I had these people call me the other day. I got a text message alerting me of a potential Google account security issue they had blocked and that I should expect a call. I also got one of those emails and an automated phone call. The automated phone call had me dial 1 if I wanted a call back from support to help recover my account.
I got a call from a very professional sounding woman assuring me she was with Google and they had discovered some potentially fraudulent activity with my Google account in Frankfurt. They said they had locked down my account to protect it but they would walk me through recovering it.
I knew this was impossible, because the Google account in question doesn't have passwords. It has a couple of passkeys which are all physical hardware tokens in my home. But I wanted to see how pushy they would get.
Turned into a half hour phone call with me playing dumb (was watching my kid's sports practice, nothing to do for a half hour but cheer him on). Eventually when I was done with it I let them know I was in the process of filing the report with the federal cybercrime department. Immediately hung up from that.
There’s an easier tell. It’s impossible because you can’t get Google to help you at all about any account issues, never mind them being as proactive as to call you.
In other words, if Google calls you, it’s not Google.
It’s slightly depressing that there are probably more fake Google support staff than real ones.
I feel Google, Facebook, etc. all need to setup actual phone numbers and chat rooms, and make them rank highly on searches for "Google support phone number", "Google fraud department", "Google account recovery department", "Google Live Support Chat" etc.
Then those numbers should simply play a message that this is the only official phone number, and no human will ever call from or answer this number, and the company does not offer customer support or appeals to account problems.
They also need to make searching for fraud phone numbers return anti-fraud messaging rather than what it currently does. Seems like the entire 844-906 exchange is fraudulent [1].
I had a family member that just got scammed because they panicked after their Facebook account got banned, basically exactly like [2].
In case you would like a concrete example to ground the cynicism about corporate trade-offs around customer support, I recommend watching Jill Bearup's 10 minute video [0] about this week's demonetization. For example, she has to deal with some form that she "can't submit", a customer service contact 12 time zones away (so email replies are 12 hours delayed), and an account manager who is non-responsive. In her court are some unaffiliated Google employees giving guidance, but only because they were already part of her YouTube watching audience.
If it weren't for the routine ex-Googler postmortem blog post shared on HN I'd think Google doesn't even have human employees.
The greatest mystery of my life is what is a "Google Product Expert" on their community forums whom I assume:
1. isn't an employee speaking as the company.
2. is someone given the title by the company.
3. spends a lot of time answering questions despite not being paid for it.
4. can contact Google employees somehow.
The only perks for this that Google lists are that you can join a secret club of Google Product Experts. It feels like the gig economy applied to customer support.
I had Google call me once :) It was when I was riding in a Waymo and one of the screens in the vehicle was lagging a little bit. They made the surprising choice of calling my phone, rather than ringing the car itself, and I didn't pick up because... who picks up when your phone says, "Call from Google" :) They called the car shortly afterward to reassure me that the lagging screen wasn't an indicator that the car would underperform.
Being guaranteed to be able to talk to a human would be great, but I just don't see how it can possibly scale to over 1 billion users that aren't paying, like Gmail has.
Years ago, my brother used to work for Xbox Live Tech Support, and he said that easily over half the calls he got were for things that customers could easily self-service, like a password reset. Many tech issues were fixed by the most basic troubleshooting step: power cycling.
Meanwhile, my uncle works Xfinity tech support, and he'll frequently get calls when a website has an outage, not to mention how many non-technical people think any internet-related issue, such as a forgotten Google password, means calling your ISP.
This doesn't even begin to talk about bad actors calling tech support to try to break into someone else's account. Google accounts are high-value targets. Once you've gotten in, there's a really good chance you could easily pivot to all of that person's other accounts.
To handle the call volume that a service like Google would have, if they offered phone tech support, the amount of staff they would need would be in the hundreds of thousands, and so many of the calls they take would be wastes of time. There are a lot of non-technical people that have no idea how things work and basically think that Google IS the Internet.
I had a weird security alert on my Google account the other night after trying to do a "Sign in with Google" to a service I've used for years. Trying to view my account/security info kept redirecting me to a page instructing me on how to clear cookies.
I clicked support and was able to get a call right away. But I pay $20/year for Google One.
Somehow Google and other tech companies are not required to have a customer service that actually solves the legitimate problems customers have with their services. I wonder how they are allowed to do this not just in the US but across the world.
I got one of the same calls (didn't believe them). Afterwards I phoned Google support and they said the same thing, they will never call you. I had them confirm nothing was wrong with my account, just in case.
So it's very possible to phone Google support, just don't believe anyone who calls you.
> It’s slightly depressing that there are probably more fake Google support staff than real ones.
I've never thought of it that way but you're right! Dealing with support at most tech companies is a horrible experience and is usually something I research before using a product where a failure in service provision could lead to catastrophic results.
Depends heavily on the company. Fidelity, for example, has super friendly, local sounding support employees. They will sometimes call you directly, too, for things like "checking in on your retirement goals". If someone called sounding professional, it would not be a tell that it isn't actually Fidelity.
Plus, most of the weird "customer support" scams I've gotten in the past are people with thick accents on a garbage connection.
I've gotten real support calls where the audio was so bad it was hard to understand anything they said. And/Or the standby music fidelity was so awful it's like pounding a spike in my ears. (Or maybe that's intentional so I hang up and don't bother with them.)
You'd think they'd have equipment newer than the 1960s.
I get lots of helpful emails from my mail administrator telling me I have some sort of problem I need to log in/revalidate/release pending messages etc.
Frankfurt is actually notorious in Germany for their issues with drugs. Going outta the train station you can see people passed out with literal needles in their arms, taking a shit in public view, etc.
Doesn't really transfer to cyber crime, but it's definitely one of the more "criminal" places in Germany. Still super tame compared to actual slums etc though
The glaring common denominator here is that the attacker has the ability to send an unprompted, unblockable request to the victim's phone. Pressing the safe-looking green button that shows up, even accidentally, is digital suicide.
Google Prompt is supposed to be a safety feature. The account recovery process lets a hostile actor turn Google Prompt into a loaded gun, and Google puts it directly into the victim's hand, aimed straight at their own head.
There's absolutely no way to shut off Google Prompt that doesn't involve removing every Google app from your mobile devices.
This is called MFA bombing. Just send prompts until the user accidentally accepts one.
Microsoft’s authentication has protection against this, requiring you to manually enter a 2 digit number in your phone, matching what you see on your other device. Very simple, there is no excuse for Google to not have similar.
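The number-matching idea above, as an added illustration that is not the thread's code nor Microsoft's or Google's implementation: a hypothetical server issues a two-digit number on the login screen, the phone must type it back (a blind "approve" tap can never succeed), a wrong guess burns the challenge, and a pile-up of unanswered prompts for one user is refused and raises an alert, which is the detection point for MFA bombing.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PushChallenge:
    challenge_id: str
    user: str
    number: str            # two digits shown on the login screen; the phone must type them back
    created_at: float
    state: str = "pending"  # pending | approved | rejected | expired


class NumberMatchingPush:
    """Hypothetical server side of a number-matching push login (illustration only)."""

    def __init__(self, ttl_seconds: float = 60.0, max_pending_per_user: int = 3):
        self.ttl = ttl_seconds
        self.max_pending = max_pending_per_user
        self.challenges: Dict[str, PushChallenge] = {}
        self.alerts: List[str] = []

    def _pending_for(self, user: str, now: float) -> List[PushChallenge]:
        return [c for c in self.challenges.values()
                if c.user == user and c.state == "pending" and now - c.created_at <= self.ttl]

    def start_login(self, user: str, now: Optional[float] = None) -> Optional[PushChallenge]:
        """Called after a correct password; sends a push. Refuses (and records an alert)
        when the user already has too many unanswered prompts, i.e. is being bombed."""
        now = time.time() if now is None else now
        if len(self._pending_for(user, now)) >= self.max_pending:
            self.alerts.append(f"push flood for {user}: {self.max_pending}+ pending prompts")
            return None
        ch = PushChallenge(secrets.token_hex(8), user, f"{secrets.randbelow(100):02d}", now)
        self.challenges[ch.challenge_id] = ch
        return ch

    def phone_response(self, challenge_id: str, entered: Optional[str],
                       now: Optional[float] = None) -> str:
        """What the authenticator app submits. A plain approve tap carries entered=None and
        cannot succeed; only the number copied from the login screen approves."""
        now = time.time() if now is None else now
        ch = self.challenges.get(challenge_id)
        if ch is None or ch.state != "pending":
            return "unknown"
        if now - ch.created_at > self.ttl:
            ch.state = "expired"
            return "expired"
        if entered is not None and hmac.compare_digest(entered, ch.number):
            ch.state = "approved"
            return "approved"
        ch.state = "rejected"  # one wrong guess burns the challenge: no 100-try brute force
        return "rejected"

    def is_logged_in(self, challenge_id: str) -> bool:
        ch = self.challenges.get(challenge_id)
        return ch is not None and ch.state == "approved"


def simulate_mfa_bombing(server: NumberMatchingPush, user: str, attempts: int,
                         victim_taps: bool, now: float = 0.0) -> Tuple[int, int, int]:
    """Constructed scenario: an attacker with the victim's password triggers `attempts`
    logins one second apart. The victim either taps approve on every prompt without
    knowing the number (victim_taps=True) or ignores them all. Returns
    (prompts delivered, approvals, alerts raised)."""
    delivered = approvals = 0
    for i in range(attempts):
        ch = server.start_login(user, now=now + i)
        if ch is None:
            continue
        delivered += 1
        if victim_taps and server.phone_response(ch.challenge_id, None, now=now + i) == "approved":
            approvals += 1
    return delivered, approvals, len(server.alerts)


if __name__ == "__main__":
    srv = NumberMatchingPush()
    legit = srv.start_login("alice", now=100.0)
    print("legit login:", srv.phone_response(legit.challenge_id, legit.number, now=105.0))
    print("bombing, victim taps blindly:", simulate_mfa_bombing(NumberMatchingPush(), "bob", 10, True))
    print("bombing, victim ignores:", simulate_mfa_bombing(NumberMatchingPush(), "bob", 10, False))
```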
That quickly becomes tedious when you need to do it multiple times a day - e.g. logging in to different customer environments. Much prefer the one-click approval.
Google allowing OTP codes to be generated from the cloud is also insane to me. I've known about this feature for a little while, but it never ceases to amaze me how careless Google is with security.
> Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one’s Google account online.
This sounded absolutely crazy to me so I went to open Authenticator on my phone and lo and behold it offered me the option of linking to my account and "backing up my codes in the cloud" to which I declined.
But I had never seen this behavior before, so is this new? It did not seem to be enabled by default in my case.
What's crazy to me is that Google would allow access to a foreign device from a single click. It would be easy for a person to accidentally click it, or for a kid playing on their parent's device to click it when it popped up. I really can't understand why they wouldn't send a code that would have to be entered instead; it would be far less prone to those kinds of problems.
"foreign device" based on IP geolocation is pretty tricky and annoying.
My home in Texas had an IP address which a lot of databases had as supposedly being in Montreal. It was like that for years. Gotta love so many sites trying to default to French.
How would a code help? The victim has already bought into the social engineering. If the person on the phone asks the user to read out a code, they will. If the person on the phone asks them to enter a code (i.e. the version of this kind of prompt where the user needs to enter a code on the phone matching the one showing on the login page), they will.
Google only added this feature recently. I am really conflicted about this feature. Without it you need to either save every TOTP code when you first set up the account or manually disable 2FA on every account and then enable it again so you can enroll it on a new phone. I used it when migrating to my most recent cell phone but then disabled it. Of course you have to trust that Google actually deletes the codes from your account.
Generating and storing your passwords, OTPs, and passkeys in a fully E2EE system like 1Password is effectively a root of trust, although you also have to trust (a) the password manager company, (b) whatever third-party systems and devices they use to build and deliver their software, (c) the quality of their cryptosystem, and (d) whatever device you use to decrypt/access secrets in your vault.
Yup. If you DON'T have this feature, you're depending on every user who has TOTP 2FA to actually save their backup codes somewhere they can retrieve ~years later or back up their TOTP some other way manually. Naturally, most users will fail to do this, so you'll have to deal with how to securely reset the accounts of people whose phones got lost or destroyed.
But then if you DO have it, you have to deal with the situation in this story, where if you can compromise their one key account, you get all of their TOTP codes too.
There is a big gap in the greater security landscape here. I personally use hardware authenticators for this reason, but I have to manually enrol each security key for each account.
Really what I would like is a root of trust which maybe is a cipher text which I can store in several physical locations, and then my security keys are derived from that root of trust. Then when I set up 2FA with a service it is using the root of trust and seeing that my security keys are derived from that root of trust. This allows me to register the root of trust only once and then I can use any key derived from it.
Some cryptocurrency hardware wallets such as Trezor's are usable exactly how you want: they support fido2/webauthn and derive their keys from the recovery seed phrase. You can write down the recovery seed phrase, initialize other hardware wallets with the same recovery seed later on, and they will present to a computer as the same fido2/webauthn token.
Just checked and Google authenticator seems to be synced to my account, which is a huge SPOF and not what I want. It's possible that I did this without realising, but does anyone know of a way to revert authenticator to local-only? I don't see anything obvious.
> does anyone know of a way to revert authenticator to local-only?
To answer my own question: tap the profile pic (top right on Android) and choose the Use Without an Account option. Removes codes from cloud storage and any _other_ devices. Mentioned in TFA.
I use Authy and it does this too. I like that I can get the code on my phone or tablet. I also keep paper copies of the original QR codes in a safe place.
The trick with Authy is to disable multi-device access unless you're in the process of adding another device, so hackers and scammers can't add their own devices to your account without your aid. If you leave the setting enabled, someone may get your TOTP secrets from Authy before you can stop them.
You can just decode the QR code and use whatever secret is in there to generate the OTP codes. TOTP isn't that complicated, it's really just a second password that the system generates.
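The point above in working form, as an added example that is not from the thread: the otpauth:// URI is what the QR code encodes, the Base32 secret inside it is the entire second factor, and RFC 4226/6238 arithmetic turns it into codes. The URI below is constructed and uses the RFC 6238 test secret, so the outputs match the RFC's published vectors; the verifier also shows the server-side check with a one-step clock window and a constant-time compare.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example URI (the RFC 6238 test secret "12345678901234567890" in Base32).
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8&period=30")


def parse_otpauth_uri(uri: str) -> dict:
    """Pull the TOTP parameters out of an otpauth://totp/ URI (what the QR code encodes)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("URI carries no secret parameter")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"],
        "issuer": query.get("issuer", ""),
        "digits": int(query.get("digits", "6")),
        "period": int(query.get("period", "30")),
        "algorithm": query.get("algorithm", "SHA1").upper(),
    }


def decode_base32_secret(secret: str) -> bytes:
    """otpauth secrets are Base32 without padding; restore the padding before decoding."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(key, at_time // period, digits, algorithm)


def totp_from_uri(uri: str, at_time: Optional[int] = None) -> str:
    """Everything an authenticator app does: parse the URI, decode the secret, emit the code."""
    params = parse_otpauth_uri(uri)
    key = decode_base32_secret(params["secret"])
    now = int(time.time()) if at_time is None else at_time
    return totp(key, now, params["period"], params["digits"], params["algorithm"])


def verify_totp(key: bytes, code: str, at_time: int, period: int = 30, digits: int = 6,
                algorithm: str = "SHA1", window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side to absorb
    clock drift, comparing in constant time. Real servers must also refuse code reuse."""
    step = at_time // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, step + delta, digits, algorithm), code):
            return True
    return False


if __name__ == "__main__":
    print(parse_otpauth_uri(EXAMPLE_URI))
    print("code at t=59:", totp_from_uri(EXAMPLE_URI, at_time=59))
    print("code now:", totp_from_uri(EXAMPLE_URI))
```

Anything that holds a copy of that secret (a cloud backup, a screenshot of the QR code) holds the second factor itself, which is the reason the synced-Authenticator concern elsewhere in the thread matters.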
It is at least relatively new. Years ago I had to try the Google “hard landing” account recovery process because it wasn’t happening, which is how I learned that they had that form going to an email address which had been deleted. Fortunately I had paper recovery codes in my safe.
Google rolled out that hare-brained "improvement" in an update to Google Authenticator a few months ago, with the nice extra that for some users, when you dared unselecting the new cloud backup checkbox, the secrets stored in the app were instantly corrupted in some way, so you were locked out of your Google accounts immediately as a bonus <chef's kiss>. Happened to a family member, luckily they had a working emergency access method.
We will never use Google Authenticator again.
They added this recently, because lots of people complained to Google that they lose their tokens; Authy and others started to gain traction because they did synchronization. Google was pretty much forced.
I know, 2FA loses the entire point when it's synchronized. But, well. People lose their stuff all the time!
The active ingredient in 2FA as practically implemented for nearly everyone has never been the 2. It's mostly just not letting humans choose their entire password.
It does feel like the security protocols necessary to secure $100k to $Ms of crypto which transfers instantly and non-reversibly is a challenge for the average user.
Even as a fairly tech enabled GenX, I have forgotten passwords and had to reset them (usually accounts I haven’t used in a while), had files corrupted without a good backup, lost a Yubikey somewhere in the house (I think at least).
From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.
Versus keeping my money in SIPC and FDIC protected accounts.
I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted with so much logistics risk, and appreciation… well who knows about that.
1) if you don't exclusively have the private key (wallet), you don't own the crypto. if someone else gets the private key unwittingly, they now own the crypto
2) split cumulative funds into two wallets, a "hot" wallet and a "cold" wallet. keep the funds in the "hot" wallet to no more than for which total unintentional loss is tolerable. keep the private key to the "cold" wallet off any internet connected device except for the minimum duration required to transfer funds to the hot wallet.
3) print the recovery phrase for the cold wallet and store it in a physically secure location
4) if an ideally secure physical location is not possible, split risk across multiple "cold" wallets
that sounds tedious af and still prone to error, i'd rather literally pay someone to handle all of this for me, let's say, some kind of institution which specializes in storing and handling money
> 1) if you don't exclusively have the private key (wallet), you don't own the crypto. if someone else gets the private key unwittingly, they now own the crypto
That's not how the legal system works, and they're the ones who decide who owns things.
> From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.
Not sufficient. You'd also need someone you trust 100% to have another seed protected as if it was the gold of Fort Knox. And then you'd only use "multisig" to sign transfers.
And that other person needs to live on another continent.
And you both need a backup plan in case you die if you plan to leave these 0.1 Bitcoin to your heirs.
This makes the $5 wrench attack impossible to succeed. As to whether the attacker is willing to add gratuitous (because it's impossible it'd succeed) torture/killing to its list of crimes is something else though.
> I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted...
I think mid-term to long-term people simply buy a Bitcoin ETF or stocks from a company holding shitloads of Bitcoins like MicroStrategy. Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland).
Keeping your own Bitcoins is not unlike keeping physical gold coins. It's doable but risky. Multisig really helps a lot but buying a Bitcoin ETF is simply easier. Open bank or broker website, click click. Done.
I'm not saying Satoshi's dream or the Bitcoin maximalists' dream is good old Wall Street manipulating Bitcoin's price using paper Bitcoin (silver ETFs were in big trouble in 2021) but what I'm saying is I think that's how it's going to end.
>I think mid-term to long-term people simply buy a Bitcoin ETF or stocks from a company holding shitloads of Bitcoins like MicroStrategy. Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland).
But what's the inherent value of BTC if it doesn't do the things it claims? What value does Michael Saylor owning a bunch of bitcoin, of which I have a pretend share, even have?
This is the paradox of Bitcoin. It's a really cool technology that's really hard for normies to use.
I feel that crypto offers a different risk profile than say the gold ETF. There certainly is significant risk and expense to storing and securing the physical gold backing the ETF. I think it also needed to be audited as matching expected reserves occasionally?
But crypto has similar IT and physical security costs at a minimum, though physical storage will be cheaper. Auditing maybe similar costs, I’m not quite sure how you confirm ownership of an address or pile of BTC without transactions?
The big risk is that these big holding companies of bitcoin become targets of state-scale cybercrime hacking armies. Can you imagine an adversary deploying constant attack on every facet of your IT infrastructure, from accessing the private keys presumably stored in hot wallets to support active trading to the interface where they may try to interfere with client functions to all sorts of ends from theft to market manipulation.
I partially agree, although I can see more companies offering these kinds of services in the future. Block already has a system with Bitkey, custody companies like Casa and Unchained are providing services as signers, and AnchorWatch is stepping in as both a custody and insurance provider at the institutional level. Despite the government's best efforts to limit participation from existing banks[1], other services are jumping through the arduous hoops of regulation to fill in the void.
> Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland)
I'd suggest that holding precious metals without actually having physical metal under your exclusive control is essentially as flawed as holding crypto without exclusively holding the private key.
I have no doubt that at least some, especially in the early days, envisioned crypto as a legitimate alternative to fiat currency. That being said, in its mature state as a technology, it amounts to nothing more than a clone of the modern financial system with a different set of oligarchs, except that it has far fewer consumer protections, and the nature of it makes implementing said protections in any way extremely difficult.
That combined with the extreme volatility of value that is not only endemic to any coin with meaningful usage, but is generally a goal of most coins, makes it only really useful as a speculative vehicle, and those same properties also make it uniquely bad in terms of a store of value to be used in commerce unless the seller also plans to speculate on the value.
And, even if you're good with all of that: Yes, the tech itself is decentralized, but if you don't have at least some background in basic software development or scripting, you're almost certainly going to end up using some product or another to manage your wallets and transactions, and while the wallet is anonymous, the accounts you connect the wallet to are often quite the opposite, and because of the structure of the chains, your entire transaction history is visible to everyone on the network, at all times. So it's private by default, but basically any casual user is immediately and forever doxxable.
Xmr aims to be a digital cash, and basically achieves that. Btc has goals more akin to digital gold, hence being more useful to speculators than people buying things is somewhat intentional.
I don't know who the oligarchs you're talking about are. Buterin? Bankman Fried? In either case, their position is quite different from that of a banking titan.
I wonder if people who are "invested" in cryptocurrency are more susceptible to these kind of scams. There's a strong aspect of FOMO in getting people to buy imaginary internet money, and also in getting them to panic and fumble said internet money.
One of the reasons I stay away from it is that, at least in recent years, every scam that I see taking place involves crypto. I have a lot of acquaintances and I can almost draw a line at this stage: the higher the "shadiness" of the person, the more they are invested or talking about crypto. I am yet, even though I owned, to have had the need to use crypto in my daily/weekly/monthly/yearly life.
It is very easy to destroy lives with it as we can see in this case, and, making it harder to do so will work against the very nature of this tech. This is a tough nut to crack but I think the space will remain filled with predators constantly baiting prey into the system with the promise of a big reward.
"You can't undo a transaction" is a core feature of crypto. This is hilarious, because in actual payment networks, it literally only benefits scammers.
Every consumer ever has at one point or another wanted or needed to reverse a transaction. Chargebacks are a FEATURE of credit cards.
Traditional banks and the financial industry are generally sub-optimal, but at least if you are scammed, they will do their best to either recover your money or return you whole.
To have this safety, money and finances have to be centralized, regulated, and governed, all of which crypto doesn't have and doesn't want.
No they won't. If you bank transfer money to a scammer, the bank won't refund you, nor can they recover it. If you give a scammer your bank access credentials, they also won't refund you because you broke the TOS.
I wonder if it is just harder to give away several million dollars of government currency without being able to recover it? This is only an interesting story because it is so much money and because they are able to narrow the suspects down to a small group.
Cryptocurrencies are like speedrunning the discovery of why finance is regulated, though, that is certainly true.
I think you’re saying the same thing from the other side: it’s definitely true that it’s harder to get or transfer large amounts of real money because the system has layers of protection due to past fraud, but those fraud protections also mean that most people can’t get the kind of paper profits which lure people to cryptocurrencies. This gives scammers the appealing target of a self-selected group of financially unsophisticated people who have chosen a system designed to make large scale theft easy and safe.
It's obviously going to be much much more difficult to steal $450K from an actual bank account and get clean away - you're going to need a lot more proof of identity than a Google login. From that POV, owning a lot of cryptocurrency is painting a target on your back.
100%. It's been that way forever too. I've caught numerous people setting up mining crap, it's everywhere and anyone that shouldn't be trusted but is probably will be a vector.
About a year ago I got an email from an actual Coinbase email address telling me that my account had been compromised. It included a case number.
Trying to log in with my username and password did not work. Moments later I get a phone call, the caller id says that it is Coinbase. Guy on the phone with a thick German accent tells me he's calling about my account and gives me the case number from the email. I know damn well never to trust a phone call you did not initiate, so I'm kind of just stringing the dude along on the phone.
I remember that I had set up a passkey, and try it. I get in with that and immediately run to the emergency "lock my account" button. I tell the guy on the phone that I have clicked it and after a bit of "uhmmm..."-ing and "hmmm..."-ing he just hangs up.
I call Coinbase support and they verify some recent transactions and ask me to forward them the email, and that's that. I still have no idea what the actual attack was or how they changed or invalidated my password. Best I can tell they did not manage to actually get in to my account.
I ended up changing my password to just about everything out of caution.
Last time I called boss money transfer, I called them and their real agents told me they must call me to verify. I was like, how would I know if it is boss money transfer or a scammer. At the end I had to trust because the voice was the same.
I wonder if there's any one legitimate instance of a company calling you about compromised accounts and requiring your action. It seems to me that anyone reaching out and lighting a fire under your ass can be assumed to be a malicious actor.
Any notification asking you to confirm your identity that is not initiated by your actions should be immediately dismissed with a "no" and that should be all there is to such things, no?
I got a call from "Bank of America," and they smoothly talked me into giving them my debit card PIN. The trick was they had gotten into my online banking beforehand. "We've detected possibly fraudulent activity on your account." Then they read me real transactions from my actual account. "To be safe, let's lock down the account. For this we need more information for authentication, though." Probably started from a phishing thing that I fell for online without noticing. It was pretty clever of them. Not so easy to steal from a checking account without leaving a trail, unless you have the PIN. Then the main risk is to whomever was on camera at the ATM withdrawing as much cash as possible before the account was automatically locked down.
The next day, I got a call from "Bank of America" telling me that I'd been had. Fortunately they just credited the money back into my account. About $5000.
The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."
The article's advice is correct. If someone asks you for info, tell them you'll call them back. It is almost certainly a scam. Calling back the possibly spoofed number at worst wastes a little time being on hold, and at best saves you or the bank a lot of money.
Don't call back the number possibly being spoofed (i.e. using your Caller ID as the source of the callback number). Call an independently-listed number for the company, such as the phone number on the back of a credit or debit card. Using an independent number prevents any failures where the Caller ID correctly reports an attacker-controlled but plausible-sounding number.
For extra paranoia and safety, perform the callback from a separate phone line. That would avoid at least some of the more-targeted attacks involving a compromise of the victim's phone connection, which could potentially allow the attacker to redirect outgoing calls.
> The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."
Unfortunately physical branches are expensive to maintain, so a lot of banks have been closing them down. There are even plenty of banks with zero physical branches now. All contact is via phone or email, so there is no scam-proof way for them to contact you.
Here's a thing that is enraging, though: when a bank has SMS 2FA (insecure if you're being targeted but better than nothing) and they keep having you enter that into third-party websites. I mean going to a legitimate business, making a purchase with a credit card, and then the bank wants 2FA to validate a purchase instead of a login? Fuck off, I'll use a different card, then.
If it weren't for bullshit FICO calculations I would drop that account entirely.
Banks are pretty good at doing an impression of phishing scams, unfortunately. Almost every red flag for a scammer has also been done by a bank, legitimately.
There was a comment on Hacker News, which alas I can no longer locate, where a guy said he'd been called by his bank and the bank wanted him to answer various security questions. He said he was happy to do so, but firstly needed the bank to verify who they were, or to call the bank back on a telephone number on their website. The bank refused, so he refused to give them any details. The bank then blocked his bank account, meaning he couldn't pay his university tuition on time, meaning his student visa was no longer valid as he was no longer "studying", meaning he had to leave the country.
Also healthcare providers, though they seem to have finally wised up. They would call me from poorly configured phone systems (so unrecognizable caller id) and the first thing they would ask is to confirm full name and date of birth.
Patterns like this do a great deal of damage in desensitizing folks and making them accept dangerous patterns that get exploited by scams.
I have had my telephone company ask me to give them a code sent to my device. It is presumably to prove to the company that the representative is talking to me so that bad actors low in the company cannot start randomly messing with people’s accounts. It is the equivalent of the bad click here. The only real defense is to know the difference between a mechanism meant to authorize someone at the company and a mechanism to authorize you. Confuse the latter for the former like the victim did here and bad things will happen.
I called a bank to increase my ATM limit. The agent sent me an SMS code to verify my identity and wanted me to read it back to him. The message said not to give the code to any human. Sigh.
If some bank calls you about compromised accounts, the recommended action should be to hang up, find the official phone number for your bank, wait one minute[1], then call back.
[1] You have to wait or call from a different phone, because the call might not terminate immediately, and the scammer might still be listening on the line.
Sometimes there are good reasons for a bank to call you. The infuriating part is that not every bank has a quickly accessible number to call back if you don't trust the caller. Caller ID may be useless, but me calling the official number for my bank is pretty hard to fake (unless my carrier is part of the scam).
My bank has a button inside the app that will confirm that a real bank representative is calling you, or provides a button to call the bank's emergency line if they're not. It's a simple and effective way of preventing scams that I think more banks should implement.
An SS7 attack could make your carrier part of the scam without their knowledge, such that calling back the number will connect you to the scammer and not the bank.
Ideally, yes, no one would fall for that. But these types of attacks don't rely solely on ignorance. They introduce urgency, the fight-or-flight situation. Plus the first guy in the article got caught up in bad timing where his mental state wasn't right, with his kid crying, his wife yelling, etc.
“In Soundcloud’s instance, part of declaring your innocence is you have to give them your home address and everything else, and it says right on there, ‘this will be provided to the person making the copyright claim.’”
I had a family member that just got scammed because they panicked after their Facebook account got banned, basically exactly like [2].
[1] https://www.google.com/search?q=844-906
[2] https://www.npr.org/sections/alltechconsidered/2017/01/31/51...
[0] https://www.youtube.com/watch?v=6RZHajVV9PA
The greatest mystery of my life is what is a "Google Product Expert" on their community forums whom I assume:
1. isn't an employee speaking as the company.
2. is someone given the title by the company.
3. spends a lot of time answering questions despite not being paid for it.
4. can contact Google employees somehow.
The only perks for this that Google lists is that you can join a secret club of Google Product Experts. It feels like gig economy applied to customer support.
Years ago, my brother used to work for XBox Live Tech Support, and he said that easily over half the calls he got were for things that customers could easily self-service, like a password reset. Many tech issues were fixed by the most basic troubleshooting step: Power cycling.
Meanwhile, my uncle works XFinity tech support, and he'll frequently get calls when a website has an outage, not to mention how many non-technical people think any internet-related issue, such as a forgotten Google password, means calling your ISP.
This doesn't even begin to talk about bad actors calling tech support to try to break into someone else's account. Google accounts are high-value targets. Once you've gotten in, there's a really good chance you could easily pivot to all of that person's other accounts.
To handle the call volume that a service like Google would have, if they offered phone tech support, the amount of staff they would need would be in the hundreds of thousands, and so many of the calls they take would be wastes of time. There are a lot of non-technical people that have no idea how things work and basically think that Google IS the Internet.
I clicked support and was able to get a call right away. But I pay $20/year for Google One.
So it's very possible to phone Google support, just don't believe anyone who calls you.
Paying Google apps / GSuite users can call a number and it's real humans answering (and they're very helpful).
But indeed I don't think they proactively call you.
I've never thought of it that way but you're right! Dealing with support at most tech companies is a horrible experience and is usually something I research before using a product where a failure in service provision could lead to catastrophic results.
That's usually the tell, right there.
Legit support operations tend to sound unprofessional as hell. Heavy accents, scratchy lines, scripts referencing the wrong OS, etc.
Plus, most of the weird "customer support" scams I've gotten in the past are people with thick accents on a garbage connection.
You'd think they'd have equipment newer than the 1960s.
Urgently!
(I run my own mail server and I am the admin)
A customer support person from Google? Scammers really tell the craziest stories.
Doesn't really transfer to cyber crime, but it's definitely one of the more "criminal" places in Germany. Still super tame compared to actual slums etc though
Google Prompt is supposed to be a safety feature. The account recovery process lets a hostile actor turn Google Prompt into a loaded gun, and Google puts it directly into the victim's hand, aimed straight at their own head.
There's absolutely no way to shut off Google Prompt that doesn't involve removing every Google app from your mobile devices.
Microsoft’s authentication has protection against this, requiring you to manually enter a two-digit number in your phone, matching what you see on your other device. Very simple; there is no excuse for Google not to have something similar.
This sounded absolutely crazy to me so I went to open Authenticator on my phone and lo and behold it offered me the option of linking to my account and "backing up my codes in the cloud" to which I declined.
But I had never seen this behavior before, so is this new? It did not seem to be enabled by default in my case.
My home in Texas had an IP address which a lot of databases had as supposedly being in Montreal. It was like that for years. Gotta love so many sites trying to default to French.
Next day the phone broke, and I lost that account forever. I had not written the backup codes down anywhere.
But then if you DO have it, you have to deal with the situation in this story, where if you can compromise their one key account, you get all of their TOTP codes too.
Really what I would like is a root of trust, which maybe is a ciphertext which I can store in several physical locations, and then my security keys are derived from that root of trust. Then when I set up 2FA with a service it is using the root of trust and seeing that my security keys are derived from that root of trust. This allows me to register the root of trust only once and then I can use any key derived from it.
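The root-of-trust idea sketched in this comment, as an added example that is not the commenter's code or any product's: one root seed from which per-service TOTP secrets are derived with HKDF, so the seed alone rebuilds every code after a lost phone. The seed value, the salt label and the service names are constructed placeholders, and it is assumed that each service accepts the derived secret at enrollment.

```python
import hashlib
import hmac
import struct
import time

# Constructed placeholder root seed (32 bytes). In practice this would come from a
# hardware RNG and be the one value kept in several physical locations.
ROOT_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                          "101112131415161718191a1b1c1d1e1f")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_service_secret(root_seed: bytes, service: str, account: str,
                          version: int = 1) -> bytes:
    """Derive a per-service TOTP secret from the root seed.

    The service/account/version label is the HKDF `info`, so every service gets an
    unrelated 20-byte secret and leaking one service secret does not expose the seed.
    The salt is a constructed, fixed label for this demo."""
    info = f"totp/v{version}/{service}/{account}".encode()
    return hkdf_sha256(root_seed, salt=b"root-of-trust-demo", info=info, length=20)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def recover_codes_after_phone_loss(root_seed: bytes, registrations, unix_time: int):
    """Lost-phone case: only the root seed survives, and every service secret (and so
    the current code for each service) is re-derived from it."""
    return {(svc, acct): totp(derive_service_secret(root_seed, svc, acct), unix_time)
            for svc, acct in registrations}


if __name__ == "__main__":
    # Constructed enrollments; the service names are placeholders.
    regs = [("example-mail", "alice"), ("example-bank", "alice")]
    now = int(time.time())
    for key, code in recover_codes_after_phone_loss(ROOT_SEED, regs, now).items():
        print(key, code)
```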
IIRC on my platform, when they added the feature they turned it on by default, as an auto-installed update.
And if you're logged into the gmail app on the same device that also logs you into authenticator.
You didn't do anything wrong.
To answer my own question: tap the profile pic (top right on Android) and choose the Use Without an Account option. Removes codes from cloud storage and any _other_ devices. Mentioned in TFA.
Recommended alternative: 2FAS (https://play.google.com/store/apps/details?id=com.twofasapp) which allows you to import the secrets from Google Authenticator via QR codes, and has a local backup feature (e.g. to a USB drive).
Their personal accounts will be affected in the same way (lost phone, new phone etc).
Big brains at Google didn't understand the number '2' in 2FA
I know, 2FA loses the entire point when it's synchronized. But, well. People lose their stuff all the time!
And the fact that one of those doesn't lead to the other passes way over their heads.
Even as a fairly tech enabled GenX, I have forgotten passwords and had to reset them (usually accounts I haven’t used in a while), had files corrupted without a good backup, lost a Yubikey somewhere in the house (I think at least).
From what I can tell I would need to have my crypto seed laser etched into titanium, and then treat that talisman as if it was made of pure platinum as far as securing and tracking it.
Versus keeping my money in SIPC and FDIC protected accounts.
I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted with so much logistics risk, and appreciation… well who knows about that.
2) split cumulative funds into two wallets, a "hot" wallet and a "cold" wallet. keep the funds in the "hot" wallet to no more than for which total unintentional loss is tolerable. keep the private key to the "cold" wallet off any internet connected device except for the minimum duration required to transfer funds to the hot wallet.
3) print the recovery phrase for the cold wallet and store it in a physically secure location
4) if an ideally secure physical location is not possible, split risk across multiple "cold" wallets
That's not how the legal system works, and they're the ones who decide who owns things.
Not sufficient. You'd also need someone you trust 100% to have another seed protected as if it was the gold of Fort Knox. And then you'd only use "multisig" to sign transfers.
And that other person needs to live on another continent.
And you both need a backup plan in case you die if you plan to leave these 0.1 Bitcoin to your heirs.
This makes the $5 wrench attack impossible to succeed. As to whether the attacker is willing to add gratuitous (because it's impossible it'd succeed) torture/killing to its list of crime is something else though.
> I will say, the BTC appreciation is a big attraction of course, but long term I don’t see how it becomes widely adopted...
I think mid-term to long-term people simply buy a Bitcoin ETF or stocks from a company holding shitloads of Bitcoins like MicroStrategy. Just like I buy SLV (paper silver) or the ZKB silver ETF (physical replication, in vaults in Switzerland).
Keeping your own Bitcoins is not unlike keeping physical gold coins. It's doable but risky. Multisig really helps a lot but buying a Bitcoin ETF is simply easier. Open bank or broker website, click click. Done.
I'm not saying Satoshi's dream or the Bitcoin maximalists' dream is good old Wall Street manipulating Bitcoin's price using paper Bitcoin (silver ETFs were in big trouble in 2021) but what I'm saying is I think that's how it's going to end.
But what's the inherent value of BTC if it doesn't do the things it claims? What value does Michael Saylor owning a bunch of bitcoin, of which I have a pretend share, even have?
This is the paradox of Bitcoin. It's a really cool technology that's really hard for normies to use.
But crypto has similar IT and physical security costs at a minimum, though physical storage will be cheaper. Auditing maybe similar costs; I’m not quite sure how you confirm ownership of an address or pile of BTC without transactions?
The big risk is that these big holding companies of bitcoin become targets of state-scale cybercrime hacking armies. Can you imagine an adversary deploying constant attacks on every facet of your IT infrastructure, from accessing the private keys presumably stored in hot wallets to support active trading, to the interface where they may try to interfere with client functions to all sorts of ends, from theft to market manipulation.
[1] https://www.swanbitcoin.com/politics/biden-s-sab121-veto-sta...
I'd suggest that holding precious metals without actually having physical metal under your exclusive control is essentially as flawed as holding crypto without exclusively holding the private key.
That combined with the extreme volatility of value that is not only endemic to any coin with meaningful usage, but is generally a goal of most coins, makes it only really useful as a speculative vehicle, and those same properties also make it uniquely bad in terms of a store of value to be used in commerce unless the seller also plans to speculate on the value.
And, even if you're good with all of that: Yes, the tech itself is decentralized, but if you don't have at least some background in basic software development or scripting, you're almost certainly going to end up using some product or another to manage your wallets and transactions, and while the wallet is anonymous, the accounts you connect the wallet to are often quite the opposite, and because of the structure of the chains, your entire transaction history is visible to everyone on the network, at all times. So it's private by default, but basically any casual user is immediately and forever doxxable.
I don't know who the oligarchs you're talking about are. Buterin? Bankman Fried? In either case, their position is quite different from that of a banking titan.
What are the other desirable features of BTC?
It is very easy to destroy lives with it as we can see in this case, and making it harder to do so will work against the very nature of this tech. This is a tough nut to crack, but I think the space will remain filled with predators constantly baiting prey into the system with the promise of a big reward.
Every consumer ever has at one point or another wanted or needed to reverse a transaction. Chargebacks are a FEATURE of credit cards.
To have this safety, money and finances have to be centralized, regulated, and governed, all of which crypto doesn't have and doesn't want.
And if they don't, the courts can force them to do it and give you some extra money for the trouble.
Cryptocurrencies are like speedrunning the discovery of why finance is regulated, though, that is certainly true.
Trying to log in with my username and password did not work. Moments later I get a phone call, the caller id says that it is Coinbase. Guy on the phone with a thick German accent tells me he's calling about my account and gives me the case number from the email. I know damn well never to trust a phone call you did not initiate, so I'm kind of just stringing the dude along on the phone.
I remember that I had set up a passkey, and try it. I get in with that and immediately run to the emergency "lock my account" button. I tell the guy on the phone that I have clicked it and after a bit of "uhmmm..."-ing and "hmmm..."-ing he just hangs up.
I call Coinbase support and they verify some recent transactions and ask me to forward them the email, and that's that. I still have no idea what the actual attack was or how they changed or invalidated my password. Best I can tell they did not manage to actually get in to my account.
I ended up changing my password to just about everything out of caution.
Any notification asking you to confirm your identity that is not initiated by your actions should be immediately dismissed with a "no" and that should be all there is to such things, no?
I got a call from "Bank of America," and they smoothly talked me into giving them my debit card PIN. The trick was they had gotten into my online banking beforehand. "We've detected possibly fraudulent activity on your account." Then they read me real transactions from my actual account. "To be safe, let's lock down the account. For this we need more information for authentication, though." Probably started from a phishing thing that I fell for online without noticing. It was pretty clever of them. Not so easy to steal from a checking account without leaving a trail, unless you have the PIN. Then the main risk is to whomever was on camera at the ATM withdrawing as much cash as possible before the account was automatically locked down.
The next day, I got a call from "Bank of America" telling me that I'd been had. Fortunately they just credited the money back into my account. About $5000.
The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."
The article's advice is correct. If someone asks you for info, tell them you'll call them back. It is almost certainly a scam. Calling back the possibly spoofed number at worst wastes a little time being on hold, and at best saves you or the bank a lot of money.
Don't call back the number possibly being spoofed (i.e. using your Caller ID as the source of the callback number). Call an independently-listed number for the company, such as the phone number on the back of a credit or debit card. Using an independent number prevents any failures where the Caller ID correctly reports an attacker-controlled but plausible-sounding number.
For extra paranoia and safety, perform the callback from a separate phone line. That would avoid at least some of the more-targeted attacks involving a compromise of the victim's phone connection, which could potentially allow the attacker to redirect outgoing calls.
Unfortunately physical branches are expensive to maintain, so a lot of banks have been closing them down. There are even plenty of banks with zero physical branches now. All contact is via phone or email, so there is no scam-proof way for them to contact you.
I recommend not calling back the incoming number even if you think it's real and spoofed, always look it up on the bank's website.
https://security.stackexchange.com/a/100342
Good job helping the scammers, SoundCloud. WTF