this post was submitted on 27 Mar 2025
665 points (99.0% liked)

Technology

68131 readers
3350 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
665
Have I Been Pwned owner, pwned. (htxt.co.za)
submitted 5 days ago* (last edited 5 days ago) by Tea@programming.dev to c/technology@lemmy.world
70 comments fedilink hide all child comments
 
  • A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
  • Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
  • Hunt has detailed the attack and warned his subscribers in a timely fashion.
you are viewing a single comment's thread
view the rest of the comments
[–] nulluser@lemmy.world 9 points 5 days ago (2 children)

Asked to verify my identity with a code to my phone - standard

No, absolutely not standard. This is where red flags should go up. If your bank texts you a code when you log in, then that's what the scammers are doing (trying to log in as you, triggering the website to send you the code to confirm that it's you logging in (except it's not you, it's them), and then getting you to tell them the code so they can finish logging into your account.

[–] sugar_in_your_tea@sh.itjust.works 11 points 5 days ago* (last edited 5 days ago)

There are two types of texts:

  • 2FA - usually says something like "we'll never text you this code, don't give it to anyone"
  • ID verification - pushed by a rep while on a call, and doesn't have the "we'll never text you this code" bit

The first is needed for user-initiated actions, the second is only used to ensure the person you're talking to has access to the device on file.

When I called the actual bank, they did the second one to reset my account credentials, and again when I set up the MFA app after the trip. It's absolutely a thing. When I call for help navigating the website, the person on the phone walks me through the SMS verification process, but explicitly tells me to not tell them that first type of code.

Scammers do the first and cannot do the second, which is why they have the warning text on the first and not the second (though there is different warning, which makes it clear they're different). My fail was skimming the text for the number and ignoring the warning about not giving it to anyone.

[–] lka1988@lemmy.dbzer0.com 2 points 5 days ago

USAA does this when someone calls in, but I think that last part is the real difference here