cost. It's far from impossible, the proof of that being that huge companies did and do provide customer support.

Big tech loves "stripping unnecessary fluff" and "being efficient". Turns out the "unnecessary" stuff is there for a reason. The automatic management + zero customer support is dystopian to say the least.


Do the math (which I did for another in this post).

Saying nonsense to basic arithmetic is ignorant.

Don’t like the service, don’t use it. Same as every company.


How many billions do they make an hour? How many human hours of Indian and Philippine wages can they pay?

Users in low wage countries with minimal profit per customer doesn’t preclude US / Canadian tech support where they get 20+x the revenue per user.

They are making 10+$/month per user for a few hundred million, and have a large profit margin that easily pays for basic tech support.


That's a consequence of growth they should have thought of and a basic part of running any business.

At least in the US Attorneys General are being forced to do this work for them. It's essentially the only way to get a hacked Facebook/Instagram account recovered.

https://www.engadget.com/41-state-attorneys-general-tell-met...


No, attny generals chase things that raise their political stature. They’re political. Every single one of the 50 are dem or republican: 0 independent.

They’ll make noise about this because it riles a loud minority. If they really wanted it fixed then pass laws. They don’t, because they also like business.


"We’re the search company. We don’t care ; we don’t have to".

Where do you think Google would rank its own support, help, etc., contact pages and info if not at the top of searches like the ones you mentioned?

The problem is the subjunctive here.

It's not where the _would_ rank ... it's where they currently _do_ rank.

In my test, the AI Overview produced accurate information ("Google does not offer phone support for account recovery") but none of the other hits on the first page say anything like "Phone support calls are always fraud. Google will not call you."


I think the point they are making is that google will let the fraudsters pay to place higher than the warnings because it's profitable to do so.

If there is only one time they would honor their fair market obligations and not raise their own rankings, it would be on a cost center like free tech support to consumers.

In case you would like a concrete example to ground the cynicism about corporate trade offs around customer support, I recommend watching Jill Bearup's 10 minute video [0] about this week's demonetization. For example, she has to deal with some form that she "can't submit", a customer service contact 12 time zones away (so email replies are 12 hours delayed), and an account manager who is non-responsive. In her court, are some unaffiliated google employees giving guidance, but only because they were already part of her youtube watching audience.

[0] https://www.youtube.com/watch?v=6RZHajVV9PA


> For example, she has to deal with some form that she "can't submit", a customer service contact 12 time zones away (so email replies are 12 hours delayed),

At that point I'd set up an LLM agent to reply for me. Big Tech are no longer the only ones who can pretend to be a human.


I smell a product idea...

If it weren't for the routine ex-Googler postmortem blog post shared on HN I'd think Google doesn't even have human employees.

The greatest mystery of my life is what is a "Google Product Expert" on their community forums whom I assume:

1. isn't an employee speaking as the company.

2. is someone given the title by the company.

3. spends a lot of time answering questions despite not being paid for it.

4. can contact Google employees somehow.

The only perks for this that Google lists is that you can join a secret club of Google Product Experts. It feels like gig economy applied to customer support.


several huge companies do this. here's one

https://discussions.apple.com

so frustrating


Apple isn’t a good example to use here because you can contact a human at Apple very easily:

https://support.apple.com/contact

They will even remote into your device and walk you through how to do something.


But if you have a problem and you need to show that you own appleid xxxx@xxx.com, can’t you go to an Apple Store and they will help you? I believe the frustration with Google is that there is not an actual human the regular person can talk to.

I don't live within 200 miles of a apple store

I had Google call me once :) It was when I was riding in a Waymo and one of the screens in the vehicle was lagging a little bit. They made the surprising choice of calling my phone, rather than ringing the car itself, and I didn't pick up because... who picks up when your phone says, "Call from Google" :) They called the car shortly afterward to reassure me that the lagging screen wasn't an indicator that the car would underperform.

Being guaranteed to be able to talk to a human would be great, but I just don't see how it can possibly scale to over 1 billion users that aren't paying like gmail has.

Years ago, my brother used to work for XBox Live Tech Support, and he said that easily over half the calls he got were for things that customers could easily self-service, like a password reset. Many tech issues were fixed by the most basic troubleshooting step: Power cycling.

Meanwhile, my uncle works XFinity tech support, and he'll frequently get calls when a website has an outage, not to mention how many non-technical people think any internet-related issue, such as a forgotten Google password, means calling your ISP.

This doesn't even begin to talk about bad actors calling tech support to try to break into someone else's account. Google accounts are high-value targets. Once you've gotten in, there's a really good chance you could easily pivot to all of that person's other accounts.

To handle the call volume that a service like Google would have, if they offered phone tech support, the amount of staff they would need would be in the hundreds of thousands, and so many of the calls they take would be wastes of time. There are a lot of non-technical people that have no idea how things work and basically think that Google IS the Internet.


> but I just don't see how it can possibly scale to over 1 billion users that aren't paying like gmail has.

Why not charge for support?

You bet your ass I would pay a support fee if my Gmail account was having issues.


> Why not charge for support?

They do. And when you actually pay for support, they answer the phone. At least in my experiences.

The only times they've left me high and dry is when I didn't have any actual paid support contract or subscription for whatever the question was about.

They have a Gmail support contract. You signing up?


I'm sorry - where can I buy support for Gmail? Do you mean Google Workspace?

I did used to have a Google workspace account, for several years, but administering it was a lot more work than just having a Gmail account. It's certainly not something that my mom could do.

I'm talking about something more oriented toward consumers, and ideally pay-per-use.


Google One has a contact us support benefit.

> As a Google One member, you can reach out to Google One support for help via chat, a phone call or email.

https://support.google.com/googleone/answer/9003266?hl=en_DE...


Yup

$19.95 per incident to talk to someone who could ACTUALLY resolve an issue would be totally worth it, especially for people who suddenly find themselves locked out for no known reason. A fee would also filter out most the silly calls, and if not, and they can resolve a password reset in 2 minutes, it is way worth it for both the caller and Google.


That exists - it’s called Google Workspace.

I don't understand. How do I use Google Workspace to pay $19.95 to solve a problem with my Gmail account?

What can a human do that the automated processes for account recovery/etc. can't?

I talked to a human Apple support person once and we had quite a long chat but ultimately his conclusion was basically "I can't know anything you don't already know and there's no way to resolve the problem."


Did you escalate to more senior support? They have the ability to pull in engineers when something’s weirdly broken.

It wasn't really a bug. Long before I had any Apple devices, some stranger used my email address as their recovery address. I clicked "OK" for fun. Then I got an iPhone and realized my main email address was blacklisted because it "belonged" to somebody else.

Ah, I’ve heard of that blacklisting, and that it’s impossible to get reversed once it happens and that they refuse to discuss it. That stinks.

I had a weird security alert on my Google account the other night after trying to do a "Sign in with Google" to a service I've used for years. Trying to view my account/security info kept redirecting me to a page instructing me on how to clear cookies.

I clicked support and was able to get a call right away. But I pay $20/year for Google One.


They will reach put to try and help sell you more ad spend. If that was a scam its very good cause they set up my adwords campaign for me.

I have a similar anecdote which isn't very relevant except it felt like googlers now care about how they can help make google more money. I would have never expected engineers at Google to care about how to make more money for google like doesn't the money just flow in...

Somehow Google and other tech companies are not required to have a customer service that actually solves the legitimate problems customers have with their services. I wonder how they are allowed to do this not just in the US but across the world.

I pay for Google Workspace for my personal Gmail account. It’s billed per user (with no minimums) so it’s actually very cheap even for the “enterprise” version.

The support is excellent. I can get a human on a live chat and request a screenshare and phone call session with a few clicks in under 10 minutes.

But of course that’s only available to me because I pay for the business version of Google albeit for personal use.


Software is not considered a “product”, so it doesn’t come with the government protections against companies that sell defective or dangerous products.

Also, you don’t pay for Google. It’s a free search engine and a free email service. You get tech support if you pay for the enterprise workspace features.


So, if it's not a product it shouldn't be sold or leased, and people shouldn't be hired to build it.

To be clear, I was talking about the legal regime.

Your snark should be directed towards legislators, not commenters on HN.


I got one of the same calls (didn't believe them). Afterwards I phoned Google support and they said the same thing, they will never call you. I had them confirm nothing was wrong with my account, just in case.

So it's very possible to phone Google support, just don't believe anyone who calls you.


> There’s an easier tell. It’s impossible because you can’t to get Google to help you at all about any account issues, ...

Paying Google apps / GSuite users can call a number and it's real humans answering (and they're very helpful).

But indeed I don't think they proactively call you.


Unless their salespeople are calling you

> It’s slightly depressing that there are probably more fake Google support staff than real ones.

I've never thought of it that way but you're right! Dealing with support at most tech companies is a horrible experience and is usually something I research before using a product where a failure in service provision could lead to catastrophic results.


I had a legit call come from Google Maps and I called them a scammer and various other names.

Right? "Google support" calling is an obvious tell.

> I got a call from a very professional sounding woman

That's usually the tell, right there.

Legit support operations tend to sound unprofessional as hell. Heavy accents, scratchy lines, scripts referencing the wrong OS, etc.


Depends heavily on the company. Fidelity, for example, has super friendly, local sounding support employees. They will sometimes call you directly, too, for things like "checking in on your retirement goals". If someone called sounding professional, it would not be a tell that it isn't actually fidelity.

Plus, most of the weird "customer support" scams I've gotten in the past are people with thick accents on a garbage connection.


> They will sometimes call you directly, too, for things like "checking in on your retirement goals". If someone called sounding professional, it would not be a tell that it isn't actually fidelity.

Sounds like although they might not be 100% scammer, you can be assured it's marketing and not customer support.


Yeah, it was a joke.

However, these scammers tend to come across as the platonic ideal of a perfect support rep.

My wife almost got taken by one, several years ago.


here’s what I don’t understand - why isn’t all education related to this kind of shit very simple. never answer a call (or return a call from voicemail) and never open/respond to an email. being in this industry for 2.5+ decades the first thing I thought my wife was exactly this. and my daughter as soon as she was of age where she started her digital life. 100% no exceptions. never ever answer a call from anyone you don’t know and if you get a voicemail that says whatever never callback. same on the email side, SMS side. no one will be calling you, no one will be emailing you… except scammers, no exceptions.

