this post was submitted on 27 Mar 2025
665 points (99.0% liked)

Technology

68131 readers
3350 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
665
Have I Been Pwned owner, pwned. (htxt.co.za)
submitted 5 days ago* (last edited 5 days ago) by Tea@programming.dev to c/technology@lemmy.world
70 comments fedilink hide all child comments
 
  • A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
  • Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
  • Hunt has detailed the attack and warned his subscribers in a timely fashion.
you are viewing a single comment's thread
view the rest of the comments
[–] sugar_in_your_tea@sh.itjust.works 51 points 5 days ago* (last edited 5 days ago) (2 children)

I almost fell for a bank scam a couple years back. Basically, I had just gotten a new phone w/ GrapheneOS, which doesn't have Google's scam number protection (I was well aware, that's not the issue) and I hadn't yet transferred my contacts, and I received a call about a fraud alert on a card. This has happened a few times, and usually it's a pretty straightforward call where they verify my identity before asking me about certain transactions. As a bit of background, I was on vacation at the time and I got the call while waiting in the parking lot while my SO ordered something at a food truck.

Anyway, the call progressed like this:

  1. Mentioned , which I have
  2. Asked to verify my identity with a code to my phone - standard
  3. Went over a couple suspicious transactions, which I confirmed wasn't me
  4. Asked to verify my identity again, and that's where I got suspicious, so I didn't provide it

I immediately called my bank and sorted things out, and we figured out nothing was stolen because I didn't provide the second code (that was to link an external account to suck my money out). Because I was in an unfamiliar setting and honestly pretty tired (we drove all day the day before), I just skimmed the text in step 2 w/o reading that it was a user-initiated code (i.e. for a password reset) instead of a bank initiated code (i.e. verify identity).

I consider myself a pretty security-conscious person. I use a password manager, MFA everywhere I can (preferring TOTP), I'm a lead backend SW engineer who has caught multiple security issues, etc. However, I fell for the scam and missed the safeguard that should have protected me. Fortunately it all worked out, but I did have to change all of my account numbers and login, which wasn't particularly fun while on vacation. That bank is fortunately one of the few that supports TOTP in my country, though I had avoided setting it up because it required a special app (Symantec VIP) and calling in (no self-service). I now have it set up and feel much better about my account security.

[–] Zikeji@programming.dev 23 points 5 days ago (1 children)

I'm fairly certain I annoy the people at my bank because I always insist on calling them back at their official number if they ask for any personal information. I don't fuck around with my bank security. I did however get got a couple of more years ago back when the chrome browser window phishing attack first started and had my Steam account stolen for a solid minute.

That's the attack where they simulate a browser window so what you think is a oauth popup is actually just inpage javascript and CSS.

[–] sugar_in_your_tea@sh.itjust.works 6 points 5 days ago (1 children)

Yeah, I'd really rather avoid waiting on hold every time there's a fraud alert or something. It doesn't happen a lot, but I have a lot of cards (like 10) and I often have one that gets an alert most years. It's usually not an issue, especially since I don't usually have money at the same institutions where I have a credit card, this was a special one where it's a card I only use at like 3 places (Steam being one of them) because it's for purely personal spending (as opposed to "family" spending).

If I wasn't on vacation, hadn't just gotten a new phone (I enter my bank's numbers as contacts), or wasn't impatient (I was hungry and waiting for food), it wouldn't have been an issue. It was just a perfect storm of opportunity. Now it's even less likely because I now use TOTP and my understanding is that there's no reason the bank would ever ask for that code (I think they only send text).

It happens.

[–] Zikeji@programming.dev 1 points 5 days ago (1 children)

Yup, what you're describing sounds inline with how Corey Doctorow fell victim to fraud.

[–] sugar_in_your_tea@sh.itjust.works 5 points 5 days ago* (last edited 5 days ago) (1 children)

This one?

It's completely different. In that case, they were able to set up a fake business to accept payments, which is way more sophisticated than what happened to me. In my case, they just needed my login name and phone number, and I had reused the login name on several sites, so a number of places could have been involved in a breach. All the scammer had to do in my case was:

  1. check if I have an account at a major banking institution
  2. call me, pretending to be the fraud department
  3. get me to give them my SMS code (they'd trigger through the normal "forgot my password" process)
  4. keep me on the line long enough to link an external account
  5. get me to give them another SMS code ("final authorization" or whatever)

That's it, just two pieces of information, some smooth talking, and a little luck that I don't catch on. Corey Doctorow's situation required quite a bit more setup than that:

  1. get Amex to approve them as a mechart
  2. create a fake online ordering website that gets enough SEO to show up in search results
  3. have someone actually place an order at the vendor so nobody gets wise

That's a lot more sophisticated than what happened to me.

[–] Zikeji@programming.dev 5 points 5 days ago* (last edited 5 days ago) (1 children)

He got scammed again? Damn. Sorry, I was referring this one. And not really the details of the scam, but it was the wrong place / wrong time element that reminded me.

Edit: the article you linked is older, so I guess not "again".

[–] sugar_in_your_tea@sh.itjust.works 1 points 5 days ago

Oh yeah, that's a lot more similar.

[–] nulluser@lemmy.world 9 points 5 days ago (2 children)

Asked to verify my identity with a code to my phone - standard

No, absolutely not standard. This is where red flags should go up. If your bank texts you a code when you log in, then that's what the scammers are doing (trying to log in as you, triggering the website to send you the code to confirm that it's you logging in (except it's not you, it's them), and then getting you to tell them the code so they can finish logging into your account.

[–] sugar_in_your_tea@sh.itjust.works 11 points 5 days ago* (last edited 5 days ago)

There are two types of texts:

  • 2FA - usually says something like "we'll never text you this code, don't give it to anyone"
  • ID verification - pushed by a rep while on a call, and doesn't have the "we'll never text you this code" bit

The first is needed for user-initiated actions, the second is only used to ensure the person you're talking to has access to the device on file.

When I called the actual bank, they did the second one to reset my account credentials, and again when I set up the MFA app after the trip. It's absolutely a thing. When I call for help navigating the website, the person on the phone walks me through the SMS verification process, but explicitly tells me to not tell them that first type of code.

Scammers do the first and cannot do the second, which is why they have the warning text on the first and not the second (though there is different warning, which makes it clear they're different). My fail was skimming the text for the number and ignoring the warning about not giving it to anyone.

[–] lka1988@lemmy.dbzer0.com 2 points 5 days ago

USAA does this when someone calls in, but I think that last part is the real difference here