"no one will be emailing you… except scammers, no exceptions."

Might be, because I was travelling a lot, but I got lots of unknown numbers calling me that turned out to be friends with a new number. Now I surely could have locked myself up in a cage then there would be no risk, but also not reward.

Calling a unknown number back - no. But taking a call and saying hello did never cost me anything. I also don't just send money away or would install weird things on my computer because someone on the phone says so, so what is the danger?


Have you ever answered a robocall, and the first thing they ask is "Can you hear me OK?" or "My Bluetooth is acting up. Can you hear me?"

They want to record your voice, saying "yes."

I always say "I can hear you." I never say "yes," or anything like that, during the short time I'm on the line with them.

However, that is probably not valid, anymore, because they just need to record a fairly short segment of your voice, to generate a deepfake.


If it is a robocall, I would hang up and not say yes. Otherwise "I can hear you" and avoiding saying yes is good advice.

And as for deepfakes, I assume they become good and widespread enough soon, that no telephone contracts become enforcable.


friends with a new number can leave a voicemail saying they are who they are (or text or hit you up on social or…)

taking a call from unknown number, never under any circumstance. people calling you do this for a living, you pick up and your odds are stacked against you. maybe not yours or mine but my Father’s for sure :)


Well, I allmost did fell for a phone scam once, but due to weird circumstances I believed it was official Microsoft support as I expected them. Still, I won't install shady things from shady sites on request from a phone, so it did not got far.

You think people remember half of the shit they learned in their middle school or high school classes?

The number of times I've had someone ask "how do you know this stuff" when it's something I learned in 7th grade or similar is astounding.


It is pretty easy to remember and follow things if you keep it simple. with this it is remarkably simple.

- never answer unknown number calls - never answer unknown number texts - never open any emails from anyone you don’t know or do anything that email tells you to do if curiosity gets the best of ya and you open it.

ALL communication with any “business” or “government” (state/local/federal) is in one direction, YOU contact THEM. That’s it, can’t be any simpler


It's not like phishing trainings don't exist, but almost all of them are just wrong. They tell you things like "look out for spelling mistakes and sketchy looking URLs".

How will you get business done if you never answer a call or open an email, no exceptions?

Because the advice is actually

* Don't respond to any unsolicited communications. Period.

* If some business you have a pre-existing relationship reaches out to you unsolicited and you suspect it might be real, still don't respond. Go reach out to them via their posted customer support channel.

I have complicated feelings about phishing training because while it's good they're teaching you about common manipulation tactics and scams, trying to sus out from vibes the legitness of an email is the wrong approach. Just don't do anything.


wow, the scammer tried to steal your wife?

Maybe. She said he had “a golden voice.”

I've gotten real support calls where the audio was so bad it was hard to understand anything they said. And/Or the standby music fidelity was so awful it's like pounding a spike in my ears. (Or maybe that's intentional so I hang up and don't bother with them.)

You'd think they'd have equipment newer than the 1960's.


Yeah, hah, it is funny that "Google offering phone support" is so unthinkable to me that it's a red flag for a scam.

Yeah, that was also another big red flag for me.

I do have paid services on other Google accounts and have dealt with their support before, but the account they were trying to break into was an ancient one I made as a teenager and don't use for much of anything anymore. If Google Support were to call me about anything (unfathomably unlikely, and never about a security issue like this), it wouldn't be from a free account that has never given Google a dime.

I have received calls from Google associates before. Almost always some account manager looking to find yet another product to sell me. Never proactively to any kind of account issue.


I get lots of helpful emails from my mail administrator telling me I have some sort of problem I need to log in/revalidate/release pending messages etc.

Urgently!

(I run my own mail server and I am the admin)


Sounds as urgent as legit :)

> I got a call from a very professional sounding woman assuring me she was with Google

A customer support person from google? Scamers really tell the craziest stories.


You should have recorded the whole thing

Frankfurt of all places!

Frankfurt is actually notorious in Germany for their issues with drugs. Going outta the train station you can see ppl passed out with literal needles in their arms, taking a shit in public view etc

Doesn't really transfer to cyber crime, but it's definitely one of the more "criminal" places in Germany. Still super tame compared to actual slums etc though


Notorious on social media perhaps. I am yet to see someone in Frankfurt passed out with a needle in their arm. I've been to Frankfurt several times in the last years -- slept once in a hotel near the train station, spent a couple hours until 2-3am at and around the train station because of a missed train, spent a lot of time waiting for my next train connection etc.

The last time I was in Frankfurt was maybe 20 years ago. I suppose things have declined quite a bit since then.

They called from Bahnhof Viertel ;)

The glaring common denominator here is that the attacker has the ability to send an unprompted, unblockable request to the victim's phone. Pressing the safe-looking green button that shows up, even accidentally, is digital suicide.

Google Prompt is supposed to be a safety feature. The account recovery process lets a hostile actor turn Google Prompt into a loaded gun, and Google puts it directly into the victim's hand, aimed straight at their own head.

There's absolutely no way to shut off Google Prompt that doesn't involve removing every Google app from your mobile devices.


This is called MFA bombing. Just send prompts until the user accidentally accepts one.

Microsoft’s authentication has protection against this, requiring you to manually enter a 2 digit number in your phone, matching what you see on your other device. Very simple, there is no excuse for Google to not have similar.


Hmm. I remember using a code like this with google, too. Seems like they had something similar in the past.

You used to have to click the correct two-digit number out of 3 options, but now it's just "way this you? (yes/no)"

That quickly becomes tedious when you need to do it multiple times a day - e.g. logging in to different customer environments. Much prefer the one-click approval.

Yeah, it's all a balance though. Personally, I'm fine with sacrificing a couple seconds here and there, maybe a minute a day at most to help the rest of the population not have their life destroyed. I do admit though that if we calculated out all the time across all the people it would probably be a less rosy picture. But even the authentication we have now still takes some time, we could save seconds of each person's life if we just rid it altogether. I think i'd need some statistics on time spent vs catastrophes avoided to make a solid determination. Presumably Google has this data?

Google allowing OTP codes to be generated from the cloud is also insane to me. I've known about this feature for a little while, but it never ceases to amaze me how careless Google is with security.

> Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one’s Google account online.

This sounded absolutely crazy to me so I went to open Authenticator on my phone and lo and behold it offered me the option of linking to my account and "backing up my codes in the cloud" to which I declined.

But I had never seen this behavior before, so is this new? It did not seem to be enabled by default in my case.


What's crazy to me is that Google would allow access to a foreign device from a single click. It would be easy for a person to accidentally click it, or for a kid playing on their parents advice to click it when it popped up. I really can't understand why they wouldn't send a code that would have to be entered instead; it would be far less prone to those kinds of problems.

"foreign device" based on IP geolocation is pretty tricky and annoying.

My home in Texas had an IP address which a lot of databases had as supposedly being in Montreal. It was like that for years. Gotta love so many sites trying to default to French.


As a network admin I have found that whitelisting only US address space for my companies IPs drastically reduces how many attacks we get.

As a person who had to deal with clients, I have found whitelisting to only "US address space" lead to lots of clients being unable to access the services until they were whitelisted.

As a person who had to deal with other associates, I also found whitelisting only US address space led to a number of people being unable to connect from their homes.

As a person who had this happen to them, I had quite a lot of frustrations with services insisting they couldn't provide me service because Texas is in Canada apparently.


of course before implementing this I log all IPs and verify that we don't have any legitimate traffic coming from non-US IPs. and whitelisting a few IPs isn't a big deal. Of course a medium sized manufacturing company in the Midwest isn't going to have much need for people connecting to use outside the US.

I'm actually working to get rid of any public IPs that isn't a VPN access point.


> any legitimate traffic coming from non-US IPs.

If it's not actually reaching you to log in and what not, how do you know it's legit or not?

How do you know it's US traffic or not in the end?

I'm not saying it's not something anyone can reasonably do, but I've both been the gatekeeper required to implement/support such a policy and been someone burned by it. It shouldn't be assumed the block lists are actually that good.


This is an argument over the accuracy of georeferencing IP addresses and in my experience it is adequate for my needs.

Je suppose que le Texas est au Québec.

What was the point of replying in French?

> My home in Texas had an IP address which a lot of databases had as supposedly being in Montreal.

J'ai dû apprendre le français parce que les bases de données géo-IP sont des déchets.

So many sites defaulted to French due to shit geo-ip databases. So many account lockouts because of fears credentials got hijacked due to shit geo-ip databases. So many "sorry this isn't available in your country" messages because of shit geo-ip databases. So many stores defaulting to Canadian dollars because of shit geo-ip databases.

They're so annoying to be on the receiving end.


How would a code help? The victim has already bought into the social engineering. If the person on the phone asks the user to read out a code, they will. If the person on the phone asks them to enter a code (i.e. the version of this kind of prompt where the user needs to enter a code on the phone matching the one showing on the login page), they will.

Every step you make someone who is being socially engineered jumo through, is an extra chance for them to realize what is happening, especially if those steps contain warnings.

Google only added this feature recently. I am really conflicted about this feature. Without it you need to either save every TOTP code when you first set up the account or manually disable 2FA on every account and then enable it again so you can enroll it on a new phone. I used it when migrating to my most recent cell phone but then disabled it. Of course you have to trust that Google actually deletes the codes from your account.

Same with me, I had setup MFA using Google Auth for an important account I use.

Next day the phone broke, and I lost that account forever. I had not written the backup codes down anywhere.


Generating and storing your passwords, OTPs, and passkeys in a fully E2EE system like 1Password is effectively a root of trust, although you also have to trust (a) the password manager company, (b) whatever third-party systems and devices they use to build and deliver their software, (c) the quality of their cryptosystem, and (d) whatever device you use to decrypt/access secrets in your vault.

I trust 1Password. They are very open about how they encrypt data and how the key is derived. I like how they store your encrypted data locally in a SQLite DB. My only real concern is with storing passkeys because they cannot be stored locally yet and you are granting 1Password control over your access to any site you need a passkey stored with them. They are working on a passkey exporting process. I would feel better if I could have the same Passkey stored by 1Password and Azure and Google.

What is the advantage of passkeys compared to managing unique passwords with 1pw? Is there any tangible benefit to switching, besides that Google et al will stop hounding you to do so?

Passkeys are asymmetric keys so a hacked site cannot leak the hash or even the plaintext of a passkey. And the private key is never exported to insecure hardware. Funny how so many Linux gurus have been shitting on using passwords for SSH for decades in favor of using SSH keys and now that there is an actually effort to use what are essentially SSH keys tied to a specific domain they are rejecting it.

Sorry, I'm still not clear what the advantage is, compared to storing unique passwords in 1pw. If a site is hacked, the only thing at risk is my data on that specific site, which would be the case either way. I definitely understand how they would be easier and more secure for people who don't use a pw manager, but that's not my question.

There are some obvious, significant benefits I can think of off the top of my head:

- Passkeys give the website no secret to keep.

Breach of the passkey public key is not an event worthy of credential rotation.

- Passkey authentication is submitted via a rigorously-defined mechanism intended for machine-to-machine communication.

Ever had your password manager try to fill the wrong field with your login credentials? Passkeys cannot make that mistake. There's no heuristic mechanism at play trying to figure out where to insert the passkey.

- Passkeys are immune to credential theft via MITM

Sure the MITM could hijack the session, but not the credential. (I know this one is a stretch, but you asked for anything)


a actual API to use when authenticating is a real advantage for Passkeys I hadn't considered.

They aren't that much more secure than a random 256 bit unique password for every site stored in a secure password manager. They are designed to raise the security for the average user, not the most security conscious.

https://www.computest.nl/en/knowledge-platform/blog/advantag...


This is a weird take. The passkey can be up to 1400 bits in length which makes it significantly more difficult to brute force than a 256 bit password. Not to mention some sites won’t even let you type in a password that long, and then ofc rainbow tables.

Passkeys are significantly more secure for everybody.


a truly random 256 bit password would require more energy to brute force than the sun will emit during its entire lifetime. a 1400 bit long random password is not any more secure in practice.

Passkeys are normally 256 bit ECC keys.


I don’t trust 1Password, but not for technical reasons. They like to play subscription games and hold accounts hostage. I’m moving to apple passwords myself.

I'm going to try running vaultwarden myself.

Yup. If you DON'T have this feature, you're depending on every user who has TOTP 2FA to actually save their backup codes somewhere they can retrieve ~years later or back up their TOTP some other way manually. Naturally, most users will fail to do this, so you'll have to deal with how to securely reset the accounts of people whose phones got lost or destroyed.

But then if you DO have it, you have to deal with the situation in this story, where if you can compromise their one key account, you get all of their TOTP codes too.


There is a big gap in the greater security landscape here. I personally use hardware authenticators for this reason, but I have to manually enrol each security key for each account.

Really what I would like is a root of trust which maybe is a cipher text which I can store in several physical locations, and then my security keys are derived from that root of trust. Then when I set up 2fa with a service it is using the root of trust and seeing that my security keys are is derived from that root of trust. This allows me to register the root of trust only once and then I can use any key derived from it.


Some cryptocurrency hardware wallets such as Trezor's are usable exactly how you want: they support fido2/webauthn and derive their keys from the recovery seed phrase. You can write down the recovery seed phrase, initialize other hardware wallets with the same recovery seed later on, and they will present to a computer as the same fido2/webauthn token.

If it's hardware it can break or be lost or stolen.

As I said, you can write down the recovery seed and initialize other security keys from it, so you're able to deal with a hardware wallet breaking, unlike most fido2/webauthn security keys. Hardware wallets also require a pin to be entered, so they're more secure against being lost or stolen too than security keys that don't need a pin.

Just checked and Google authenticator seems to be synced to my account, which is a huge SPOF and not what I want. It's possible that I did this without realising, but does anyone know of a way to revert authenticator to local-only? I don't see anything obvious.

> It's possible that I did this without realising

IIRC on my platform, when they added the feature they turned it on by default, as an auto-installed update.

And if you're logged into the gmail app on the same device that also logs you into authenticator.

You didn't do anything wrong.


FWIW, I still remember recoiling in horror when I was asked whether I wanted to sync my Google Authenticator stuff.

I remember getting prompted for it on iOS when they added it. I still have it turned off.

Better option is to not use Google's TOTP app. Use something else

> does anyone know of a way to revert authenticator to local-only?

To answer my own question: tap the profile pic (top right on Android) and choose the Use Without an Account option. Removes codes from cloud storage and any _other_ devices. Mentioned in TFA.


I am literally mind f** by the wording “Use Authenticator without an Account”. This is one of the most tortured and cryptic phrases I have seen. Government legalese is more straightforward than Google.

You can't revert, they keys are sent, they have them. They can't un have them. You'll need to rotate your MFA.

> You can't revert, they keys are sent, they have them. They can't un have them. You'll need to rotate your MFA.

Not true. See https://news.ycombinator.com/item?id=42471459


You've missed the point entirely. The point is not that you can't recover the codes. The point is that if you are concerned about uploading codes due to the security implications (which most people on here are) then you need to do more than just disabling uploading, you also have to go rotate all the secrets that were uploaded.

I understood the point, thanks. But I'm concerned about the scenario in the article, where someone did a device recovery and got access to the cloud synced auth codes.

I don't particularly like that my codes were apparently synced to Google's cloud without my being aware, or the ux that prevented me from noticing. But I'm pretty confident that, having disabled the cloud sync, Google no longer has my codes

(And in fact I verified this by installing the authenticator on a tablet before turning off sync on my phone. The codes vanished from the tablet.)

In principle, yes I should rotate all the secrets. Because google may have borked their data retention, or is just outright lying and keeping my secrets. In practice, though, for my personal account, I'm content that nothing has been compromised.


> But I'm pretty confident that, having disabled the cloud sync, Google no longer has my codes

Based on just your intuition. Since you don't have access to the backend specs or code, assuming this isn't a responsible security practice. It is a shortcut you can choose to take personally but should never take with any professional credentials.

I'm going to point out that you responded "Not true." instead of adding a caveat about how you personally choose to ignore security best practices for personal accounts.


> I'm going to point out that you responded "Not true."

I could have been clearer, but that was in response to the asserion of "you can't revert".


I use Authy and it does this too. I like that I can get the code on my phone or tablet. I also keep paper copies of the original QR codes in a safe place.

The trick with Authy is to disable multi-device access unless you're in the process of adding another device, so hackers and scammers can't add their own devices to your account without your aid. If you leave the setting enabled, someone may get your TOTP secrets from Authy before you can stop them.

If there is a trick to doing something securely, then that is already an automatic fail.

No. That's not "the trick". As soon as it's in the cloud, it's over, it's gone, you've lost the game.

I've been using Authy for around ten years now, so I lost the game a decade ago and the consequences have been nothing and the benefits have been something. Not a bad loss IMHO.

Good for you. Just wait and see...

You can just decode the QR code and use whatever secret is in there to generate the OTP codes. TOTP isn't that complicated, it's really just a second password that the system generates.

While true, I haven't yet seen an authenticator app that let's you just dump the topt code yet...

1Password can show the whole URI with the seed, and I have used it in the past to tediously restore seeds to my other 2FA apps.

It is at least relatively new. Years ago I had to try the Google “hard landing” account recovery process because it wasn’t happening, which is how I learned that they had that form going to an email address which had been deleted. Fortunately I had paper recovery codes in my safe.

Google rolled out that hare-brained "improvement" in an update to Google Authenticator a few months ago, with the nice extra that for some users, when you dared unselecting the new cloud backup checkbox, the secrets stored in the app were instantly corrupted in some way, so you were locked out of your Google accounts immediately as a bonus <chef's kiss>. Happened to a family member, luckily they had a working emergency access method. We will never use Google Authenticator again.

Recommended alternative: 2FAS (https://play.google.com/store/apps/details?id=com.twofasapp) which allows you to import the secrets from Google Authenticator via QR codes, and has a local backup feature (e.g. to a USB drive).


As a side question: How do I, as a novice, vet a 2FA?

This has all the "looks nice", but I have no reason to trust this recommendation over any other social engineering.


My first impulse after ruling out Google Authenticator was to simply switch to Microsoft's Authenticator app (which I already had to use for a work-related thing anyway), thinking "of course MS would not make the same stupid mistake". Turns out they would, and they did. So alternatives from smaller vendors were the only option. In evaluating them, I focused on popular open-source solutions that had the features I deemed important (notably, local backup), and looked into the history, provenance and reputation of their vendors. Nevertheless, some risk will always remain.

I was one of the fools who installed the iOS 7 beta onto a phone that I depended on with Google Authenticator. The app had a compatibility issue with that beta release that caused it to disappear all my 2FA seeds except, very fortunately, for my Gmail. There was a bit of a ruckus about this here https://news.ycombinator.com/item?id=6112077.

Since then, I always use at least two 2FA apps at the same time.


I used andOTP for years, until the author stopped working on it. While it still likely works fine, I've switched to Stratum, which likewise supports import from the Google Authenticator export QR codes as well as from andOTP, authy, and others.

Ugh, yeah, that update.

You didn't have to do anything, either, the update just instantly corrupted some 2FAs. How can an app not do a TOTP? It's literally just math.

I had to recover a few MFAs from backup codes due to that.


I'm shocked how often one of my ~50 colleagues asks me to reset their 2FA. It's every 6-8 weeks or so.

Their personal accounts will be affected in the same way (lost phone, new phone etc).


Was about to say this but yeah.

Big brains at google didn't understand the number '2' in 2FA


They added this recently, because lots of people complained to Google that they lose their tokens; Authy and others started to gain traction because they did synchronization. Google was pretty much forced.

I know, 2FA loses the entire point when it's synchronized. But, well. People lose their stuff all the time!


I've had customers tell me that they cannot use email verification to meet a 2FA compliance requirement because it's not a second factor, but somehow SMS is. I always push back with "why not just good old TOTP" and the answer is that it's too easy for a customer to lose because it is only on their device. Like yeah... that's what makes it a real second factor.

It’s possible to synchronise secrets without sharing them with a third party: just encrypt them locally, transmit to third party, download to other device, decrypt.

This could be made easy for users by having each device share a public key with the third party (Google, in this case), then the authenticator app on one device could encrypt secrets for the other devices.

This would be vulnerable to Google lying about what a device’s public key is, of course, but enduring malice is less likely (and potentially more detectable) than one-time misbehaviour.


> It’s possible to synchronise secrets without sharing them with a third party

Sadly the problem Google is actually trying to solve is providing security for the dumbest people you've ever met. Dumbasses are entitled to security too!

I'm talking people who've lost access to their e-mail, and their phone number, and their 2FA all at once. Then they've also forgotten their password.

No password manager, no backup phone, no yubikeys, no printed codes, no recovery contacts, nothing.


You're describing the majority of my extended family. Some of whom are well educated and tech illiterate.

The active ingredient in 2FA as practically implemented for nearly everyone has never been the 2. It's mostly just not letting humans choose their entire password.

Most people wouldn't realise they can't recover their TOTP codes. But the hacker would still need to know your password surely

...so you agree that this is missing the '2' in 2FA?

For "something you have" to be true to its purpose it has to be something that has one and only one copy - so either only you have it, or you don't, but nothing in between. The second you have "cloud backup", or activate an additional device, or "transfer to a new device" then you turn the attack into "phishing with extra steps".

You can support transferring to a new device without increasing the phishing risk, the transferral just needs to be done via a physical cable rather than via the cloud.

I'll grant you that it's a better option but by no means good if you want to stand on the 2FA hill and put security first (only?). That "just" does a lot of heavy lifting.

The only time I'd consider transferring a secret like this is secure is within an HSM cluster. But these are exceptionally hardened devices, operating in very secure environments, managed by professionals.

Your TOTP seed on the other hand is stored on any of the thousands of types of phones, most of which can be (and are) outdated and about as secure as a sieve. These devices also have no standard protocol to transfer. Allowing the extraction via cable is still allowing the extraction, the cable "helps" with the transfer. Once you have the option to extract, as I said, you add some extra steps to an attack. Many if not most attacks would maybe be thwarted but a motivated attacker (and a potential payoff in the millions is a hell of a motivator) will find ways to exfiltrate the copy of the keys from the device even without a cable.

This is plain security vs. convenience. The backup to cloud exists because people lose/destroy the phones and with that their access to everything. The contactless transfer exists because there's no interoperability between phones, they used different connectors, etc. No access to the phone is a more pressing risk than phishing for most people, hence the convenience over security.


I think this is also the main drawback of physical U2F/FIDO2/Webauthn tokens: security-wise they are by far the best 2FA option out there, but in practice it quickly becomes quite awkward to use because it assumes you only own a single token which you permanently carry around.

Sure, when I make a new account I can easily enroll the token hanging on my keychain, but what about the backup token lying in my safe? Why can't I easily enroll that one as well? It's inconvenient enough that I don't think I could really recommend it to the average user...


I don't quite get this "I need to add every possible authenticator I have at account creation or I'm not doing it" kind of mentality I see a lot.

When I make an account, if I have at least two authenticators around me, I'll set up the hardware authenticators or make sure it's got a decent recovery set up. As time goes on I'll add the rest of them when it's convenient. If I don't have at least two at account creation or I don't trust their recovery workflow, I guess I'll just wait to add them. No big deal.

If I'm out and I make an account with $service but I only have my phone, I'll probably wait to add any authenticators. When I'm with my keys, I'll add my phone and my keyring authenticator to it. When I sit down at my desktop sometime in the next few days and I use $service I'll add my desktop and the token in my desk drawer to it. Next time I sit down with my laptop and use $service, I'll add that device too. Now I've got a ton of hardware authenticators to the account in question.

It's not like I want to make an account to $service, gotta run home and have all my devices around so I can set this up only this one time!


>When I make an account, if I have at least two authenticators around me

If you do, you're in a tiny minority of users. Well, even if you have one you're in a tiny minority, but having two laying around is extremely unusual.


Only because I bothered to buy a few. If they're making a new account they're probably on a device which can be an authenticator, i.e. a passkey. Is it rare for people to be far away from their keyring where they potentially have a car key and a house key and what not?

Do most people with hardware authenticators not also have laptops, desktops, or phones? They just have an authenticator, no other computers?

This person I replied to already has two hardware tokens. They probably also have a phone that can be used with passkeys, they probably also have a laptop which can be used with passkeys, they might also have a tablet or desktop which can be used with passkeys. That person probably has 3-6 authenticators, and is probably with two of them often if they carry keys regularly.


I don't understand the existence of an HSM cluster. I thought HSM was meant to be a very "chain-of-custody" object, enabling scenarios like: cryptographically guarantee one can only publish firmware updates via the company processes.

The HSM is more generic than that - a Hardware Security Module. It's just a hardware (usually, software... Hardware security modules exist...) device that securely stores your secret cryptographic material, like certificate private keys. The devices are exceptionally hardened both physically and the running software. In theory any attempts to attack them (physically open, or even turn them upside down to investigate them, or leave them unpowered for longer than some hours, attempt too many wrong passwords, etc.) results in the permanent deletion of all the cryptographic material inside. These can be server sized, or pocket sized, the concept is the same.

Their point is to ensure the private keys cannot be extracted, not even by the owner. So when you need to sign that firmware update, or log into a system, or decrypt something, you don't use a certificate (private key) file lying around that someone can just copy, you have the HSM safely handling that for you without the key ever leaving the HSM.

You can already guess the point of a cluster now. With only one HSM there's a real risk that a maintenance activity, malfunction, accident, or malicious act will lead to temporary unavailability or permanently losing all the keys. So you have many more HSMs duplicating the functionality and keys. So by design there must be a way to extract a copy and sync it to the other HSMs in the cluster. But again, these are exceptionally hardened HW and SW so this in incomparably more secure than any other transfer mechanism you'd run into day to day.


Ah, got it. So in the event someone managed to get access, they are limited to signing things in that moment on that infrastructure. I can see how that would reduce the blast radius of a hack.

Ideally this would destroy the initial copy too - but forcing physical access would indeed be a great start.

Even so, if you have a copy even for a fraction of a second then you can have two copies, or skip the deletion, or keep the temporary copy that was used during the transfer. Even the transfer process could fail and leave a temporary file behind with your secrets.

I quite like Apple’s Advanced Data Protection, I set it up with two physical yubikeys recently. To login to iCloud/Apple on a new device that’s not part of your trusted devices, you must use the hardware token.

They'd have to know your password, and get you to click your 2FA accept button, that's 2 factors still

It's because everybody wants to put everything in 2FA protocols, because people just can't use passwords...

And the fact that one of those doesn't lead to the other passes way over their heads.


It does feel like the security protocols necessary to secure $100k to $Ms of crypto which transfers instantly and non-reversibly is a challenge for the average user.

Even as a fairly tech enabled GenX, I have forgotten passwords and had to reset them (usually accounts I haven’t used in a while), had files corrupted without a good backup, lost a Yubikey somewhere in the house (I think at least).

From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.

Versus keeping my money in SIPC and FDIC protected accounts.

I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted with so much logistics risk, and appreciation… well who knows about that.


1) if you don't exclusively have the private key (wallet), you don't own the crypto. if someone else gets the private key unwittingly, they now own the crypto

2) split cumulative funds into two wallets, a "hot" wallet and a "cold" wallet. keep the funds in the "hot" wallet to no more than for which total unintentional loss is tolerable. keep the private key to the "cold" wallet off any internet connected device except for the minimum duration required to transfer funds to the hot wallet.

3) print the recovery phrase for the cold wallet and store it in a physically secure location

4) if an ideally secure physical location is not possible, split risk across multiple "cold" wallets


that sounds tedious af and still prone to error, i'd rather literally pay someone to handle all of this for me, let's say, some kind of institution which specializes in storing and handling money

Hey, what if there was a way to get paid to have someone else handle this for you? That would be crazy right

It would also be cool if it were guaranteed up to a certain amount, very much like FDIC does for amounts smaller than $250k.

While practically that’s true of course, I think a hardware appliance that did this that you had to physically interact with to release the funds from would be cyberpunk and cool. Imagine exchanging a handful of currency chips for like a flying motorcycle or something.

And when that hardware fails?

The problem with crypto is that every problem requires additional layers of complication which each have their own failure modes which then need to be further addressed. And the complication itself adds yet more ways to breed failure.

This is the fundamental challenge with a system where any mistake or error results in the instantaneous and irrevocable loss of unbounded funds.


If it fails, you can’t retrieve the money of course. Don’t put more than you can afford to lose on one chip.

You understand this is insane right?

i would argue crypto isn't meant to straight replace the banking system. only substitute for it where certain privacy is required

Except it is explicitly not private?

I’m not offering financial advice.

> 1) if you don't exclusively have the private key (wallet), you don't own the crypto. if someone else gets the private key unwittingly, they now own the crypto

That's not how the legal system works, and they're the ones who decide who owns things.


> From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.

Not sufficient. You'd also need someone you trust 100% to have another seed protected as if it was the gold of Fort Knox. And then you'd only only use "multisig" to sign transfers.

And that other person needs to live on another continent.

And you both need a backup plan in case you die if you plan to leave these 0.1 Bitcoin to your heirs.

This makes the $5 wrench attack impossible to succeed. As to whether the attacker is willing to add gratuitous (because it's impossible it'd succeed) torture/killing to its list of crime is something else though.

> I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted...

I think mid-term to long-term people simply buy a Bitcoin ETF or stocks from a company holding shitloads of Bitcoins like MicroStrategy. Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland).

Keeping your own Bitcoins is not unlike keeping physical gold coins. It's doable but risky. Multisig really helps a lot but buying a Bitcoin ETF is simply easier. Open bank or broker website, click click. Done.

I'm not saying Satoshi's dream or the Bitcoin maximalists' dream is good old Wall Street manipulating Bitcoin's price using paper Bitcoin (silver ETFs were in big trouble in 2021) but what I'm saying is I think that's how it's going to end.


>I think mid-term to long-term people simply buy a Bitcoin ETF or stocks from a company holding shitloads of Bitcoins like MicroStrategy. Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland).

But what's the inherent value of BTC if it doesn't do the things it claims? What value does Michael Saylor owning a bunch of bitcoin, of which I have a pretend share, even have?

This is the paradox of Bitcoin. It's a really cool technology that's really hard for normies to use.


I feel that crypto offers a different risk profile than say the gold ETF. There certainly is significant risk and expense to storing and securing the physical gold backing the ETF. I think it also needed to be audited as matching expected reserves occasionally?

But crypto has similar it and physical security costs at a minimum, though physical storage will be cheaper. Auditing maybe similar costs, I’m not quite sure how you confirm ownership of an address or pile of BTC without transactions?

The big risk is that these big holding companies of bitcoin become targets of state-scale cybercrime hacking armies. Can you imagine an adversary deploying constant attack on every facet of you IT infrastructure, from accessing the private keys presumably stored in hot wallets to support active trading to the interface where they may try interfere with client functions to all sorts of ends from theft to market manipulation.


I partially agree, although I can see more companies offering these kinds of services in the future. Block already has a system with Bitkey, custody companies like Casa and Unchained are providing services as signers, and AnchorWatch is stepping in as both a custody and insurance provider at the institutional level. Despite the government's best efforts to limit participation from existing banks[1], other services are jumping through the arduous hoops of regulation to fill in the void.

[1] https://www.swanbitcoin.com/politics/biden-s-sab121-veto-sta...


> Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland)

I'd suggest that holding precious metals without actually having physical metal under your exclusive control is essentially as flawed as holding crypto without exclusively holding the private key.


I have no doubt that at least some especially in the early days envisioned crypto as a legitimate alternative to fiat currency. That being said, in it's mature state as a technology, it amounts to nothing more than a clone of the modern financial system with a different set of oligarchs, except that it has far fewer consumer protections, and the nature of it makes implementing said protections in any way extremely difficult.

That combined with the extreme volatility of value that is not only endemic to any coin with meaningful usage, but is generally a goal of most coins, makes it only really useful as a speculative vehicle, and those same properties also make it uniquely bad in terms of a store of value to be used in commerce unless the seller also plans to speculate on the value.

And, even if you're good with all of that: Yes, the tech itself is decentralized, but if you don't have at least some background in basic software development or scripting, you're almost certainly going to end up using some product or another to manage your wallets and transactions, and while the wallet is anonymous, the accounts you connect the wallet to are often quite the opposite, and because of the structure of the chains, your entire transaction history is visible to everyone on the network, at all times. So it's private by default, but basically any casual user is immediately and forever doxxable.


Xmr aims to be a digital cash, and basically achieves that. Btc has goals more akin to digital gold, hence being more useful to speculators than people buying things is somewhat intentional.

I don't know who the oligarchs you're talking about are. Buterin? Bankman Fried? In either case, their position is quite different from that of a banking titan.


> I will say, the BTC appreciation is a big attraction of course

What are the other desirable features of BTC?


It’s great for laundering money.

It is not.

It's not anonymous, but pseudononymous. It's a public ledger, for everyone to copy and analyze. It's a public ledger that's mathematically proven to not have mistakes in it.

Exchanges are highly regulated. KYC is rediculously tight.

Sure, Bitcoin allows one to flee/fly to some criminals' paradise with their entire wealth stored in their brain (or on a napkin). And as long as they keep the money in crypto or black, it's unstoppable, really.

But it's a terrible medium to turn black money into white money. One of the worst of all options, really. And that's what laundering is.

Now, it's used for laundering. But that's more because its a great and easy store of value in itself. Not because a public, tracable ledger without any anonymity other than pseudonimity is a great system for laundering, because it's the exact opposite of that.

And certainly, if you mix in monero, defi, otc-trades and -there they are- "corrupt bankers", crypto as a whole can turn black money into white, circumvent blockades, fund terrorism and whatnot. But hardly easier or simpler than paper-money, gold, and corrupt bankers already can.


> But it's a terrible medium to turn black money into white money.

Isn't that what NFTs are for?

Create a stupid image, sell it on Open Sea as an NFT, bam, you've cleaned the money. Just claim it on your taxes similar to selling art and you're in the clear.


So why is basically all ransomware paid in Bitcoin?

That's not laundering. That's getting paid.

If you want to transfer money in a way that's unblockable, unceasable, and pseudonomic, Bitcoin is a good system.

If you want to then convert that into dollars, it's not.

Ransomware is paid in Bitcoin despite it being terrible to launder.


Nobody wants some silly digital "coin". Everyone wants US greenbacks.

Nobody wants US greenbacks. You can't even use them to stay warm for long.

What people want is the value it represents in a way they can manage that value.

I don't want fictional numbers in some asset fund that say I own zero point not not not 1 percent of some company in stocks either. Or even numbers that say I have money on an account. I don't want gold in my sock-drawer, either. It's the value this represents (and the trust that this value will give me real stuff that I actually need, like a pizza, in future).

Bitcoin, to many, over the years, has acquired this too. There's real and obvious proof that people trust that Bitcoin has value. Not all people. But enough.


The US greenback is defended by a country with a very strong defense that includes a nuclear weapon arsenal.

How does bitcoin defend itself?


Yeah, especially the people scamming others.

It's great for transferring ransoms. Basically a criminal's dream coming true.

It is unstoppable, permissionless and pseudomic. All but the last is indeed this criminals dream.

But cash isn't pseudonomic, it's actually anonymous. It's even (practically) untracable. Cash is also unstoppable and permissionless. So it's far more a criminal's dream. Cash, however, isn't easy to transfer, especially larger values. It gets harder even if that transfer is internationally. Bitcoin solves that.

Bitcoin's upside of being very easy to transfer, sometimes outweigh its downside of being hard to launder, being tracable. But let's stop the myth that it's so much better than all existing systems to move criminal assets around, because it's not. It's complementary, not a holy grail. It really has a lot of weaknesses, especially to criminals' needs.


What is making you think criminals are scared of pseudonyms, or that pseudonyms don’t provide all the real and practical benefits of anonymity most of the time? It’s not a myth that a lot of crime involves BTC right now, it’s a fact, regardless of the theoretical underpinnings or hypothetical weaknesses.

Cash comes with serial numbers, and occasionally gets traced. It’s about as effective as tracing pseudonyms, most of the time.


pseudonyms are fine until the moment they can be linked to real identities.

At which point, because of the public, mathematical provable, ledger, the pseudonyms become concrete evidence, often in a "viral" way, i.e. through transactions a pseudonym can be linked to other pseudonyms and events.

In crypto, pseudonyms are a real and high risk threat. Not all, e.g. Monero internally "launders the coins" for you (technically not at all correct term, but you get the point...) so diminishes that risk. But even there, its there.

Edit: and while cash comes with serial numbers that can be used to trace transactions, crypto is only serial numbers that are precisely there to trace all transactions publically.


It isn't, banks are way better and cash is still king:

https://www.cnn.com/2024/10/10/investing/td-bank-settlement-...

https://www.icij.org/investigations/fincen-files/global-bank...

https://www.investopedia.com/stock-analysis/2013/investing-n...

https://www.coinbase.com/blog/fact-check-crypto-is-increasin...

Even from SWIFT: "Identified cases of laundering through cryptocurrencies remain relatively small compared to the volumes of cash laundered through traditional methods" https://www.swift.com/sites/default/files/files/swift_bae_re...

What you're saying is simply unsubstantiated.


Non centralized proof of ownership is pretty cool.

How is it non-centralized? Basically everybody actually using crypto uses exchanges.

You don't have to.

Then how would you exchange it with real money? There are few things that accept cryptographic coins as currency.

Depending on how you use it, you mightn't need to exchange it often, or at all.

Companies that use it as hedge, or diversification, just need to "hold" it. Investors (not traders, there's a big difference) also commonly just "hodl" it. Also no need to exchange it. And several more such use-cases.

Sure, after a while, they might want to exchange it for something they "need". Like housing, healthcare, food, materials, etc. But often that's a one-time after years of not exchanging. And we still don't know how the future may look. Some believe Bitcoin is what we'll be paying with in a few decades (I don't, not really). I'm pretty sure I can buy almost any house for a few bitcoin, especially if that's "overpriced" in dollar-terms, today already.


> Companies that use it as hedge, or diversification, just need to "hold" it. Investors (not traders, there's a big difference) also commonly just "hodl" it. Also no need to exchange it.

In both of these cases the only value to "holding" it comes from the possibility of being able to exchange it if needed. While you might go a very long time without interacting with a centralized exchange, the Bitcoin is worthless for these use cases if there's no acceptable path to trading it for something else.


> of being able to exchange it if needed

yes. But my point is that "being able to exchange it" is what gives all assets value. From gold, via bonds to dollars.

So 1) this isn't unique to crypto and 2) we should avoid narrowing this definition to "exchange crypto for dollars" because that's not true today and possibly even less in future - if only because there are other currencies already. Exchanging it for goods (i.e. buying stuff) is a killer feature of crypto only in very small niches. And exchanging it for other valuable assets isn't common either (yet? I doubt it, but don't see clear reasons why not)


he said “basically everyone” which is true. I don’t have to eat this large apple pie that is front me now but I’m about to :)

SIPC and FDIC don’t protect against fraud.

I wonder if people who are "invested" in cryptocurrency are more susceptible to these kind of scams. There's a strong aspect of FOMO in getting people to buy imaginary internet money, and also in getting them to panic and fumble said internet money.

One of the reasons I stay away from it is that, at least in recent years, every scam that I see taking place involves crypto. I have a lot of acquaintances and I can almost draw a line at this stage: the higher the "shadyness" of the person, the more they are invested or talking about crypto. I am yet, even tho I owned, to have had the need to use crypto in my daily/weekly/monthly/yearly life.

It is very easy to destroy lives with it as we can see in this case, and, making it harder to do so will work against the vary nature of this tech. This is a tough nut to crack but I think the space will remain filled with predators constantly baiting prey into the system with the promise of a big reward.


"You can't undo a transaction" is a core feature of crypto. This is hilarious, because in actual payment networks, it literally only benefits scammers.

Every consumer ever has at one point or another wanted or needed to reverse a transaction. Chargebacks are a FEATURE of credit cards.


You know how in old crime fiction there was often an episode with "bearer's bonds" where up top they define bearers bonds as "this just belongs to whoever holds it, so be very careful" and you just know they're going to get stolen immediately?

That's how I feel about crypto.


Reversibility is great for consumers who are sending money in exchange for products and services. It can be a nightmare for people who receive the money and are providing the products and services.

And it isn't just businesses who carry this risk. If a business was depending on a large inflow to make payroll, and that inflow gets reversed, the people who are expecting payment for their labor also are subject to a payment reversal.

There's definitely a lot of benefits to reversibility, but it has very real costs and tradeoffs.


While "Nigerian spam" scams profit off simple-minded gullible people, cryptocurrency scams profit off sophisticated gullible people.

Traditional banks and the financial industry are generally sub-optimal, but at least if you are scammed, they will do their best to either recover your money or return you whole.

To have this safety, money and finances have to be centralized, regulated, and governed, all of which crypto doesn't have and doesn't want.


> they will do their best to either recover your money or return you whole.

And if they don't, the courts can force them to do it and give you some extra money for the trouble.


No they won't. If you bank transfer money to a scammer, the bank won't refund you, nor can they recover it. If you give a scammer your bank access credentials, they also won't refund you because you broke the TOS.


Wow

They may well block the transaction before it's made, for cases like this.

It's obviously going to be much much more difficult to steal $450K from an actual bank account and get clean away - you're going to need a lot more proof of identity than a google login. From that POV, owning a lot of cryptocurrency is painting a target on your back.

How do they identify their marks? A random firefighter seems like an odd target.

Could just be people talking about crypto on social media directly saying that they own some. Would not be too hard to find accounts where you can clearly identify the person behind the twitter handle, facebook profile, instragram account or whatever talking about that online. We're only hearing about people who happened to lose a huge amount of money but lots of people probably fell for this scam and lost money on the scale of $100 or $1000.

that's a good point. People who follow crypto accounts on social media probably own some amount, so it's pretty easy to go from there.

I found this video, titled 'To Catch a Scammer: How a real-life criminal steals your bitcoin' pretty informative. An employee is able to go into detail on how scammers find their marks: https://youtu.be/pskUt4ZjM4M

The video linked in the article by Junseth also goes over some of this.


I wonder if it is just harder to give away several million dollars of government currency without being able to recover it? This is only an interesting story because it is so much money and because they are able to narrow the suspects down to a small group.

Cryptocurrencies are like speedrunning the discovery of why finance is regulated, though, that is certainly true.


I think you’re saying the same thing from the other side: it’s definitely true that it’s harder to get or transfer large amounts of real money because the system has layers of protection due to past fraud, but those fraud protections also mean that most people can’t get the kind of paper profits which lure people to cryptocurrencies. This gives scammers the appealing target of a self-selected group of financially unsophisticated people who have chosen a system designed to make large scale theft easy and safe.

100%. It's been that way forever too. I've caught numerous people setting up mining crap, it's everywhere and anyone that shouldn't be trusted but is probably will be a vector.

About a year ago I got an email from an actual Coinbase email address telling me that my account had been compromised. It included a case number.

Trying to log in with my username and password did not work. Moments later I get a phone call, the caller id says that it is Coinbase. Guy on the phone with a thick German accent tells me he's calling about my account and gives me the case number from the email. I know damn well never to trust a phone call you did not initiate, so I'm kind of just stringing the dude along on the phone.

I remember that I had set up a passkey, and try it. I get in with that and immediately run to the emergency "lock my account" button. I tell the guy on the phone that I have clicked it and after a bit of "uhmmm..."-ing and "hmmm..."-ing he just hangs up.

I call Coinbase support and they verify some recent transactions and ask me to forward them the email, and that's that. I still have no idea what the actual attack was or how they changed or invalidated my password. Best I can tell they did not manage to actually get in to my account.

I ended up changing my password to just about everything out of caution.


Last time I called boss money transfer, i called them and their real agents told me they must call me to verify. I was like, how would I know if it is boss money transfer or scammer. At the end I had to trust because voice was same.

     how they changed or invalidated my password. 
Probably just too many invalid login attempts.

I wonder if there's any one legitimate instance of a company calling you about compromised accounts and requiring your action. It seems to me that anyone reaching out and lighting a fire under your ass can be assumed to me a malicious actor.

Any notification asking you to confirm your identity that is not initiated by your actions should be immediately dismissed with a "no" and that should be all there is to such things, no?


Yes, but you have to know that.

I got a call from "Bank of America," and they smoothly talked me into giving them my debit card PIN. The trick was they had gotten into my online banking beforehand. "We've detected possibly fraudulent activity on your account." Then they read me real transactions from my actual account. "To be safe, let's lock down the account. For this we need more information for authentication, though." Probably started from a phishing thing that I fell for online without noticing. It was pretty clever of them. Not so easy to steal from a checking account without leaving a trail, unless you have the PIN. Then the main risk is to whomever was on camera at the ATM withdrawing as much cash as possible before the account was automatically locked down.

The next day, I got a call from "Bank of America" telling me that I'd been had. Fortunately they just credited the money back into my account. About $5000.

The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."

The article's advice is correct. If someone asks you for info, tell them you'll call them back. It is almost certainly a scam. Calling back the possibly spoofed number at worst wastes a little time being on hold, and at best saves you or the bank a lot of money.


> Calling back the possibly spoofed number

Don't call back the number possibly being spoofed (i.e. using your Caller ID as the source of the callback number). Call an independently-listed number for the company, such as the phone number on the back of a credit or debit card. Using an independent number prevents any failures where the Caller ID correctly reports an attacker-controlled but plausible-sounding number.

For extra paranoia and safety, perform the callback from a separate phone line. That would avoid at least some of the more-targeted attacks involving a compromise of the victim's phone connection, which could potentially allow the attacker to redirect outgoing calls.


"Hang up, look up, call back"

> The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."

Unfortunately physical branches are expensive to maintain, so a lot of banks have been closing them down. There are even plenty of banks with zero physical branches now. All contact is via phone or email, so there is no scam-proof way for them to contact you.


They don't have to have a scam-proof way to contact me. They just need to give me a way to contact them.

That way, any phone call or email to me can be immediately ended with me saying "Thanks, I'll call the number on the back of my card," and hanging up.


Exactly this. Send me a call or text message that maybe I should go look at my account. If I log in through my normal trusted process and everything looks OK, then I can assume it's not legit.

Most banks seem to have some kind of internal message center within the application that is just for bank to client communications. That's the place to authoritatively tell me something needs to happen and what potential next steps would be.


How were they able to use an ATM without having your card?

I recommend not calling back the incoming number even if you think it's real and spoofed, always look it up on the bank's website.


Depends on the time frame and the ATMs being used.

I don't think all ATMs require chipped cards yet, and its still common to have a debit card issued with a magstripe. If the GP used their debit card to pay for things it could have easily been duped. My bank issued me a new card for an account a few years ago; it still has a magstripe and I assume can still be used at magstripe-only ATMs.

If it was even a few years ago, a lot of ATMs would have still worked with just a stripe. It's a bit more difficult to find these days, but old ATMs still running OS/2 WARP are still around and kicking.

Its frustrating so many banks and what not are still issuing cards with magstripes. These days wipe the cards I use most with a magnet to try and mess up the magstripe. I don't want to ever use it. Generally speaking, if they can't take chipped cards, tap to pay, or cash I'm not doing business with them.


Yeah I get that the magstripe can be copied, but GP was referring to a phishing attack.

They probably copied the magstripe, but couldn't do a straight at withdraw without stripe+pin.

Far easier to track/reverse a debit transaction done as a credit card network than debit requiring PIN.


My understanding is that they had a programmable card. This might have been just before chips became widespread in America. Or, maybe there's still a way to withdraw with only the information visible on the card.

Here's a thing that is enraging, though: when a bank has SMS 2FA (insecure if you're being targeted but better than nothing) and they keep having you enter that into third-party websites. I mean going to a legitimate business, making a purchase with a credit card, and then the bank wants 2FA to validate a purchase instead of a login? Fuck off, I'll use a different card, then.

If it weren't for bullshit FICO calculations I would drop that account entirely.


Banks are pretty good at doing an impression of phishing scams, unfortunately. Almost every red flag for a scammer has also been done by a bank, legitimately.

There was a comment on Hacker News, which alas I can no longer locate, where a guy said he'd been called by his bank and the bank wanted him to answer various security questions. He said he was happy to do so, but firstly needed the bank to verify who they were, or to call the bank back on a telephone number on their website. The bank refused, so he refused to give them any details. The bank then blocked his bank account, meaning he couldn't pay his university tuition on time, meaning his student visa was no longer valid as he was no longer "studying", meaning he had to leave the country.

That doesn't add up; you're free to call the bank at the telephone number on their website whether the representative who just called you wants you to do that or not.

A bank blocked an account because they called someone and that person didn't provide them with personal data? That sounds unlikely.

I've definitely experienced the first half of the story: banks really will do dumb things like this and then be surprised when someone is upset by it (anti-fraud protection tends to be the worst: a text-message from a random unaffiliated number with another unaffiliated number to call, where you must then provide account details in order to get your card unblocked, and trying to call the official number and go through the phone tree does in fact, eventually, tell you that it was legitimate, but only after hours of being batted between departments).

That's not the half I have trouble believing.

Banks do have obligations under AML and KYC laws to get information from their customers. I mean I know a single phone call sounds extreme, but I could believe it.

My bank (in the EU) wrote to me a while back (post, no copy to email, no sms, no phone call, etc.) saying if I didn't provide info on certain recent transactions (my salary) they'd block my account in two weeks. Thankfully I wasn't on vacation and saw the letter and answered and it was all OK.


Having information about you (that you provide when opening the account) is entirely different from calling you out of the blue after you already have an active account for long enough that you trust and depend on it for your migration status. Refusing then is in no way breaching AML/KYC requirements. They would ask them to validate the identity on the call, not to gather regulatory data on their client. If they didn't have any info and were to "call as ask" how would they know it's the right person and data anyway?

How is a bank not validating one phone call grounds for freezing funds?


I am not surprised. I know of a bank that disabled a credit card following a single missed payment for the crime of failing to answer a phone call.

This is one of the reasons I use a local credit union with a handful of branches only in my region. I can always re-establish trust by just walking into a branch to do business, and likewise they can always just ask me to walk in with my driver's license if they need to verify that I'm really me.

A reasonable decision in your case, no doubt.

But the mentions of "his student visa was no longer valid [...] meaning he had to leave the country" make me think walking to a local bank branch might not have been an easy option in the post adrianmsmith recalls.


Absolutely agree! I only brought it up because it seems like, in our quest for efficiency, we are rapidly heading for a world where we try to delegate trust to outside entities (like tech companies, megabanks, or far-off government departments in Washington, D.C.) but, fundamentally, what makes financial transactions work (with anything other than physical currency), is actual real trust between parties. This is how the great banking houses of Europe began, it's how remittance networks still work in much of the global south, and its how the Jimmy Stewart-style small town bank once functioned. National banks with lots of local branches are an approximation of this, but the "branches" keep getting less and less bank-like: there is no "president" at the BoA branch inside Kroger, just somebody with a pulse who can technically pass a background check far enough to get bonded. Finally, many of the big banks are just closing these far-flung branches altogether. Bank of America &co. may get many advantages from their enormous scale, but they may be undermining their own foundations in the name of cost savings by trying to cheap out on "customer service" as if banking were just another kind of retailing and trust wasn't central to their entire business.

They probably know this and don't care because it won't happen this quarter or likely even this fiscal year, so it doesn't matter to anyone in charge. But it does matter to ordinary people trying to conduct their lives without being irreversibly de-personed by a flakey customer service bot.


I understand the desire to be skeptical, but maybe you should give individuals the benefit of the doubt and the giant multinational corporation the skepticism.

I'm being skeptical about something someone wrote online about something the read online. Don't make this about ethics.

This.

Also healthcare providers, though they seem to have finally wised up. They would call me from poorly configured phone systems (so unrecognizable caller id) and the first thing they would ask is to confirm full name and date of birth.

Patterns like this do a great deal of damage in desensitizing folks and making them accept dangerous patterns that get exploited by scams.


Even if you recognized it, the number shown by Caller ID is easy for the caller to spoof -- or at least it was a few years ago (the last time I paid attention).

Thankfully that part has vastly improved with STIR/SHAKEN, combined with number reputation management.

The problem with that, at least on my experience with iPhone, is you can only get the authentication signal after you’ve already hung up. The only thing I see is a small checkmark next to the “location” of the call in my recent call log. I can’t find any indication of a stir/shaken status in the active call screen.

So asking people to take the step to confirm the call is legitimate won’t work- they can’t tell until they’ve already terminated the call. It’s useless for purpose imo.


On my Pixel some calls just get auto-rejected. Others will get through but be marked with a red caution symbol for the picture and say "Scam Likely". Then finally sometimes the call will come through with just the number but still have that red caution symbol.

I imagine it is doing something with STIR/SHAKEN along with how many other times similar calls have been flagged as spam calls.


My carrier has a similar “scam likely” feature but afaik that is not directly tied to stir/shaken. I’ve also signed up to have calls rejected and can see them in the carrier app.

I have reported at least a thousand different scam calls over the past two years and so my blocked number list is so large it freezes the phone for a minute or so while it loads. Still the scammers persist…


I remember when I used Ting, I could specify what would appear as caller id. If I had wanted to abuse this, I could easily have had it display whatever number I wanted instead of my name. Since a number of phones would display the caller id instead of the number when caller id was available, nobody would know that the number was not real. I am not sure if this has changed at all.

I have had my telephone company ask me to give them a code sent to my device. It is presumably to prove to the company that the representative is talking to me so that bad actors low in the company cannot start randomly messing with people’s accounts. It is the equivalent of the bad click here. The only real defense is to know the difference between a mechanism meant to authorize someone a the company and a mechanism to authorize you. Confuse the latter for the former like the victim did here and bad things will happen.

Interesting. Was that after you called them or they called you?

It was when I called them.

Banks maybe, but Google? Google only has "AI" support and that doesn't call us yet. So it's safe to assume that any call from Google is fake.

Yeah Google will never call you about your free gmail account, just as Microsoft will never call you about a virus on your home computer.

I called a bank to increase my ATM limit. The agent sent me an SMS code to verify my identity and wanted me to read it back to him. The message said not to give the code to any human. Sigh.

If some bank calls you about compromised accounts, the recommended action should be to hang up, find the official phone number for your bank, wait one minute[1], then call back.

[1] You have to wait or call from a different phone, because the call might not terminate immediately, and the scammer might still be listening on the line.

https://security.stackexchange.com/a/100342


Sometimes there are good reasons for a bank to call you. The infuriating part is that not every bank has a quickly accessible number to call back if you don't trust the caller. Caller ID may be useless, but me calling the official number for my bank is pretty hard to fake (unless my carrier is part of the scam).

My bank has a button inside the app that will confirm that a real bank representative is calling you, or provides a button to call the bank's emergency line if they're not. It's a simple and effective way of preventing scams that I think more banks should implement.


A ss7 attack could make your carrier part of the scam without their knowledge, such that calling back the number will connect you to the scammer and not the bank.

Ideally yes no one would fall for that. But these type of attacks doesn't just rely on solely ignorance. They introduced urgency, the fight or flight situation. Plus the first guy in the article got caught up in bad timing where his mental condition aren't right with his kid crying, his wife yelling etc.

I’ve had my bank call me because of dubious online purchases, asking if it was me. The call was legitimate and my card number had been skimmed.

“In Soundcloud’s instance, part of declaring your innocence is you have to give them your home address and everything else, and it says right on there, ‘this will be provided to the person making the copyright claim.'”

Good job helping the scammers, SoundCloud. WTF


The defining feature of crypto - decentralized, irreversible, no "higher power" you can go to in order to get your money back - turns out to be the thing that burns people ALL the time.

Surprisingly, there's also no "higher power" to get your money back from scams using traditional banking rails as well. I have family members who have lost thousands from bank transfers to legally registered companies that establish legitimacy through having a business bank account. It usually takes forever to shut them down, even after hundreds of thousands of reports from people like me who recognize what they are early on.

Many haven't actually lost money in significant ways through bank transfers, but when it does happen, the disillusionment of institutional security really falls away. Additionally, governments are slow and ineffective, so when these companies do get caught with class action lawsuits, they usually don't have anything to return.


Lots of people still don't quite understand their debit card. No way they're going to learn how private keys work.

Still might some sense as an institutional store of value though I guess.


Maybe but this shit is hard for institutions too. There are so many sharp edges.

Even in a well-respected fintech with responsible, talented people I’ve seen: safe deposit boxes get lost (literally no idea where in the world they actually are), go missing (the bank relocates or closes and disposes of them without notification) or become destroyed (fire, flood). I have seen industrial-grade hardware security modules spontaneously corrupt all the internal keys, happily continuing to produce “encrypted” output which can never be decrypted.

Building crypto offerings at scale that can survive the myriad unknown unknowns of real world and hardware failures that can affect both paper and hardware wallets is a really difficult problem. Not impossible, but the stakes are extreme and getting one thing wrong that leads to the loss of a cold wallet can easily lead to total ruin.

Even if “only” a hot wallet gets popped, the instantaneous and irrevocable loss of those funds needs to be offset by a comparatively large amount of operating profit.

At least with the traditional banking system there are a lot of safeguards in place.


I had read of this attack back in September[1]. It seems very sophisticated because they spoof a phone number that at first glance is associated with Google, but is really just the “uncanny-valley” Google Assistant service that can check wait times or make reservations on your behalf.

Does Google even offer live-person support if you’re not their Workspace customer?

Also, one other difference is that apparently the attackers may have been using Salesforce to send the emails. Maybe they were using a trial or developer edition? I believe those can send out emails too, but they are very limited. So this must be a very targeted kind of attack. The scary part is that the attacker’s emails pass SPF, DKIM, and DMARC. There’s a technical write-up I found about this aspect of the attack.[2]

[1]: https://sammitrovic.com/infosec/gmail-account-takeover-super...

[2]: https://docs.google.com/document/d/1xrJsRBcGj9x2mMvRoKLG4ANS...


> Does Google even offer live-person support if you’re not their Workspace customer?

Not really. That's the giant red flag behind committing to a gmail, outlook, etc. account. If it gets messed up you're at the whim of "on-rail" support and if you need anything more all you can do is shout into social media and hope a stray employee feels bad for you.


Yes they do. If you subscribe to Google One.

https://support.google.com/googleone/


The start of the article and comments thus far focus on the authenticator/Google account scam. I think a separate topic of note is taking a photo of the wallet recovery words [on an internet-connectable device]. This was, IMO, the primary mistake the user made. (And an easy one to make if you don't consider its consequences)

What I want to know is if the attackers knew that the photo was there, and if so, how. Or were they just planning to get into the victim's gmail and exploit whatever they found?

I couldn't find it from the article, but how the scammer got access to the Gmail account? How he triggered that prompt in the victim's phone, and what did it mean?

It feels something is missing here?

Edit: Well, I learnt about Google Prompts today: https://support.google.com/accounts/answer/7026266?hl=en&co=...

Basically someone can request access to your account and if you click Yes, they do access it.

This part from a Reddit thread [1] scared me a bit:

> The notification pops up on my screen over whatever I am doing, and if I'm using my phone, I worry that I might accidentally hit YES (it almost happened today).

1: https://www.reddit.com/r/techsupport/comments/ccd304/someone...


While this is devastating, the lesson that we should all remember:

Never, ever, no matter the circumstances, store private keys (or seed phrases) on photos. Especially if those photos are synchronized to the cloud.

Hand-write them, store them in a safe and secure PHYSICAL location.

Of course we're humans, we make mistakes, and we usually start with small amounts of money that we can lose where it would be unnecessary to take all these precautions, but we still need to regularly remind ourselves to avoid disasters like this in the self-custody world.


I think a lot of people bought some crypto early on when it was really cheap, were kind of sloppy about the security of things, and then left it alone and ignored everything while it went up by 10,000x in value. Now when their account is worth hundreds of thousands of dollars, their security is pretty inadequate for something with that actual value.

Many people have accounts worth hundreds of thousands of dollars of non crypto assets but are relatively safe with the same level of security (or even less) than what crypto demands of its users.

Well yeah. Which shows that, despite the poor understanding of some in tech of how conventional finance actually works, it's dramatically more secure than any type of crypto at securing large amounts of money for actual users.

Honestly, that part of the story seemed completely unbelievable. I mean I get that someone might stare such a photo in the cloud, but hackers are really going to run a scam on him and then sift through photos thinking “maybe?”

I'd assume there's some model for finding those kinds of photos

Ok but you have to balance that with the risk that your PHYSICAL item will be lost, stolen, or destroyed. What happens then?

The problem is that the security protocols required to keep cryptocurrency safe are simply untenable for any mere mortal. But hey, we keep blaming the victims… because they didn’t know the one simple trick to keep their Bitcoin safe!


or store them in some encrypted form that you know how to reverse easily but which would take an attacker more trouble than it was worth to break.

The red-flag he should have spotted was Google "Support".

The idea that Google would spend money to help a non-business user for anything is beyond unlikely.

They don’t even support businesses. We pay for whatever the highest tier of support is.

We have been emailing our TAM (or whatever Google calls them) for weeks (and opening tickets)

They keep giving us the same fucking documentation link.

Literally useless.

Another instance we were using code from their docs and they refused to help saying they don’t look at code ever


The highest enterprise support tiers at Google cost millions of dollars per month… you probably mean the highest listed on their website for small to medium businesses.

No, it’s in the millions.

Then it’s pretty suprising considering your company would have a direct line to multiple senior people at Mountain View…

I mean, the email says it's from Google Forms. Is that not suspect enough?

Unfortunately, when a person is getting support from a large corporation it's completely routine and normal for the follow-up e-mail to have random extra branding like "zendesk" or "atlassian" or "salesforce"

It's a clever move by the scammers - I can see how people would fall for it.


I feel like attacks like this would be much harder if we had never adopted HTML emails. Then it would make more intuitive sense (for the user) for an institution to write:

(1) Go to our website

(2) Login and check your account

Of course, leigitimate emails do that now, but because of the way we've been trained to "click" (such as "click to verify your email"), this conditioning carries over to phishing and other attacks, whereas that would be impossible with plain text. With plain text, the email verification would have to be "paste this code into a box".


Email clients would probably still parse URLs into links. People would click them. Then people would prefer links that didn't look like gobbledygook, so email clients would start supporting extensions like parsing of [markdown-style links](https://gobbledygook.com/ddkf878dfjlsfd). And then we would arrive at HTML.

> Then people would prefer links that didn't look like gobbledygook

Well, I can say with relative confidence that people prefer those links but _marketers_ prefer hxxps://awsmail.me/b64trustmebro/8675309== that leads who fucking knows where


My favorite bit:

> More importantly, Tony recognized the voice of “Daniel from Google” when it was featured in an interview by Junseth, a podcaster who covers cryptocurrency scams. The same voice that had coaxed Tony out of his considerable cryptocurrency holdings just days earlier also had tried to phish Junseth, who played along for several minutes before revealing he knew it was a scam.

> [...]

> Daniel told Junseth he and his co-conspirators had just scored a $1.2 million theft that was still pending on the bitcoin investment platform SwanBitcoin. In response, Junseth tagged SwanBitcoin in a post about his podcast on Twitter/X, and the CEO of Swan quickly replied that they caught the $1.2 million transaction that morning.

> Apparently, Daniel didn’t appreciate having his voice broadcast to the world (or his $1.2 million bitcoin heist disrupted) because according to Junseth someone submitted a baseless copyright infringement claim about it to Soundcloud, which was hosting the recording.

> The complaint alleged the recording included a copyrighted song, but that wasn’t true: Junseth later posted a raw version of the recording to Telegram, and it clearly had no music in the background. Nevertheless, Soundcloud removed the audio file.

DMCA enabling bad actors to cover their tracks was not on my bingo list.


Are there examples of DMCA being used in a positive manner?

You mean besides literally all the times when people upload raw copyrighted movies and music to YouTube? DMCA is boring and un-newsworthy when it's working properly. (Unless you're the type who thinks copyright is inherently wrong, but it would then be very silly to ask if DMCA was ever "used in a manner".)

Someone once took one of my youtube videos and reuploaded it with a link to malware in the description. I took down the video with a copyright claim.

I am maybe missing something obvious here, but isn't it suspicious that these attacks "affecting a small number of google users" happened to "hit" two people with significant cryptocurrency holdings?

Maybe the attackers already knew through some other means that they had large crypto holdings, i.e., spear phishing.

How stressful it must be as an experience to go through.

Having nothing to be robbed from is such an underrated means to live in serenity.


I have a simple defense against this. I use a special email account for financial information that only my email provider, myself and my financial institutions know to exist. Even if I tap yes instead of no by mistake on a prompt like this, my financial accounts are safe unless the attacker breaches my bank to find out the email account I use with them first.

> my financial accounts are safe unless the attacker breaches my bank to find out the email account I use with them first.

It's entirely possible that someone can accomplish this with a phone call to your financial institution's customer help line.

"Oh gosh, I'm sorry, I forgot whether I used my email address or my wife's for this account - can you tell me what's on file?"


I wonder how that would work if they cannot prove my identity first by telling the representative a code sent to my phone number. I would expect the bank to tell the attacker to go into the local branch with identification.

Social Engineering. You would expect the bank too but not so. These scummy people are good at manipulation.

Humans are very exploitable.

"Im ever so sorry; but I am unable to get to the bank right now, my mother was in an accident and I need to get to the hospital in 30 minutes. Is there any other way?" "No? Can you do it for me".

Playing empathy over the phone gets you places as does wearing a workers Hi-Vis jacket to get in to back stage at festivals.


My bank would happily say too bad. I have had them insist on getting me into the branch for absurd things in the past.

> By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app.

When business guys are involved in a security app. Many of us can easily imagine the "user story" that caused this.


Just look at the probably hundreds or more comments here through the years of people bashing Google for having their authenticator app not sync TOTP secrets to the cloud. For the longest time it was pulling teeth to get the app to surrender the TOTP secrets saved inside.

Google listened.


I always tell people to take control of the situation and stay calm. If “Google” or someone contacts you about a problem, simply hang up or ignore the email, look up the company’s info online, and contact the company directly.

It seems like the common thread here is that the thefts were of cryptocurrency, rather than real assets in a financial system with safeguards. You can still get robbed of those assets, but it leaves a far stronger paper trail to catch the perpetrators.

The difference is that we haven't spent a century building up police organizations, bureaucracies, processes and international working relationships to track down crypto crime the way we have for "normal" financial crimes.

You would track down this crypto in just about the same way you'd track down a fraudulently ordered wire transfer that was cashed out. Records would be requested, IP's and timestamps recorded, more records would be requested from other parties based on those, and so on and so on. The difference is that it's somebody's job to go after those. It's nobody's job to go after this.


It’s the classic tradeoff of freedom vs. security. It’s the biggest reason I can’t foresee myself storing substantial amounts of cryptocurrency. I just want to hand my hard earned money to a financial institution and not have to think about it too much.

Almost all scammers use more or less the same trick, they try to trigger a fear or greed rush with their message/call, so you don't get a chance to question authenticity of what you read or hear.

That is also what many salespersons do to get you to buy what you don't need nor even want, you cannot miss this limited time discount.

Always stop for a moment and be skeptical, caller ID can be spoofed, email addresd can have ä or ē in the domain that you won't notice if you don't look carefully.


So the attacker has known in advance that the secret was stored in google photos? Is it a common way to store passwords, or is some piece missing here?

Likely a common way to store recovery codes. Similar to those bots that scrape github for API keys

That is one really nasty aspect of cryptocurrency. They make theft cryptographically irreversible. And you can watch the thieves spend your money!

Stop using TOTP. Enable Advanced Protection on your Google account and exclusively use security keys.

Problem solved. Total cost: $30 in security keys (Advanced Protection enrollment is free.)

It’s just like Canada Bill Jones said: It’s immoral to let a sucker keep his money.


I hadn't considered that use of Google Forms to send emails from a Google domain. That's a pretty huge security risk, technically it doesn't risk your zgiogle account but the phishing and impersonation risks for Google are huge.

How did the scammers know these people were likely to have significant amount of crypto in the first place?

Never Trust a call you didn't initiate.

I wholehearted agree with your mantra. But I need banks and other businesses to learn this. Particularly banks.

My bank has literally called me with what amounts to "ur being haxxor3d", and like … who are you? The representative literally would not tell me who he worked for. I was 210% sure it was a scam, and hung up on him. Turned out, it was legit.¹

Companies need to make sure their own operations don't bear the trappings of fraud.

¹(I don't regret hanging up, though. Calling back to a known, published-by-the-business-itself number is the right thing to do.)


Yeah I got a similar call once from someone, maybe a credit card company, and the first question was "to verify your identity we need the last four digits of your social security number" and I was like wait a minute, you called me. What are the last four digits of YOUR social security number?

45 BTC (as in the screenshots) is not 500K, it's 4.5M

Losing a fortune with one bad click is not a new thing or all that rare, stock betting is all the same.

Idk I just think the title is pretty lame and generalizes a pretty informative phishing article, in a bad way.


Easy for me to be a smartass in hindsight, but I can't resist:

> Unfortunately for Griffin, years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet.

Um, duh...

> "[...] I put my seed phrase into a phishing site, and that was it.”

>Almost immediately, all of the funds he was planning to save for retirement and for his children’s college fund were drained from his account.

Um, duh. First mistake to put all eggs in a single basket. Second mistake, this basket was a cryptocurrency. Third mistake, pasting the secret key to that _anywhere_.


>ultimately seized control over the account by convincing him to click “yes” to a Google [2FA] prompt on his mobile device

Stopped reading there. What more can we do to protect people from their own stupidity (and I'm not talking about the crypto "investment" part)?


The wallet name was exodus, how fitting :D

> Daniel told Tony his account was being accessed by someone in Frankfurt, Germany, and that he could evict the hacker and recover access to the account by clicking “yes” to the prompt that Google was going to send to his phone.

Come on.


Holding $500k in hot wallet, this man is braindead...

Are these spammers just lucky or is there something that lets them sniff blood in the water and specifically target people holding large amounts of crypto?

It wasn't a hot wallet, he had taken a photo of his seed and then left it in Google photos.

So your conclusion is sound but your premise is invalid.


If you're so rich, why aren't you so smart? is the burning question here.

It's mind-boggling to me how crypto guys can be simultaneously savvy enough to be involved in crypto, to the tune of millions of dollars, but also retarded enough to fall for stuff like this.


It's not really a matter of intelligence, and nobody's smart 100% of the time.

Let's take the average person on this forum, who's probably pretty tech savvy. Their odds of falling for a scam on a given day might be 1 in a billion. But when they're exhausted after work, they might be 10X likelier to fall for a scam. Another 10X when they're stressed out about family life, or going through a breakup. Another 10X when they're out drinking with their friends. And so on.

Eventually, whether it's due to age or other factors, everyone gets to be in situations where they're susceptible to scams. And scammers are experts at emotional manipulation, exploiting fear and embarrassment.


100% - yes - if you follow simple rules



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: