klik99 a day ago

Literally got something similar to this last Friday. Sounded legit. My one weird trick that works every time - give me a ticket # and an official phone number to call back to and I can confirm the phone number is legit. This way you can continue the conversation if it is actually legit, and if it's not legit then all good.

The guy who called me said "I can send you an email to show it's official" and I thought of that immediately when I read this article. No dice, he refused to give me a number to call back on, so I knew it was fake.

EDIT You can spoof from email addresses and you can spoof phone numbers - if someone is calling from a legit number on caller id it means NOTHING. You have to call back to a legit number to be sure it's real.

  • vunderba a day ago

    I personally don't even allow them an opportunity to give a "phone number" either. I always ask them to identify their company and the branch that they are with - and then personally go to the official website of the company (i.e. https://amazon.com, etc.) and look up the phone number there.

    A little less convenient for a LOT more security.

    • bigiain a day ago

      For some reason I can't seem to find my local Google branch's phone number on their website...

      • MobileVet a day ago

        This was so much funnier than I wish it was… ugh. Contacting Google. Good luck.

        • cwmoore a day ago

          Wonder why I've never had that problem.

          • tempodox 21 hours ago

            Are you saying you can find Google’s phone number?

            • cwmoore 19 hours ago

              Yes.

              • figassis 18 hours ago

                You’re probably worth a lot of money rn. I would start an entire business just selling people Google’s number. Heck, I would start an entire Google support company rn, publish a phone number and proxy calls to Google. I’d screen calls then also sell Google my services. You’re welcome. Build this in 2 months. I want 30% ownership.

                • marklubi 16 hours ago

                  I make them hundreds of thousands a year even with their commission from my app sales. Still don't have a contact there (same with Apple).

                  They're happy collecting their commissions and avoiding you. The only good thing is that (for the most part) the payment method is just a password/faceid/touchid away.

                • cwmoore 17 hours ago

                  Duh.

                  EDIT: also thank you, but 0.0% is fine.

    • II2II a day ago

      I have the fun of making outbound calls to offer people a public service and collect payment if people desire it. Most people gladly hand over their credit card details. A few years ago, someone wisely asked why they should trust me. (It only happened once in a decade!) I said they don't have to. They could look up our phone number at an easily verifiable government website, then call back; they could call any facility operated by the department; or they could visit any facility. Said individual provided their credit card details right then and there. Virtually no one cares about security.

      • rapind a day ago

        I don’t trust anyone calling me who isn’t already in my contacts.

        Callers from legitimate businesses treat me like I’m questioning the moon landing when I tell them I’ll need to call them at an official number.

        Now try and convince your family to do the same (especially parents who are prime targets).

        • benmanns 21 hours ago

          The trouble is, you have to place the outbound call to those contacts to trust them. People could spoof an incoming call from numbers in your contacts and it will look as legitimate to you as a receiver as if the real number was calling you. With voice spoofing, it's now possible to call someone as [grandchild] with [grandchild]'s voice with a pretty horrible story about what's going to happen if some Bitcoin or Google Play gift cards are not purchased and handed over immediately.

          • rapind 20 hours ago

            I'll give you an example. When the Bank calls me about something important, I tell them to give me their department / extension and I'll call them back. I then look up the bank's phone number on their website (it's actually in my phone already, and on my bank cards) and call them back.

            This process doesn't care about them calling from a spoofed number. We've had big problems with spoofed number scams and the CRA (Canadian version of the IRS) recently.

            • 0xffff2 5 hours ago

              So in other words, you don't trust any incoming calls, even if they appear to be from a number saved in your contacts?

        • II2II 21 hours ago

          > Callers from legitimate businesses treat me like i’m questioning the moon landing when I tell them I’ll need to call them at an official number.

          Not to justify their behaviour, but: most businesses are not set up to allow for callbacks or they're set up to actively discourage them. For example: they may be contracting out to call centers or employee performance may depend upon making a sale. My situation is unique since all calls are handled internally and my performance is not based upon making a sale.

          That said, the current situation pretty much dictates that a secure option should be offered to clients.

        • intrasight 20 hours ago

          I've not once had a legitimate company not say "good for you in taking the extra security precaution of calling us back".

          • nothrabannosir 20 hours ago

            No kidding!? I have never had someone take this in stride. Responses have ranged from surprise to defensive condescension. It rarely even works at all, and the two worst offenders were both banks. One UK, one USA. I almost had the check for my rent bounce after three days of this rigmarole and ended up having to just go with it.

            Where do you bank? I'm looking for recommendations.

          • plasticchris 12 hours ago

            Even better, once I had a financial institution tell me I needed to read them a one time code someone would text me. They were actually surprised I had a problem with it when it’s the scam playbook.

        • BobbyTables2 21 hours ago

          I suspect far more people question the moon landing than the authenticity of caller!

      • nothrabannosir 20 hours ago

        To be fair I give just about anyone and their dog my CC number. Chargebacks work and my life is that little bit easier for it.

        Playing Jason Bourne with your credit card number is not worth the effort if you ask me.

        I would even say this is a net positive for the economy: the cost of fraud is outweighed by the lower barrier to payment. I'm sure you'd have made fewer sales had people been more worried about security. Net positive then, right?

        • alvah 18 hours ago

          Depending on which country you're in and which bank you're with, chargebacks are nothing like as straightforward as they used to be. I just completed yet another one, which involved 2 separate phone calls totalling over an hour (so probably not worth it on a $/hour basis), accepting the risk that if Visa rejects the claim I'm liable for a further $50 charge (this is new), and generally 3 months of hassle until I got most of the money back (less the international transaction fee, as the merchant had fraudulently claimed to be in the same country as me, but charged me from the UK).

          • nothrabannosir 17 hours ago

            For the record what kind of chargeback are you initiating, and why does it have to go through visa rather than the bank who issued you the card? Unauthorized card-not-present transaction initiated by a third party? Some cbs are harder than others to get ruled in your favor, but the one where a criminal takes your card and uses it without your knowledge is by far the easiest one to get awarded. It involves one call to your bank and you get a new card, all fraudulent charges reversed.

            If your bank doesn’t want to honor the request yes you’ll have to contact the payment network (visa/mastercard) and I’m sure there’s someone in this thread who has experienced that for an unauthorized transaction chargeback but it’s exceedingly rare.

            Merchant error chargebacks , on the other hand… very different situation.

      • BikiniPrince 20 hours ago

        In the rare case something worms its way to collections I just ask for the certified letter. Now in ten years that only happened once. I even called the hospital asking where my bill was and they said I didn't owe anything. Three months later collections!

      • nradov 20 hours ago

        The great thing about credit cards (as opposed to obvious scams for suckers like cryptocurrency) is that consumers don't have to care about security. They can dispute fraudulent charges and never be out any money.

      • danielktdoranie 18 hours ago

        “I have the fun of making outbound calls to offer people a public service and collect payment if people desire it.”

        Oh so you’re a telemarketer.

        • II2II 17 hours ago

          Nope. I only sell services that people previously requested, though it is often months earlier. (As I suggested, it's a government job.) Sales is just one of the things tacked onto my job description over the years.

          And to further crush that cynicism: most people are overjoyed when I call them.

        • reaperducer 11 hours ago

          Oh so you’re a telemarketer.

          Not everyone who makes outbound calls is a telemarketer.

          The healthcare company I work for has a whole department of very nice people who make outbound calls to offer free health and nutrition classes to poor people.

          Yes, they're free. As an employee I am also required to take one of the classes each year, so I know what they entail. Yes, they cost our company money. No, they're not sponsored by some corporation or ad company, and no we don't sell people's information on (HIPAA and all that).

          The real world isn't a tech bubble cage fight.

    • misnome a day ago

      There are a lot of contact numbers for e.g. banks and often it’s not obvious how to re-contact the department you are talking to. So, I’m happy to take a number, but I have to be able to find it on the company site somewhere (will also accept generic e.g. “call the bank fraud line and supply this reference number”)

    • cortesoft 20 hours ago

      But this is google, who don’t have a phone number to call them.

    • marklubi 16 hours ago

      Just to add on, never say "yes" when you get a call from an unknown number (or maybe from all numbers, just be careful).

      "This is he(or she)", or "who are you trying to contact" handle most situations.

      Just don't let scammers get you saying something in the affirmative.

      • avidiax 16 hours ago

        What happens if you say "yes"?

        • marklubi 16 hours ago

          They have you acknowledging something at that point. Doesn't really matter what it is when they can take it out of context.

          Edit: Many of them are scammers, they don't play by the rules.

          • tpxl 13 hours ago

            How does that help them? It's not gonna pass any legal scrutiny. If they were going to lie, it doesn't matter whether you said yes or not at any point in the call.

            • marklubi 7 hours ago

              > It's not gonna pass any legal scrutiny

              Probably going to cost a lot to get to that point, probably more than they will scam you for. They're after the quick hit that gets them something right away while also believing that you won't take it that far.

              It's like knowing how to pick a lock vs just throwing a rock through the window that's next to the door to gain access. They both get you there.

    • Gud 11 hours ago

      Yes, why would you accept the phone number given to you by this stranger calling you as legit?

      • 0xffff2 5 hours ago

        You don't, but large organizations can have a lot of entry points (or none... but that's a different topic), so you let the caller pick the inbound number that will actually reach them or their department, but then you still independently verify that the number belongs to the organization before trusting it.

    • hedora a day ago

      I usually ask for the phone number, find it on the corporate site, then call the branch office.

      Alternatively, ask for their license number, check the license, then call the number it lists. (Kills two birds with one stone for licensed professionals.)

    • docmars 16 hours ago

      I simply don't answer my phone for anyone not already in my contacts, unless I'm expecting a call from a contractor or local service.

      I assume if I have a problem with any of my accounts, I'll eventually find out and self serve to go and fix it, as much as possible.

  • dec0dedab0de a day ago

    Be careful with checking official numbers too, or at least tell any non-tech friends. Fake numbers have been ending up in search results on official looking websites. It's a real knife fight out there.

    • Waterluvian a day ago

      I find that when it’s legit a consistent thing happens, which smells of careful training: they instruct me to call the number on the back of the card, or on a bill.

      • TOMDM a day ago

        Obvious next step to me is malicious bills sent to an address

    • skygazer a day ago

      It's interesting how easily Google results rankings are manipulated by bad actors, and how unvetted the scams are in paid adverts on and through Google. The web is untrustworthy, and Google transparently passes it to users. We'd probably be better off if Yahoo's quaint curated list of sites had won out.

      • mschuster91 a day ago

        > It's interesting how easily Google results rankings are manipulated by bad actors, and how unvetted the scams are in paid adverts on and through Google.

        Well, SEO, I get that this kind of gaming is hard to prevent, not at Google's scale.

        But the AdWords scams? Or all the other fake ad scams, chumboxes and god knows what? The complete lack of audits around something that actually causes money to change hands should be outright banned.

        At the high end of ads, think large brand TV spots, you got entire teams of lawyers involved to make sure licensing, actor releases, technical details, corporate identity and a myriad of other things are taken care of.

        But at the low end? Some rando from St Petersburg can post an ad for a book "uncovering Western lies about NATO expansion", some Indian can post an ad for "Norton Removal", some American an ad for a f2p game with content that clearly does not describe the actual gameplay or some Chinese can post an ad for penile enlargement pills - and none of the four will get even one human eye on the ad before the campaign goes live and the ads are displayed to actual users, even though all four either violate Western laws outright or are at least banned by the providers/networks.

        And the problem isn't just limited to Google, Youtube, AdWords, Unity Ads [1], Taboola [2], Outbrain [3], Facebook/Insta [4] - it's everywhere, the entire low range of ads is infested to the core. Self-service ad platforms should be shut down, period - the industry has shown that "self regulation" doesn't work.

        [1] https://discussions.unity.com/t/does-anyone-screen-these-ads...

        [2] https://www.vice.com/en/article/taboolas-content-chum-boxes-...

        [3] https://www.skeptic.org.uk/2021/01/the-outbrain-drain-why-ne...

        [4] https://www.vice.com/en/article/instagram-and-facebook-are-o...

        • eek2121 a day ago

          Yes, and that same lack of lawyers/friction is what also allows legitimate small businesses to thrive. I've worked for many, and out of those many, none of them had lawyers involved at all.

          It is all about balance. Google could do more here, however the answer is not as obvious as you might think. Especially in an age where identities get stolen often and the lag time on catching said fraud is quite long.

          The issue is that the entities mentioned are doing...nothing at all. Not even basic MANUAL identity checks and payment checks. Automated checks work very well until they don't.

          • mschuster91 a day ago

            > Google could do more here, however the answer is not as obvious as you might think.

            Oh it is. A basic background check alone done by an actual human to see if the business is actually real, let's say this costs Google 1h @ 40 dollars plus 20 dollars for credit bureau fees. Google can offload that cost to the advertiser - even for a small cookie store, that's hardly an expense.

            And after that, vet the campaign material for each asset. When you have 200 dollars in ad spend (which isn't much), 10 dollars should go pretty far in having a human see if the "pizza store" didn't just place an ad for penile enlargement.

            > Automated checks work very well until they don't.

            The key thing is, the entire ad industry is amoral. No one cares about fraud or brand reputation any more, not when you see chumbox ads on "reputable" newspapers. So everyone seems to think "why should I leave a few dollars on the table?".

    • avidiax 16 hours ago

      Yes, especially do not google the number that you were given on the phone. That is completely certain to turn up the scammer's official looking page and "confirm" the phone number.

      I have seen Microsoft support forum articles that list the "Facebook official phone number". The fact that it's not from Facebook doesn't make it less authoritative in a panicked person's mind.

      Google, Meta, Microsoft, and Apple really must start publishing an "official phone number". It is perfectly OK that this phone number just plays a repeating message saying that the user should browse google.com/phone. That website can explain that there is no phone support offered, and provide a bunch of links for common scamming hooks that leads to anti-phishing material.

    • gblargg 19 hours ago

      This happened to me once. I was calling Amazon and did a Google search on mobile. I called the big number that was at the top of search results. After I had given my account email, but nothing critical, I started becoming wary of the questions I was asked because they weren't relevant. I hung up and searched again and the result did not come up again, and Amazon's number was totally different. I looked up the number I called and it didn't find any results. So I'm guessing an ad scam. I definitely don't trust Google results with featured answers for things like that anymore.

    • klik99 a day ago

      Good to know.

      The guy who called me on friday felt like a targeted attack, I've been getting a TON of pokes at trying to reset my google password. It really made me feel like there's less and less you can trust online. Scammers are winning the arms race, and have the resources to create really good looking pages.

    • kevin_thibedeau a day ago

      They also typosquat support numbers for people who misread them or assume things like toll-free is always 800 when it can be other area codes. Just because someone answers, don't give them enough PII to use your identity elsewhere.

  • glxxyz 18 hours ago

    > if someone is calling from a legit number on caller id it means NOTHING

    I had to tell my bank this once a few years ago, when they called me up and then expected me to give them personal information to confirm my identity.

  • beeflet a day ago

    > official phone number

    Great idea unless the attacker has SS7 access.

    • klik99 a day ago

      Yeah, if you're a high profile target then you need extra layers of security, but for regular folks that one weird trick is enough to make you just enough of an annoyance to make another target preferred.

      But in a world with Pegasus, and telecoms in smaller vacation countries selling off SS7, etc, etc - if someone good really wants to target you normal security protocols aren't going to cut it.

      • beeflet a day ago

        I imagine it will be like SIM swapping attacks where attackers will pool all their money together, gain temporary SS7 access and conduct a ton of attacks in a short window of time. Reducing the per-attack cost.

        The phone network is just not a secure channel for any sort of communication

        • kevin_thibedeau a day ago

          They currently lease temporary access to specific numbers from crooked middlemen for the weak claim that they're not "buying" the numbers.

    • wil421 12 hours ago

      Explain how SS7 access can allow someone to intercept my call back to an official number like Bank of America or a number on a Fidelity 401k support page.

  • Braxton1980 a day ago

    How can he spoof an email address without Gmail or the like flagging it? I'm not talking about the common name but the actual email address.

    • stavros a day ago

      That's what I'm curious about too. DMARC should make that impossible.

      • hedora 21 hours ago

        The last I heard, Google relied on spam filters for this.

        Supposedly, people have been fired after being falsely accused of harassment. The scam works as follows:

        Send a message to bob@gappsdomain.com and notavictim at the same domain. Arrange for the headers to be “from” bob. Now, notavictim reports Bob to HR. If the google admin is competent, they look at the headers, and note that Bob didn’t send the email. (Not sure if they catch the offender or not.)

        If they’re incompetent, they see the message in Bob’s from box, and recommend he be fired.

        This is a feature that enables dubious workflows, where Bob configures spam bots to bother his coworkers, but wants those messages to be auto filed in his sent box.

        I didn’t think it worked when spoofing unrelated domains like Google though. That’s just dumb. Maybe the attacker had the author’s IMAP gateway password and moved the message into the inbox?

        • calmworm 20 hours ago

          Google spam filters are terrible because they filter way too much legitimate email. I have been a paying business Gmail user for years, all DMARC, DKIM, etc… in place. My messages still go into client Gmail spam folders. It’s extremely infuriating. Google knows I’m not sending spam. They can’t deliver my email properly to their own inboxes? Nonsense.
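The DMARC question stavros raises and the forged-From scenario hedora describes come down to one check a receiving side can run: does the domain in the visible From: header align with a domain that actually passed DKIM or SPF? The Python below is an added example, not code from this thread or from Google. It reads the Authentication-Results header that the receiver's own MTA stamps on a message (the authserv-id "mx.example.com" and both sample messages are constructed for the example) and reports whether the From: domain is backed by an aligned pass. A crude last-two-labels rule stands in for the Public Suffix List when computing the organizational domain.

```python
# Added example (not from the thread): DMARC-style identifier-alignment check
# on a received message. Trusts only the Authentication-Results header stamped
# by our own MTA, identified by AUTHSERV_ID (an assumed hostname).
import email
import re
from email import policy
from email.utils import parseaddr

AUTHSERV_ID = "mx.example.com"  # assumed authserv-id of the receiving MTA


def org_domain(domain):
    # Approximation of the organizational domain (last two labels). Production
    # code should use the Public Suffix List so co.uk-style suffixes work.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(d1, d2, strict=False):
    # Relaxed alignment (the DMARC default) compares organizational domains;
    # strict alignment requires an exact match.
    if not d1 or not d2:
        return False
    return d1.lower() == d2.lower() if strict else org_domain(d1) == org_domain(d2)


def trusted_auth_results(msg):
    """Yield (method, result, props) from Authentication-Results headers whose
    authserv-id is ours. Headers added by other hosts (or by the sender) are
    ignored, since anyone can write 'dkim=pass' into a header they control."""
    for raw in msg.get_all("Authentication-Results", []):
        value = " ".join(str(raw).split())  # unfold and normalise whitespace
        authserv, _, rest = value.partition(";")
        if not authserv or authserv.split()[0].lower() != AUTHSERV_ID:
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
            if not m:
                continue
            method, result, tail = m.group(1).lower(), m.group(2).lower(), m.group(3)
            props = dict(re.findall(r"(\w+\.\w+)=([^\s()]+)", tail))
            yield method, result, props


def check_from_alignment(raw_message):
    """Return whether the header From: domain is backed by an aligned DKIM or
    SPF pass, and which mechanism provided it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2]
    verdict = {"from_domain": from_domain or None, "aligned": False, "via": None}
    if not from_domain:
        return verdict
    for method, result, props in trusted_auth_results(msg):
        if result != "pass":
            continue
        if method == "dkim" and aligned(props.get("header.d"), from_domain):
            verdict.update(aligned=True, via="dkim")
            return verdict
        if method == "spf":
            mfrom_domain = props.get("smtp.mailfrom", "").rpartition("@")[2]
            if aligned(mfrom_domain, from_domain):
                verdict.update(aligned=True, via="spf")
                return verdict
    return verdict


# Constructed sample 1: the forgery described in the thread. The visible From:
# is bob@gappsdomain.com; the attacker prepends a fake Authentication-Results
# claiming a DKIM pass, but our own MTA saw SPF pass only for the attacker's
# bounce domain and no DKIM signature for gappsdomain.com.
SPOOFED_MESSAGE = "\n".join([
    "Authentication-Results: mail.attacker.example; dkim=pass header.d=gappsdomain.com",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@bulk-sender.example; dkim=none",
    "From: Bob <bob@gappsdomain.com>",
    "To: notavictim@gappsdomain.com",
    "Subject: You know what you did",
    "",
    "Meet me in HR.",
])

# Constructed sample 2: a genuine message, DKIM-signed with d=gappsdomain.com
# and verified by our own MTA.
LEGIT_MESSAGE = "\n".join([
    "Authentication-Results: mx.example.com; dkim=pass header.d=gappsdomain.com header.s=google; spf=pass smtp.mailfrom=bob@gappsdomain.com",
    "From: Bob <bob@gappsdomain.com>",
    "To: notavictim@gappsdomain.com",
    "Subject: Lunch?",
    "",
    "Noon works for me.",
])

if __name__ == "__main__":
    print("spoofed:", check_from_alignment(SPOOFED_MESSAGE))
    print("legit:  ", check_from_alignment(LEGIT_MESSAGE))
```

Only the Authentication-Results header written by your own receiving MTA is consulted; a copy the sender prepends claiming dkim=pass is skipped, which is why an admin looking at the raw headers (as hedora suggests) can tell that Bob did not send the message. Whether such a message lands in the inbox at all is then a matter of the receiver's DMARC policy enforcement, which this check does not replace.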

  • 8cvor6j844qw_d6 a day ago

    > if someone is calling from a legit number on caller id it means NOTHING. You have to call back to a legit number to be sure it's real.

    This reminds me of one time where I got a call from a number I don't know, got yelled at something about spamming calls. Yelling includes threats about getting reported to police or whatever, which was confusing since I never had any history with this number.

    I suspect my number was spoofed. I'm not sure if there's any defense against that.

    Now my default is to ignore any unknown numbers.

  • mihaaly a day ago

    I have no time and energy for the level of paranoia present web services REQUIRE. I started to cut back. One of the first: not accepting Terms and Conditions for a site my company delegated for the sole purpose of delivering my payslips (probably some others too, but marginal compared to this). I'd need to revisit the details to tell what was that exactly, but some sort of sharing some of my data with third party (subcontractor) thing. It is a recent development, I will see how it flies with my organization, but I'd be surprised if I could be forced to accept T&C just for receiving payslips. We have 2 other admin accounts for reporting time, absence, no more for me with some arbitrary service provider, thanks. (in the previous job of mine our absence tracking system sent me incentivised ads in the dashboard to attract others to their platform and some sort of weird discount system if I buy things here or there, quite repelling)

  • doctorpangloss a day ago

    I don't know. Google could solve this all in an afternoon. It controls e-mail delivery, it is the e-mail delivery monopoly. Why deliver these e-mails? It just shouldn't.

    But because Google delivers spam from senders who spend a lot on Google ads; and e-mail traffic gets laundered into web ads traffic; they just can't do it. And because Superhuman charges more than $0, it can't do it either. Nobody can fix e-mail. If you can't see how phishing and Google Ads are related... you know, this is why it is hard to "just" pass a law. It's not because the law wouldn't fix the problem. It would, if you permit the status quo where Google is the e-mail monopoly. It's this whole A16Z "just pass a law" nonsense, where someone thought he was saying something really insightful because he didn't like Jon Stewart, getting in the way of my inbox zero, and simply never receiving non-personal e-mails at all.

sroussey a day ago

A few reminders bear repeating:

— no support group from a big company is going to call you. Ever.

— never give out codes sent to you via SMS or push notifications to someone requesting them via phone or email. Never. The messages often even say that!

— Don’t put all your private info behind one password, so don’t use Google Authenticator backed by your Google Account as your password manager. Always use a third party like 1Password or similar.

— Don’t have the same email you use for banking and investments be the email that the world knows. Create a new email for that. If you use Chrome, even use a separate profile with that email, and only have your password manager as an extension. No others.

  • fxtentacle a day ago

    Except that a few weeks ago, I got a phone call

    - from a number with no results on Kagi search

    - claiming to be the online banking support of my bank

    - asking me to read them a code sent to me via SMS

    and when I refused to do that, they blocked my login credentials for online banking and sent me a sternly worded (paper) letter that my account could not be upgraded automatically for their software system migration because I had refused to engage with their support agent.

    I then had to create a new login in their app, call the phone number on their letter and read that guy the SMS code and, to my surprise, that was the only !!! authentication needed to activate the new login credentials that I had just created.

    (BTW, this was one of the top 100 largest banks worldwide)

    It's almost like some companies are training you to fall for scams.

    EDIT: This specific instance was Deutsche, but Chase has the exact same horrible habit of calling and then asking for an OTP code.

    • apparent a day ago

      I've gotten calls from my bank before, where they tried to get me to authenticate after I answered the phone. I said "look, you called me, I'd be crazy to just answer the phone and give out personal info." They refused to provide any info that I could have used to validate that they were legit (like telling me something about my account number, when my account was created, etc.). They said I had to authenticate with them before they would tell me anything.

      Sometimes the rep is understanding, and acknowledges that he would have the same reaction, but other times it's like they don't realize they're asking their customers to do something Very Stupid™.

      • red369 a day ago

        Over a decade ago, I worked in a bank call centre, first as one of the people who would occasionally make those outbound calls and have those crazy conversations, and then later in their customer experience team. It was well known that those outbound calls to customers were a mess, but it was thought of as tricky to fix. The dilemma was that the risk department felt they needed to identify people, but not only were those people often hesitant to provide any info, we wanted them to be - for everyone else who called them, but not for us.

        It was also difficult that when people asked whether they could call back, we encouraged them to, but couldn't guarantee they'd then speak to the same person. They'd need to just talk to whoever they got. That was usually enough to put the person off and they would just take the risk (unfortunately).

        Edit: Just wanted to add that I personally didn't want the people to make an exception to their unknown caller scepticism. Perhaps this bugged me more than others, but I would strongly encourage them to call back, and then do my best to get the call-back transferred to me. For that and many other reasons which I like to think of as preferring quality over quantity, my stats were as bad as you'd imagine!

        When that bank did really try to tackle this issue, they quickly realised that there was more than one level of risk, and for the vast majority of the calls, we could get by with very little of that customer verification process - basically just that we had called them on a number they had provided, and they stated their name (which I think was more as a recorded verification that they were at least stating they were the correct person). For the much smaller number of outbound calls with more risk, we could then ask the person to call back. Once the risk peeps were on board, it was vastly improved fairly easily.

        I'm not in that space at all now, but it seems far easier than it was back then. A few banks I'm a customer of send notifications right into the online banking app, which the customer approves, confirming that they at least have access to that. I don't know what they do if you don't have the app installed. I do find it a little sad that it is yet another thing pushing you to need a smartphone (and to install yet another app). On the other hand, I think all of those banks require me to have the app to use as an authentication token to do any kind of online banking even on a desktop browser, so if you're going to do that, may as well take advantage of it everywhere.

      • ww520 21 hours ago

        It happened with Schwab. I've enabled option trading in one of my accounts and got a call from Schwab, asking to authenticate me. I told them I couldn't trust it's a legit call; give me a number and case number and I'd call back.

        • kevin_thibedeau 20 hours ago

          It gets fun being on a 3-way call with bank M, talking to a Schwab rep for verification and trying to explain why Schwab uses a Chase account number.

      • jagged-chisel a day ago

        > … I had to authenticate with them before they would tell me anything.

        Sensible. But this whole “we called you now prove to us who you are” mess is stupid.

        “Hey, this is Carol from Le Bank. Please just give us a call back at our main number found in the app or on our website. Then you can reach me directly at extension 123.”

    • gcr a day ago

      Which bank was this? Please name them so I can avoid doing business

      • fxtentacle a day ago

        https://www.deutsche-bank.de/ub/kontakt-und-service/service/...

        "New online banking and new app

        From 25 August 2025, you will benefit from the upgrade for online banking and Deutsche Bank app.

        [..]

        From 25 August, you will be able to simply reset your PIN yourself.

        [..]

        after logging in, you can also see accounts for which you are an authorised signatory."

        But out of fairness, let me just mention that Chase behaves the same way. I think all of them just don't really care about small- and medium-sized businesses.

      • anonymousiam a day ago

        I've had this same issue with BECU (Boeing Employee's Federal Credit Union). They're a really good financial institution, but like many, they suffer from nearsightedness. They know that they're "the good guys", so they feel that it's unnecessary for them to properly authenticate themselves to you. So it's asymmetrical security and asymmetrical trust.

        The worst part of this (for BECU) is that they've been warning their customers about phishing attacks from entities claiming to be BECU.

    • zeven7 4 hours ago

      At my (very large) bank, they have asked me to read them a code from text that literally said "Do not share this code with anyone over the phone" in the text message next to the code. I'm 100% sure it was my bank asking for the code. I called them from a number I found on their site over HTTPS and verified from another source, they knew my account information. I gave it to them while telling them they need to fix this. This was a few years ago. Nothing bad ever happened. Just bad security practices.

    • dec0dedab0de a day ago

      My old insurance company (Cigna) used to call me and demand information to verify it was me. I eventually figured out it was a thing to try to convince me into getting cheaper cancer treatment so they could save money.

    • rightbyte a day ago

      Ye. I called my bank to unblock my Mastercard after they blocked it due to Blizzard charging 10 USD or something for StarCraft. I just told them my name and they unblocked it.

      On another occasion the bank called me regarding my house insurance and asked me to identify myself with their dongle.

      Like, it is a wonder I have any money at all in my account. But then again, giving away plastic cards with a magic number on them that you gave to strangers for them to withdraw an amount of their choosing from your account was the norm for decades ...

      Maybe the wisdom is "Security through no security"?

    • jlarocco a day ago

      I know Wells Fargo gets a bad rap (and rightly so) for some of their behavior, but IME they've always had their stuff together with online access and banking.

    • brewdad 5 hours ago

      I had to call Chase about an issue with my credit card. I called them and knew I was talking to a legit agent. At least as sure as one can ever be. Still, at one point she asked me to read back the code she texted me. I started to do so then stopped. I explained that the text she sent me specifically states "We will never ask you for this number (over the phone)". I refused to read it back since it violated their own stated policy.

      She had to do some additional work to resolve my issue but it did get fixed.

    • john_the_writer 12 hours ago

      My local medical clinic sent me an SMS with a link, asking me to change my medical info. I called them to point out how they were training their patients to fall for SMS scams.

    • thrtythreeforty 21 hours ago

      I mean just get a new bank at that point. They're telegraphing that they're gonna cause you more inconvenience in the future.

    • mandeepj a day ago

      At least, you took the right steps. However, they were stupid to begin with.

    • joshuamorton a day ago

      Yes, I've also had Wells Fargo require me to read codes that were emailed back to them, and while this was mitigated by me calling them, it sketched me out every time I had to do it.

    • UltraSane a day ago

      They should really send the code in a letter.

    • andy99 a day ago

      The bank's policies and those like it are the root cause of these scams. There are countless things like this where real "legit" behavior is completely indistinguishable or sometimes even worse than scams.

      There will always be people that are "wallet inspector" stupid that you can't really shield from scams. But common sense practices and consistent messaging would solve a lot of the problem. There needs to be better accountability for companies that have these insecure practices. The same way they'd be held accountable for a data breach. Oh, wait...

    • mvdtnz 13 hours ago

      Change banks.

    • tartoran a day ago

      Can you name the bank?

    • carlosjobim a day ago

      They treat you as you deserved to be treated: As a serf. You let them stomp all over you and still come crawling back to plead with them to let you bank with them. Even though there's hundreds of banks you can switch to.

      If anything even remotely similar happened to me, I'll instantly close all accounts and move my business to another bank.

      • ryandrake a day ago

        Same. Find a different bank not full of morons. It's not like there's a shortage of banks out there.

  • LeafItAlone an hour ago

    >never give out codes sent to use via sms or push notifications to someone requesting them via phone or email. Never. The messages often even say that!

    Some services even say that when they are indeed codes you are _supposed_ to read back to them. Which clearly helps further train people to ignore that language.

  • ApolloFortyNine a day ago

    Google support actually did ask me for that code when I had them disable energy savings on my nest thermostat. (it's insane that this had to be done through support, it's the setting where the power company can essentially control your thermostat in exchange for savings)

    To their credit/discredit, when I said no I'm not giving that out it says not to they just moved on. Not sure why they even asked then.

    • fvgvkujdfbllo a day ago

      Yes, it is so easy to enable this setting, they even keep sending us notifications to enable it. But once enabled, it is impossible to disable it.

      It is a setting that lets your power company change your temperature settings when the grid is under load. We wouldn’t mind it but they turned our heat way down during one freezing night while we were sleeping. Everyone woke up cold the next day.

      • dragonwriter a day ago

        The asymmetry in activating/deactivating may be because power companies discount rates (don't know if it is automatic or you have to contact the provider) for people with that setting active, and removing it disqualifies you from the discount, so there is at least potentially an asymmetrical financial impact of toggling it one way vs the other.

  • MrDarcy a day ago

    > — no support group from a big company is going to call you. Ever

    > - never give out codes sent to use via sms or push notifications to someone requesting them via phone or email. Never. The messages often even say that.

    Chase bank still, as of last week, asks for these codes over inbound calls. Drives me mad. They do so when calling me about fraud alerts, not the other way around.

    • bdangubic a day ago

      NEVER answer - like NEVER :) absolutely NEVER answer... calls or text... it is really simple. I also have Chase and I have blocked just about every single number they called me from (probably like 12 over the last decade)

    • schneems a day ago

      You can hang up and call the number on the back of your card

      • gennarro a day ago

        100% this. Do it every time.

    • kevin_thibedeau a day ago

      If you initiated the call (to the correct number) then SMS verification has a low likelihood of being a scam.

  • krashidov a day ago

    My phone is set to Do Not Disturb by default. Only 5 numbers can reach me directly and ring, and that is immediate family only. I never answer calls from unsaved numbers. If they really need to reach me they can leave a voicemail.

    When you answer a call your brain kinda loses its ability to step back and think. Almost like the same trick that those people who ask for directions and steal your watch do.

    Security is not the main reason I do this but it has been nice knowing I can't be reached directly by scammers and hackers.

    • everybodyknows 7 hours ago

      Doesn't any legit caller always leave a message? That way, you can think through the security issue before responding.

    • anal_reactor a day ago

      I stopped answering unknown numbers because everything that's important comes via email anyway. But a friend of mine has a job that requires them to answer calls from weird numbers, so it's tough.

  • gpt5 a day ago

    > never give out codes sent to use via sms or push notifications to someone requesting them via phone

    Unfortunately, some call centers DO use that for verification in some cases (i.e. you call them, and they send you a code to your email/phone that you read back).

    • sroussey a day ago

      I’ve personally never had that happen. It should go on a name and shame list.

      • jasode a day ago

        >I’ve personally never had that happen. It should go on a name and shame list

        The key situation for giving out an SMS code that the gp is pointing out is the customer initiates the call to the support center.

        For example, suppose somebody wants to add a credit-card to their smartphone digital wallet. They have to call the bank issuing their credit-card to do that. Once the customer support person answers the call, a common security verification (e.g. Chase Bank does this) is for them to send you a 6 digit code to your phone. You then repeat this code back to the support person on the call. They want proof of your identity and also proof that you physically have the smartphone with you. Repeating the SMS code to the customer support person is safe because the customer called the official 1-800 number on the back of their card.

        That's a totally different sequence of steps from receiving a random call from somebody claiming they are from Chase Bank. Yes, in those cases, you never give out SMS codes to that untrusted person on the phone.

        • NikolaNovak a day ago

          I agree with everything you said.

          Note, however, that those are two "totally different sequences of steps" to you and me, and "completely analogous / equivalent sequences of steps" to my father in law :-/

        • vehementi a day ago

          Justifiable in a vacuum, but the end result is grandma knows "sometimes it's OK to give the code to the person on the phone"

          • Ajedi32 a day ago

            How else are you supposed to do identity verification over the phone?

            I think if the war against phishing online has taught us anything, it's that humans can't be trusted to not reveal secrets to scammers. Only machine-to-machine public key authentication (like TLS or WebAuthn or U2F) is truly phish-proof.

          • cced a day ago

            They should have users receive the code and then submit said code into the application for verification, with clear instructions that this code is produced as a result of a support call, and to confirm you are on an existing call when submitting the code.

            Doing so would not force users to divulge codes over the phone, and enable support staff to verify identity all without training users that reading codes over the phone is acceptable.

            Thoughts on that?

            • Ajedi32 a day ago

              Still not foolproof. Attacker can MITM the connection by initiating their own call to the real support line and relaying instructions between the user and support.

        • dpifke a day ago

          The signin 2SV SMS verbiage used by Chase is: "Chase: DON'T share. Use code 12345678 to confirm you're signing in. We'll NEVER call to ask for this code. Call us if you didn't request it."

          I assume in the case where the customer initiates the call and support is verifying their identity via SMS, they use different text (i.e. not "to confirm you're signing in"). Otherwise, that'd be pretty ridiculous.

          • eep_social a day ago

            found today’s optimist, congrats you win one warm fuzzy feeling.

            the verbiage is the same.

            • ameliaquining 18 hours ago

              I think I at one point ran into this with Chase and the verbiage was not the same. Are you speaking from experience?

      • UncleMeat a day ago

        Chase did this to me. A million alarm bells but even after hanging up and restarting the conversation from a phone number publicly listed on their website as a support contact they still did it. Wild.

      • rscrawfo a day ago

        Fidelity does as well, although the message switches to state only read the code if you've called them directly.

      • adrr a day ago

        My bank does it. Chase will send OTP via the bank app to verify your identity for phone support.

      • clysm a day ago

        Chase bank…

      • scrollaway a day ago

        Stripe Support does it for certain specific cases (email & phone). However, whenever they do it, it's a bilateral code generation: The support agent also gets a code they have to read out to the end user, which is featured prominently to them, saying the agent will have to read it out to get authenticated.
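
The two ideas above, cced's proposal that the customer submits the code in the app instead of speaking it, and the bilateral code scrollaway describes where the agent reads a code to the customer, can be put together in one flow. The following is an added example of mine, not code from the thread and not any company's implementation; the session store, the two six-digit codes, the 300-second TTL and the status strings are all constructed for illustration.

```python
"""Support-call verification where the customer never reads a code aloud.

Constructed example: the agent console and the customer app share one
server-side session. The agent reads agent_code TO the customer (so the
customer can compare it with what the app shows); the customer enters
customer_code in the app only while confirming an active call they placed.
"""
import hmac
import secrets
import time

SESSION_TTL = 300  # seconds a session stays submittable; constructed value


class SupportVerifier:
    """Server-side state shared by the agent console and the customer app."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable for tests
        self._sessions = {}        # session_id -> session state

    def start_session(self, account_id: str, call_id: str) -> str:
        """Agent side: open a session for the call the customer placed.
        Two independent random codes: one the agent reads out, one the
        customer submits in-app. The agent never sees the customer's code."""
        session_id = secrets.token_urlsafe(8)
        self._sessions[session_id] = {
            "account": account_id,
            "call": call_id,
            "agent_code": f"{secrets.randbelow(10 ** 6):06d}",
            "customer_code": f"{secrets.randbelow(10 ** 6):06d}",
            "created": self._clock(),
            "used": False,
            "status": "pending",
        }
        return session_id

    def agent_view(self, session_id: str) -> str:
        """What the agent console shows: the code the agent reads out."""
        return self._sessions[session_id]["agent_code"]

    def agent_status(self, session_id: str) -> str:
        """'pending' until the customer has submitted in-app, then 'verified'."""
        return self._sessions[session_id]["status"]

    def customer_view(self, session_id: str, account_id: str):
        """What the logged-in app (or its push notification) shows the
        customer. None if the session does not belong to this account."""
        s = self._sessions.get(session_id)
        if s is None or s["account"] != account_id:
            return None
        return {
            "agent_code": s["agent_code"],
            "customer_code": s["customer_code"],
            "instructions": (
                f"Proceed only if the agent on a call YOU placed reads you "
                f"code {s['agent_code']}. Never say your own code aloud; "
                "enter it here."
            ),
        }

    def submit(self, session_id: str, account_id: str, code: str,
               confirms_on_call: bool):
        """Customer side: submit the code in-app. Returns (ok, reason).
        Single use, bound to the account, and expires with the session."""
        s = self._sessions.get(session_id)
        if s is None or s["account"] != account_id:
            return False, "no such session for this account"
        if s["used"]:
            return False, "code already used"
        if self._clock() - s["created"] > SESSION_TTL:
            return False, "session expired"
        if not confirms_on_call:
            return False, "customer did not confirm active call"
        if not hmac.compare_digest(code, s["customer_code"]):
            return False, "code mismatch"
        s["used"] = True
        s["status"] = "verified"
        return True, "verified"


if __name__ == "__main__":
    v = SupportVerifier()
    sid = v.start_session("acct-42", "call-7")
    view = v.customer_view(sid, "acct-42")
    print("agent reads:", v.agent_view(sid))
    print("customer submits in-app:", v.submit(sid, "acct-42", view["customer_code"], True))
    print("agent console now shows:", v.agent_status(sid))
```

What this buys a defender is that the customer's code is never transmitted over the voice channel, so nothing in the flow teaches customers that reading codes to a caller is normal, and the code is single-use and short-lived. As Ajedi32 points out further down this thread, it does not by itself stop an attacker who relays a live call between the customer and the real support line; the "confirm you are on a call you placed" prompt is the only thing standing in the way of that, and it relies on the customer.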

      • delfinom a day ago

        A lot of credit unions using a certain call center / credit card provider use this exact authentication mechanism over the phone.

      • troc a day ago

        - godaddy

        • octo888 a day ago

          Who still uses GoDaddy LOL

          • koakuma-chan a day ago

            Small business owners

            • jay_kyburz a day ago

              Also me. Every 10 years my domains expire, and I can just pay a few hundred bucks again and forget about it, or I can do a bunch of work to move them somewhere and adjust A records and fuck around with stuff I don't remember and potentially have downtime.

              • UltraSane a day ago

                Use AWS Route53; it is so much better.

                • koakuma-chan a day ago

                  Better than CF?

                  • UltraSane 6 hours ago

                    If you mean cloudflare I have never used it.

                    • koakuma-chan 6 hours ago

                      Check it out, it's much easier to use and they don't charge any markup.

                      • UltraSane 6 hours ago

                        One thing I like about Route53 is how granular the permission can be. This lets you automate things more easily and securely.

                        • koakuma-chan 5 hours ago

                          Yeah AFAIK people use Route53 when, e.g., there is a need to automate making subdomains for customers and stuff like that.

                          • UltraSane 4 hours ago

                            IAM permissions are almost always a pain to get right but they can be so useful when you can create an API key with permissions to do only exactly what it needs to do.

  • IshKebab a day ago

    Yeah except I used to get legitimate calls from my bank's fraud department starting with "can you confirm your date of birth and address".

    Yeah, insane. I think it was HSBC. This was a couple of decades ago so maybe they've fixed that. I don't bank with them any more.

    • ajsnigrutin a day ago

      Yep.

      But over here our bank has also been sending out leaflets on how to avoid scams, and the top two are "if you need to call, call the number written on the back of the card" and "if you're not sure, come to the bank in person".

      Same thing I taught my parents, and my mom actually got a call about some "personal info they needed to verify", said she'll come to a bank in person, they said "ok", she went in person, and they actually needed to verify some data (some EU regulation, she hasn't visited a bank in years).

  • Loughla a day ago

    Google business support called me to close the loop on an issue I had with a business listing. It was from a very busy and loud call center, and was made by someone with a heavy accent.

    It's like they want us to get scammed?

  • odie5533 a day ago

    During a Tracfone support call I made recently, they sent a 2FA text to me. I said to the rep, "The text says 'Don't share this code with anyone.' Can I share it with you?" They laughed and said yes. It was completely legit as I had called Tracfone for some service changes.

    So some of these systems are very poorly designed.

  • ctennis1 a day ago

    I'm in the midst of a transfer of enterprise account ownership with Apple, and I can assure you, the only way to complete it is to wait for a phone call from Apple Support from 1-512-884-5022. You can call this number back and verify it is indeed Apple Support and get notified it does not accept inbound calls, only outbound.

  • traceroute66 a day ago

    > Always use a third party like 1Password or similar.

    Or even better, don't rely on a third-party hosted service.

    I've been a Codebook[1] user since the old-days when they used to call it Strip.

    They are old-school, local-system storage. With sync/backup done how you like it (all three encrypted before it leaves your computer):

        - Dropbox
        - Google Drive
        - Local folder (which you can then sync with using your own mechanism)
        - Recently (only this year) they introduced a totally optional hosted subscription cloud-sync option for those who want it

    [1] https://www.zetetic.net/codebook/

    • lokar 20 hours ago

      The backup of a TOTP is just the seed, right? Print it out and keep it with your other sensitive papers

    • no_wizard a day ago

      There’s something to be said for the setup and largely forget it nature of 1Password

      There’s good reasons to use it over self managed solutions, just like there are other good reasons to use a self managed system like this.

      Neither should be strictly dictated as better without first ascertaining what the user is looking for

  • 827a a day ago

    Honestly if someone from Google Support calls me, my immediate response would be: "Google... Support? Now there's two words I've never heard in the same sentence before."

  • zamadatix a day ago

    The danger with stating this in terms of absolutes like:

    > no support group from a big company is going to call you. Ever.

    Is, eventually, you probably will get a call from a support group at a big company, as many have noted in response, and then all of the other absolutes in the list also become "well, people say never, but I think this is one of those exceptions" instead of "it's never worth taking the risk of assuming it's the company who really called you".

    A company, even a big one people joke about having a complete lack of actual human support agents, may really call you one day. The other 364 days of the year it's probably a scam. The safe bet is to take the issue they called about and contact the official support channel yourself (being careful to get a real one and not an ad/fake site if you need to Google it). It may not always seem the most convenient, but it only takes one mistake to end up in a much more inconvenient place one day.

  • sowbug a day ago

    Has anyone invented something like the TLS three-way handshake, or a U2F challenge, that can use spoken words as a transport layer? People could then be "safely" tricked into reading back "correct-horse-battery-staple" or whatever, because they actually wouldn't have the ability to generate a usable sequence unless the attacker first provided something that only the real site owner could provide.

    I'm imagining something with the non-phishability of U2F but the usability of an SMS 6-digit code. Maybe that's U2F.

  • mandeepj a day ago

    Include SPAM call blocker in that list! Notably, both iOS and Android have that feature. Never pick the first call from an unknown number! If it's urgent and they are genuine, they'd leave either a voicemail or a text.

  • speeder a day ago

    I used to manage the Google Ads account of a business I had in the past.

    Google Support would call me all the time, and then first thing they would do is ask me to open the interface and repeat some code or another.

  • klik99 a day ago

    I am a big fan of keepass which I sync with dropbox, good apps exist for iphone/android/mac/windows/linux. But I don't know if that's more secure than a password provider like 1password. At least not fitting into the typical profile, and being able to control the data, open source code, and offline access feels like the optimal way for me.

  • cmurf a day ago

    AMEX fraud support group called me. A real live agent.

    Capital One texts codes during live calls and requests the customer read the code to them.

    A health care provider sends emails with links to 3rd party domain to provide encrypted email, because a) regular email isn’t supposedly not HIPAA compliant and b) apparently the health care provider’s web and app infrastructure which provides secure messaging is not secure enough for certain messages. It’s indistinguishable from a phishing attack.

    Hospital direct invoicing by email, also includes 3rd party links, which takes the user to a site asking for personal information including SSN. It’s certainly phishing. Right? Nope, it’s legit, and no option to get a mailed bill once volunteering an email address.

    I think half of mobile device users don’t know or can’t handle a best practices workflow.

    The reality is the tech industry sucks, it’s bad at its job, gives shitty advice to everyone then goes and violates all of it leading to loss of trust.

    • reaperducer a day ago

      regular email isn’t supposedly not HIPAA compliant

      It isn't.

      I work in healthcare, and if anyone in the company sends an email with PHI or PII in it, we're supposed to alert the Security department, or lose our jobs.

  • ajross a day ago

    > — never give out codes sent to use via sms or push notifications to someone requesting them via phone or email. Never. The messages often even say that!

    I tried making this point downthread but it bears repeating higher up. Per OP, this was account with Authenticator enabled. If you have a working authenticator setup, they aren't going to "ask for a code", since by definition you're already authenticated. And while I'm no expert, I really don't think there is such a thing. Recovery for a lost account never goes back to device-in-hand once you have enabled full 2FA.

    Something is being skipped in the description of the phish here. I don't think OP is being completely honest.

    • davidscoville a day ago

      The code I read to them was a Google account recovery code. That’s how they accessed my Google account. I, mistakenly, believed they needed to confirm I was still alive and the rightful owner of the account.

      Then the attacker used Google SSO to perform the initial log in to my coinbase account. Then they opened Google Authenticator, signed in as me, to get the coinbase auth code so they could complete coinbase’s 2fac.

      • ajross 9 hours ago

        But... that's an email that would be sent to a non-gmail address, the one on file that you originally registered your account with. And while I don't have copies of the transactions in front of me, these things are not unclear as to their purpose or intent. They tell you straight up that they're resetting the authentication for the account and to be sure you are doing it intentionally. They're also accompanied by warnings that would be simultaneously sent to your active gmail address and to the Authenticator app.

        I really think you're reaching here trying to ascribe blame. You... just got phished.

LeonM a day ago

My best guess is that this attack was purely social engineering, and that no email spoofing actually happened. I think that the email message in question is actually a legit email from Google.

I'm not familiar with the formal account takeover process at Google, but my best guess is that the attacker simply requested an account takeover via the official Google process, which triggered this email to be sent by Google legitimately. By reading back the code in that email, the attacker was able to claim the Google account as theirs, thus access the Gmail inbox to reset the Coinbase password and access the authenticator backups from the Google Drive.

I would be very curious to see the original message headers of the email though.

  • freeplay 7 hours ago

    I don't think that email he posted from legal@google.com is legit.

    Look at the first sentence of the first paragraph and the first sentence in the second paragraph. Two grammar errors which are a dead giveaway it's fraudulent.

    > Thank you for your assistance and understanding during your recent support call, regarding a ficticious request aimed at accessing your Google account.

    Comma doesn't belong there and "fictitious" is misspelled.

    > To follow all guidelines of the internal review properly. Please keep a secure note with the temporary password which your support representative has provided to you.

    Out of place period. Should be a comma.

    Legit, canned emails like this (especially from legal@google.com) would be proofread much better than this. It's fake.

  • furyofantares a day ago

    Yeah, that part doesn't add up. If the email was sent by the attacker, why did it have a code he needed to give the attacker?

    • davidscoville a day ago

      Yes, at least two emails. One was the spoofed email from legal@google.com (which sadly convinced me this was legit) and the other was a Google recovery code email.

      The spoofed email was deleted by the attacker, but I have a copy because I forwarded the email to phishing@google.com (something ChatGPT told me to do). The attacker then deleted the original but when I got my account back an hour later, Google bounced back the email. So that is the copy I have and the headers are not super helpful.

    • wmf a day ago

      I think the attacker asked him to read an SMS code.

  • Beijinger a day ago

    "reset the Coinbase"

    You must be insane to use gmail for anything like banking, crypto, domains.

    I lost access to my gmail account. I know the PW but I can't access the 2 factor authentication anymore.

    • kevin_thibedeau 20 hours ago

      This is why 2FA isn't all it's cracked up to be. Strong passwords kept in your head are less brittle than managing something you can lose. If you have a real support channel (like employer IT) to deal with loss it's workable. Online services with no support are just asking for trouble.

      • TheDong 20 hours ago

        2FA can be all it's cracked up to be. A Yubikey you have to physically possess, and physically touch, to login to a site is completely immune to this.

        Yes, you need to buy hardware, yes you need 1 or more backup yubikeys in a bank safe somewhere in case your primary one breaks, but it is actually safe.

        Strong passwords in your head are bad because they're even more phish-able. Like, with FIDO2, my yubikey will not login to "fake-coinbase.com", the attacker cannot proxy the data they get from the yubikey. For 2FA TOTP codes and for passwords, a phishing page can just proxy through the stuff to the real coinbase and login (as happened in this attack).
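
The property TheDong describes here, and that sowbug asks about further up (a challenge-response that survives being spoken aloud), comes down to whether the thing the user hands over is bound to the party asking for it. An added example of mine, not code from the thread and not any vendor's implementation, shows the difference: a TOTP code (RFC 6238, implemented inline) depends only on the seed and the clock, so whoever receives it can forward it; a FIDO2-style assertion has the page origin signed in by the browser, so a relay from a look-alike site fails at the real server. Constructed assumptions: the relying party is "https://coinbase.example", the phishing page is "https://fake-coinbase.example", and an HMAC under a per-device key stands in for the authenticator's public-key signature.

```python
"""Relayed TOTP verifies; relayed origin-bound assertion does not."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://coinbase.example"       # constructed relying party
FAKE_ORIGIN = "https://fake-coinbase.example"  # constructed look-alike site


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. Nothing about the requester or the page
    the user is on enters the computation, only the seed and the time."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, timestamp: int) -> bool:
    return hmac.compare_digest(totp(secret, timestamp), code)


def authenticator_assert(device_key: bytes, challenge: str, origin: str) -> dict:
    """Simulated authenticator. The browser, not the user, supplies the origin
    of the page asking for the assertion, and that origin is part of what is
    signed (HMAC stands in for the real public-key signature)."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    digest = hashlib.sha256(client_data.encode()).digest()
    signature = hmac.new(device_key, digest, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def verify_assertion(device_key: bytes, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party check: the challenge it issued, its own origin, valid signature."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != REAL_ORIGIN or data.get("challenge") != expected_challenge:
        return False
    digest = hashlib.sha256(assertion["client_data"].encode()).digest()
    expected = hmac.new(device_key, digest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def simulate_relay(totp_seed: bytes, device_key: bytes, now: int) -> dict:
    """The victim interacts with the look-alike page (or a caller reading a
    script); everything is forwarded to the real service in real time."""
    # TOTP: the victim reads six digits off their app and types or says them;
    # the relay submits the same digits to the real service.
    relayed_code = totp(totp_seed, now)
    totp_relayed_accepted = verify_totp(totp_seed, relayed_code, now)

    # Origin-bound: the real service issues a challenge, the relay forwards it,
    # but the victim's browser is on FAKE_ORIGIN, so that is what gets signed.
    challenge = secrets.token_hex(16)
    relayed_assertion = authenticator_assert(device_key, challenge, FAKE_ORIGIN)
    assertion_relayed_accepted = verify_assertion(device_key, challenge, relayed_assertion)

    # Same device, same challenge, on the real site: accepted.
    direct_assertion = authenticator_assert(device_key, challenge, REAL_ORIGIN)
    assertion_direct_accepted = verify_assertion(device_key, challenge, direct_assertion)

    return {
        "totp_relayed_accepted": totp_relayed_accepted,
        "assertion_relayed_accepted": assertion_relayed_accepted,
        "assertion_direct_accepted": assertion_direct_accepted,
    }


if __name__ == "__main__":
    print(simulate_relay(b"constructed-totp-seed", b"constructed-device-key", 1_700_000_000))
```

This also answers sowbug's question about a spoken transport: a code a person can read out is, by construction, detached from the origin, because the person is the channel and cannot attest which site or caller is on the other end. The binding has to be done by software that knows the origin (the browser in WebAuthn), which is why the safe version of "read this code to the agent" is the in-app submission others propose in this thread, and even that only verifies possession, not who is on the line.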

    • digianarchist 19 hours ago

      1password + hardware keys - I am not a large target though and use crypto transactionally.

    • nixosbestos 16 hours ago

      I'd certainly be insane to take security advice from people who don't use password managers

      • nixosbestos 7 hours ago

        downvote all you want, this is third time in a month that basically "opsec" failure would've been prevented by a password manager that binds to domains, or passkeys. Both of which people regularly kvetch about here.

barbazoo a day ago

> Be skeptical of unknown calls. If something feels off, hang up and restart the conversation by contacting the company directly.

I wonder sometimes how many scams I've avoided simply by pretty much never answering my phone when someone calls unless I'm expecting a call or it's someone I know.

> The attacker already had access to my Gmail, Drive, Photos — and my Google Authenticator codes, because Google had cloud-synced my codes.

Ugh, google

  • arethuza a day ago

    I usually don't answer calls from numbers I don't recognise - but a couple of days back it was a scammer claiming to be from Amazon - said I had ordered an iPhone for £600 and was it a real order.

    I was pretty suspicious but thought I would get them to authenticate their identity as someone really from Amazon by telling me the last thing I had really ordered was...

    I must have stayed on the call for 20 minutes, eventually they ended up swearing at me - all the time I could hear other people in the same room trying the same lines on different people. I have no idea why I stayed on for so long....

    • unyttigfjelltol a day ago

      Even when you know it’s fake, the whole thing is very disconcerting. I received a scam call ostensibly from a local utility and filed an identity theft report with local police naming the utility as “victim”. The caller even told me where they (probably really) were. Police do nothing, scams continue until something breaks.

      • arethuza a day ago

        A few years back I got a call from a scammer selling a device that would help stop scam phone calls - that actually took me a while to realise it was a scam (this is like 15 years ago).

    • zamadatix a day ago

      Would (the actual) Amazon even agree to provide this kind of information over the phone to someone?

      • mmmlinux a day ago

        is talking to amazon on the phone at all even actually possible?

        • nebezb 20 hours ago

          Yes, and it’s the best way to get support too! They’re real helpful.

        • giantrobot a day ago

          That's the easiest way to spot a scam: "Hello this message is from Google customer service..."

    • galaxy_gas a day ago

      I get this kind of call about 5-15 times a day

      I do not answer calls

      • arethuza a day ago

        A lot of them phone me and ask for my wife by name "Can I speak to XYZ" - I usually reply "No" and end the call. Actually, for the last few calls I've not even been saying the "No".

        Maybe 3 or 4 of these a day <sigh>

        • tartoran a day ago

          You should not even respond to these. Responding gives them some valuable information about your phone number. Just junk it + report as spam.

          • galaxy_gas a day ago

            I wonder how this affects modern software stacks that have AI call screening, which will ask questions; you can automatically identify certain dimensions: the phone is active, the phone has a plan, the phone is a Pixel or iPhone with a specific minimum model and OS version?

            Then, because of this side-channel leak, they can further target future calls, such as one "from Google" about your problem with "your Pixel 9 or 10?"

  • crawftv a day ago

    The biggest red flag in all these stories is getting a call from a customer support person trying to help you. When it seems like it’s impossible to get ahold of them in a real emergency.

    • jfim a day ago

      I've actually gotten legitimate calls from the bank, although the correct way to handle those is to say that you won't give any information to them but you'll call them back.

      • kimixa a day ago

        When my account had a fraud alert they called me just to say I should call them back immediately on the number on the back of my card.

        I assumed this was normal.

      • lo_zamoyski a day ago

        Amazing they would call and request information, given how many institutions advise never to do that.

        What a shit show.

    • speckx a day ago

      I get legitimate calls from my health insurance company. When they call, they are not allowed to say the company they call from, it's a HIPAA thing. Once I say the name of the health insurance company, they will confirm it. It's weird, but it's the way it is now.

      • e40 9 hours ago

        My health insurance company asks for me by name (“is this …?”). And it’s to a number they know.

    • fkskammerz a day ago

      It doesn't seem to be a red flag. The caller was calling as an Attorney from Google General Counsel responding to an estate request. They followed up with a spoofed @google.com email with their name corroborating the call.

      • ghurtado a day ago

        You're missing the point.

        They're saying that the least likely part of the cover story is that Google would proactively reach out to you in order to help you personally with the service you are (most likely) paying zero dollars for, and assign one of their most expensive employees to the case.

  • golan a day ago

    As of late, I have one rule: any unknown number I'm not expecting, I let go to voicemail, where I have a message along the lines of: leave your message and your number, and if it's important I'll call you back. The only time I pick up is when I am expecting, say, a delivery, or a doctor's call, etc., and in those cases I'm only expecting to hear about a delivery or a doctor's call, etc. Hoping that can filter and help on this front.

  • paleotrope a day ago

    I have a 1-2 second rule. I pick up, I say hello, and if someone doesn't respond in 1-2 seconds, I hang up.

    They have the scammers working off phone queues, it takes a little bit of time to get the call to the scammer, who has to start off with a script, so there's a delay.

    Remember, the scammer, also likely not a native English speaker, also probably bored out of their mind, has to spin up: they have to read the name, understand how to say it and then say it out loud. There is a mental startup time that a normal conversation doesn't have.

    If someone calls you and isn't ready to immediately respond to "hello" it's a scammer.

    • zamadatix a day ago

      I try to avoid picking up and saying anything because it seems like an advertisement "yes, this number is not only active but a real person who answers random calls - try calling back (possibly from a different number) later".

    • tejohnso a day ago

      I don't even pick up calls from unknown numbers. I use call screen. Most people hang up as soon as they hear it, or they don't say anything at all. Once somebody did start speaking sensibly about a personal matter, and I picked up and continued the call normally. Probably my favourite feature since upgrading to a reasonably modern phone.

      https://support.google.com/phoneapp/answer/9118387?hl=en

    • barbazoo a day ago

      In those 2 seconds, do you count the inevitable preamble of "Hellooooo... Hello? ... Heeeello? Yes now I can hear you." or is that just me?

      • rightbyte a day ago

        Whenever I have bluetooth headsets in a 20m radius from my phone I do that too.

    • aj7 a day ago

      I use a variation of this. I answer but do not speak. A legitimate caller will speak immediately.

      • craftkiller a day ago

        Not always true. My landlord recently had a contractor call me. I did my usual "pick up and don't say anything" routine for unrecognized numbers, and the contractor silently hung up and never called back. Thankfully my roommate actually answered the call, but pick-up-shut-up prevents legit people from leaving voicemails and sometimes prevents legit people from reaching you entirely.

        Personally, I would utter a confused "hello?" if I was calling someone, the ringing stopped, and no one said anything, but I guess not everyone would.

        • brewdad 4 hours ago

          I could easily see someone like a contractor calling from the road or otherwise not paying full attention to their phone. They likely never realized you answered and needed the "hello" to refocus their attention.

      • nerdsniper a day ago

        As with 'craftkiller, I've noticed that I do need to make some kind of noise. I've settled on subtle light coughs or grunts (nothing anyone would think twice about, but which will definitely trigger an "oh, this is a human!"). I figure it might still fool some percentage of automated systems which detect whether a human (and which human) is actually there or not based on automated transcription.

  • atm3ga a day ago

    I've set my phone to not answer unknown callers (those not in my address list) and more importantly, I've done this for my parents as well and further instruct them as often as possible to not believe anything they get in email. With all of this, my mom still will reach out at least once or twice a year in a panic about some scam email she thinks is real.

    • general1465 a day ago

      Well, easy to say, but if you are working in the real world, then unknown callers may be important, e.g. FedEx trying to push your package through customs, and if they cannot contact you, your package either goes back or is destroyed.

      • yulker a day ago

        Legitimate callers for events you initiated leave messages. The correct avenue for critical notifications not initiated by you is still paper mail.

        • RHSeeger a day ago

          But your child's school nurse might not, in an emergency.

          • yulker a day ago

            Your child's school nurse would be exactly the type of person who would leave a message

            • brewdad 4 hours ago

              Not necessarily. Ours would work down the list of numbers she had for me, my wife, and other emergency contacts without leaving a message. My wife got pulled out of a meeting at work once despite me being the parent at home because I missed a call from the school and they didn't bother to leave a message.

    • atlanta90210 a day ago

      If you have an iPhone, the latest iOS 26 will answer unknown numbers not in your address book for you and ask what they want and then alert you to see if you want to take the call.

  • throwaway7783 a day ago

    I didn't quite understand this part. Attacker had access to Google accounts because Google had cloud-synced my codes? What does that mean?

    • riffraff a day ago

      The other way around.

      The attacker had access to the Google account which includes passwords from Chrome and also the 2fa codes stored in Google Authenticator, because those were synced to Google without the author noticing it.

      So with passwords and 2fa the attacker could login to Coinbase too.

    • remus a day ago

      They gained access to the Google account by stealing the verification code over the phone, but then they had easy access to other accounts (e.g. Coinbase) because they had access to 2FA codes, because Google Authenticator was backed up to the user's Google account.

      • throwaway7783 a day ago

        Ah, makes sense. The victim was socially engineered first.

  • prawn a day ago

    “never answering my phone when someone calls unless I'm expecting a call”

    Friend’s mother got scammed. She’d contacted tech support and they said they’d call back. Then a scammer just happened to call her within that next hour…

    • everybodyknows 7 hours ago

      Call center worker with a sideline business?

  • thebytefairy 9 hours ago

    > Ugh, google

    In my experience most authenticators cloud sync automatically, at least on iOS. For most people, this is a benefit. Otherwise, lose your phone and you're stuck, I doubt most people secure recovery codes properly either.

  • pc86 a day ago

    > I wonder sometimes how many scams I've avoided simply by pretty much never answering my phone when someone calls unless I'm expecting a call or it's someone I know.

    The answer is almost certainly greater than 0.

  • mihaaly a day ago

    In my experience, organizations providing services to me for money nowadays usually just send mail instructing me to call a central number where I can be in the 15th place of the call queue. In case they call, they do so whenever they please, which is the most inopportune occasion in most cases (in the loo, in transit, in a conversation, basically busy with life!). In the best case, leaving a message mumbling quickly in a sound quality like sitting in a bucket in ungoverned Afghanistan, with the suspected sense of calling them back on the central number (incomprehensible).

    Getting a proactive call for my benefit would make me very suspicious about the authenticity of that call!

  • AJ007 a day ago

    If you have to use a phone, at minimum disable notifications and never answer it. First, it removes all of the urgency. Second, the caller has to provide some way for you to contact them, which gives you a second point of contact to validate.

    Never, ever, use a cloud password manager, that's just dumb. Combining these things together in some sort of master account -- be it Google, Apple, Microsoft -- is also terrible. It's like leaving all of your savings accounts, checking, and investments at a single bank.

    All of this stuff is going to get way worse because of AI. You'll be talking to real people you know personally who are 100% not AI but were tricked into asking you to do something by other AI-enabled scammers. However aggressive I've suggested people be in the past probably isn't going to be enough for 5 years from now.

    These things have always been possible, and have been done, but now they can be done at scale, with advanced testing to figure out what works on who, whereas before it was targeting the guy who kept posting pictures of expensive watches on his public Instagram.

    • pavel_lishin a day ago

      > If you have to use a phone, at minimum disable notifications and never answer it.

      Great advice for someone who doesn't have children or family members with health conditions.

      • GoatInGrey a day ago

        The charitable interpretation is that they meant to not answer a call from someone not already in your contacts.

    • drillsteps5 a day ago

      > Never, ever, use a cloud password manager, that's just dumb. Combining these things together in some sort of master account -- be it Google, Apple, Microsoft -- is also terrible. It's like leaving all of your savings accounts, checking, and investments at a single bank.

      Do people actually downvote this? Seriously???

  • vehementi a day ago

    It's honestly irresponsible to pick up phone calls at this point. Phishers are really good, and every human has some weakness, so you can't guarantee you wouldn't fall for something -- perhaps one day a new vulnerability comes out and your old guidance is no longer perfect. Answering the phone at all is just putting yourself at risk.

pdonis 21 hours ago

I don't answer calls from numbers I don't know, period. (In fact I routinely have my phone in Do Not Disturb mode so only a few numbers, the ones I have in my favorites, will make the phone ring at all.) If it's urgent enough to the caller (either because they're legit or because they're a scammer and are trying particularly hard), they'll leave a voice mail. (I've had plenty of fraudulent voice mails.) If they claim to be from some company I have a relationship with, I check independently to see if something's up. This incident illustrates why, even if it seems like a call is legit, if you didn't initiate the call, you shouldn't even be talking.

I also don't leave any information I'm worried about someone stealing in my Google account. I find it hard to understand how anyone in tech could fail to see how risky that is.

  • fsckboy 21 hours ago

    I understand the dangers of answering scam calls, don't explain it to me

    but you're assuming that "bank security" (or the like) will never call you to alert you to a scam, or that you will recognize their number. maybe they don't, you may know that, but I sure don't.

    • apsurd 20 hours ago

      Ignorance is not a defense.

      It's true, unknown calls are 99% spam. That's on you if you'd want to believe otherwise; by your own admission, you don't know.

      Yes, important companies you do business with, you will come to store those in your contacts. You'll have specific account reps even. Services and apps don't call you, for this very reason; they have in-app confirmation flows.

    • joe_the_user 18 hours ago

      I don't think security at most banks will ever call you about a transaction. At best they may text you. But if you get some communication that there's a problem, if you talk to someone, you should call the official number rather than someone who calls you.

    • torton 20 hours ago

      They can leave a voicemail.

  • spixy 14 hours ago

    Banks or the government used to call me about important stuff (when I messed up a tax report, because of my mortgage, etc.), so not answering is not always a good idea.

    And nobody uses voicemail in the EU; it seems to be a US thing.

gargan a day ago

You don't need a spoofed email to steal someone's crypto. Criminals can just hold a gun to your head and demand your keys.

It's happened lots of times and it's why traditional banks are way more secure than crypto.

Well done to the author for talking about it, but I hope the real lesson is learned that crypto isn't a real store of wealth and can be stolen at any time....

  • pavel_lishin a day ago

    True - but a phone call scales much more easily than driving to someone's house with a gun.

    • prawn a day ago

      Not just scale either. On the phone you're dealing with people having less fear from local repercussions, from reprisal, less care for the community, etc.

    • lo_zamoyski a day ago

      I've been told that scammers aren't interested in making scams too good, the idea being that you want to select for people who are bad at recognizing a mediocre scam, because they'll be more likely to play along for the entire scam.

  • ghurtado a day ago

    > Criminals can just hold a gun to your head and demand your keys.

    Sure, but this is Hacker News, not Mugger News.

    • ajross a day ago

      You miss the point. You can't mug someone for their Vanguard account. Robbery risk is limited to cash on hand, or arguably whatever the ATM limit is on your bank account.

      • hvb2 a day ago

        Aren't elderly phone scammed out of huge amounts from bank accounts often??

        • Legend2440 a day ago

          Yes, but it's more involved. They typically get the victim to withdraw the money themselves, then send it to the scammers via wire transfer.

          Like crypto, wire transfers are difficult to track and irreversible.

          • beeflet a day ago

            So what is stopping someone from holding a gun to your head and forcing you to conduct a wire transfer over the phone or internet?

            • Legend2440 a day ago

              Online banking wire transfers are subject to a relatively low daily limit. You must appear in person and show ID to wire large amounts of money.

              The victim may also have a chance to cancel the transfer, because they’re not instant. (especially outside of business hours)

              It’s just not an attractive way to mug someone, it’s easier to take them to an ATM.

              • hvb2 11 hours ago

                This is only true in the crappy system of the US.

                In Europe a wire is instant with no recourse.

                Most banks have processes for giving money back in some of these cases.

          • carlosjobim a day ago

            There's nothing easier to track than a wire transfer. Banks just don't want to do it.

        • fabbbbb a day ago

          Not sure about the distribution, often it’s cash or jewelry that’s already home. Bank tellers and even taxi drivers get increasingly educated to stop such suspicious withdrawals/meetings.

        • doctorpangloss a day ago

          you're suggesting that the poster is shoving his hate of crypto currencies into this conversation, and not making a sincere statement about security that withstands even the tiniest amount of scrutiny?

      • janalsncm a day ago

        Actual risk is lower than that since you’ll possibly get your money back from a real bank.

      • aqme28 a day ago

        People do get taken hostage until they give up their crypto accounts sometimes. There was a prominent one in NYC recently that was on the news again due to--basically-- the alleged involvement by one of the stars of a popular reality tv show.

  • beeflet a day ago

    In cryptocurrency, you can use a multi-signature account to define your own security setup.

    For example, even a 2-of-2 setup with a trusted authority like a bank is a straightforward improvement in security over the conventional bank system.

    You can go further; for example, consider a 3-of-5 setup with 2 keys in security deposit boxes, 1 key on a laptop, 1 key on a phone, and 1 key on a hardware token. You can set the hardware token to erase its keys when the wrong PIN is entered, making it pretty rubber-hose proof.

    • hvb2 11 hours ago

      But no one will require that. When you do, no new money will flow into crypto and the music stops. And no one in crypto wants that.

      So you want there to be as low of a barrier of entry as possible, which is how we get here...

      Especially when transactions can't be traced

      • beeflet 2 hours ago

        It doesn't need to be required of anyone. People are responsible for their own funds and have their own security/effort profiles. The "right way" of doing things will be discovered through natural selection.

        If some idiot leaves all of their funds on an exchange like this, and it gets hacked, then good. That's how the market evolves and money moves out of the hands of the incompetent and into the competent.

  • ProllyInfamous 15 hours ago

    Multisignature wallets are the answer to this. Also helps spendthrifts (to require group consensus for bitcoin redemption).

    Of course, this doesn't help if you don't have trusted associates — and can be (even more) dangerous with multiple people responsible for crypto custody.

    Also helps if you have offline ("cold wallet") storage, which would require hours to importPrivKey and redeem. Slow them down...

  • bingboingbang a day ago

    There's a non-zero chance someone can just roll a new key and it happens to be yours, and poof, your money is gone with no recourse.

    It's a tiny, infinitesimal chance: but it's a heck of a lot greater of a chance than the same thing happening with a bank account, especially the "no recourse" part.

    • Jleagle a day ago

      I think you're misunderstanding how small the chance of creating the same wallet as someone else is.

      There are 2^256 wallets. There are 2^72 grains of sand on earth.

      The chance of your bank screwing up is a lot higher, by trillions.

    • beeflet a day ago

      The odds of the bank making an error related to your account and crediting you money is far greater than the odds of generating the same keypair as someone else.

    • vkou a day ago

      Let's be realistic.

      I'm a huge critic of the cult of crypto, but the odds of a key collision are smaller than the odds of <some highly improbable series of mistakes/coincidences/malice happening that result in you losing your money in the traditional banking system>.

      The odds of a 'someone gets access to your account/wallet and instantly drains it with no recourse' are much higher in the crypto space, as the author of the post experienced.

QuadmasterXLII a day ago

The load bearing question is, why didn't the attacker also clear out OP's bank account, retirement savings, and max out his credit cards? Unfortunately, the difference is that banks care literally at all about their customers accounts being emptied.

  • QuadmasterXLII a day ago

    What I specifically mean by "care literally at all" : banks have a policy of reimbursing people who had their accounts emptied despite taking reasonable precautions. This creates sane, linear incentives: banks care 1000x more about a $100,000 fraud than a $100 fraud; they care 1000x more about a scam affecting 100 people than a scam affecting one person, etc.

    Unrelated, but for added spice, here's a thread from ten months ago where everyone agrees you're a fool unless you secure your Coinbase account with Google Authenticator:

    https://www.reddit.com/r/CoinBase/comments/1h65zuh/account_h...

    • nostrademons a day ago

      It's not linear at all. We had our identity stolen through an insurance scam (somebody used our bank account and somebody else's name to open a policy with Progressive, which apparently does not validate ACH debits). This resulted in premiums of ~$300, $300, ~$500, $1002.96, ~$900, ~$900, and ~$3000 as the attacker presumably racked up huge fraudulent claims on the insurance company. The first 3 bills were reversed by Wells Fargo because their fraud policy covers fraudulent charges under $1000. The 5th and 6th were reimbursed because they were reported within 60 days of being made (and were under the limit anyway). The 7th didn't go through because we had detected the fraud and closed the account by then. But the 4th was just over the $1000 limit that they would reimburse, and so they were like "Sorry, nope, you're on your own for that one." We even filed a police report and waved that at them, and they said "We don't care. Company policy." So the very counterintuitive and non-linear result was that they paid for the $300, $500, $900, $900, and $3000 charges, and stuck us with the $1000 one, just because it was $2.96 over their limit. (Part of me really regrets declining to prosecute, but I had a ton of other stuff going on at the time and the last thing I wanted to do was get involved in a court case.)

    • 3D30497420 a day ago

      This is one of the main reasons I don't like crypto. If you get hacked, even if you did everything right, then you're out of luck. The funds are (generally) unrecoverable.

      With my bank, I've been able to recover several thousand after a thief was able to bypass the 2FA app used to verify large transfers. (I still don't know how they were able to bypass the verification, and after investigating our bank never told us. Not sure that makes me feel all warm and fuzzy, but at least I was made whole with minimal fuss.)

      • beeflet a day ago

        If you got hacked, you didn't do everything right.

        • trog 21 hours ago

          This is elitist nonsense. Maybe this user didn't do everything right but people are hacked regularly through zero fault of their own.

          • beeflet 2 hours ago

            It's your responsibility to secure your own hardware.

        • 3D30497420 16 hours ago

          • beeflet 2 hours ago

            I'll take the $5 wrench and $10,000 hitman attack that I'm aware of instead of the $0 push-button attack that you don't discover until it's too late.

    • thrill a day ago

      In my actual real world experience of digging my elderly mother out of $25,000+ of scam debt, banks do not care at all unless they can be shown to be at fault, and then they weigh the loss expense vs the likely legal expense.

      • SpicyLemonZest a day ago

        What kind of scam debt in particular? I’m not blaming your mom, but there’s a big difference for a bank between “someone stole my identity to falsely authorize this transfer“ and “someone tricked me into authorizing this transfer”.

        • janalsncm a day ago

          Never thought about it this way before, but phishing an individual is way higher ROI than identity fraud. So we should be extra vigilant about the former.

          With the former, your recourse is essentially zero. Banks won’t do anything, cops are useless.

          With the latter, banks try to prevent it and it’s harder and riskier.

    • petcat a day ago

      > banks have a policy of reimbursing people who had their accounts emptied despite taking reasonable precautions

      In the USA, banks are actually required by law to reimburse fraudulent account activity if reported within 60 days. However, this does not cover cases where the account holders themselves made the transfers, even if they were tricked into doing so.

      But if someone gets your login and liquidates your bank account, in the USA at least, the bank is 100% responsible for that fraud.

      Credit card companies are 100% responsible for fraud regardless. Even if they try to market it as a perk "You're never responsible for unauthorized transactions". Yeah, no shit. It's the law.

      • jcalvinowens 19 hours ago

        Banks really don't mind fraud, because they can use fraud to justify higher fees, which they ultimately make more money off of than the fraud actually costs them.

  • Tharre a day ago

    The flip side of that of course being that they increasingly force you to do your banking on a locked down smartphone for the same reason.

    Doesn't seem like there's a lot of middle ground between being responsible for your mistakes and being treated like you can't be trusted to make your own decisions.

  • calmbell a day ago

    And transferring money from a bank or brokerage account takes time. Enough time that anyone paying attention should be able to report the transfer as fraudulent before it completes and have the account frozen.

    • dist-epoch a day ago

      It depends. In UK a transfer is instant. In most of EU it happens the same day, many times in hours.

      • zoover2020 a day ago

        EU is mostly instant too, IBAN at least.

  • bdangubic a day ago

    the banks don’t give two shits about it :)

    • fn-mote a day ago

      The difference is that you have leverage to force the banks to care.

      There isn't any federal regulation at all covering your Bitcoin.

      • wmf a day ago

        Bitcoin exchanges like Coinbase are regulated by the CFTC in the US. This case is more of a Google problem though.

        • ameliaquining a day ago

          I don't believe the CFTC has any rules requiring crypto exchanges to reverse fraudulent transactions.

          • bdangubic a day ago

            this isn't fraudulent - you being silly and allowing someone full access to your account is your fault as much as leaving a wallet at a strip club and calling owner Joe for a refund

            • otterley 19 hours ago

              It is absolutely fraudulent. If you intentionally misrepresent yourself as the real account holder to the financial institution (by presenting credentials that do not belong to you), the institution relies on this misrepresentation, and damages result, that is fraud. Full stop.

          • wmf a day ago

            It's generally impossible to reverse crypto transactions so such regulation would be pointless. CFTC could force Coinbase to use 2FA but that was already enabled.

      • bdangubic a day ago

        what federal regulation is there where it is your fault that you allowed someone access into your account? name a statute (any state or federal)? :)

      • thrill a day ago

        Fraud is fraud. There’s plenty of laws against it.

        • ameliaquining a day ago

          The question is not whether it's legal to defraud someone, but what a financial services provider's obligations are if their customer gets defrauded. The answer here is quite different for banks and brokerages than for crypto exchanges.

    • adrr a day ago

      Banks do care because they are on the hook. If someone commits identity theft and steals money from the bank via your account, its on them.

      • beeflet a day ago

        There is no such thing as identity theft. That is a term made up by banks to pass the blame for their insecure means of authentication.

        • otterley 19 hours ago

          There is such a thing, if you equate “identity theft” with the fraud it enables. Stealing credentials is just the first step.

      • bdangubic a day ago

        this is not identity theft :)

        • adrr a day ago

          As long as he didn't give out credentials to his bank account, he's well covered.

          • bdangubic a day ago

            he's most definitely not covered. I would run this scam 24/7 with every bank in America if I was "covered" :)

    • insane_dreamer 8 hours ago

      but crypto exchanges/wallets give even fewer shits :)

ratorx a day ago

I’m struggling to understand the chain of events, because the story starts midway. Is the claim that JUST the 2FA code was enough to pwn everything with no other vulnerabilities? If that’s the case, then that’s a way bigger problem.

Or (given the password database link at the end), is the sequence:

1) various logins are pwned (Google leak or just other logins, but using gmail as the email - if just other things, then password reuse?)

2) attacker has access to password

3) attacker phishes 2FA code for Google

4) attacker gains access to Google account

5) attacker gains access to Google authenticator 2FA codes

6) attacker gains access to stored passwords? (Maybe)

7) attacker gains the 2nd factor (and possibly the first one, via the Chrome password manager?) to a bunch of different accounts. Alternatively, more password reuse?

I guess the key question for me, was there password reuse and what was the extent, or did this not require that?

Disclaimer: work at Google, not related to security, opinions my own.

  • davidscoville a day ago

    I think the attacker had my password, and they just needed a recovery method, which was the code I read over the phone.

    I have no idea how they had my password, I never share passwords or use the same password. But I hadn’t changed my Google password in a while.

    • cpncrunch 19 hours ago

      No, if they had had the password they wouldn't have needed to do all of that. They could have just logged in, perhaps just needed the 2FA code. However, you say that you gave them both enhanced security codes (I'm guessing this was a gmail backup key), and you also gave them the 2FA SMS code. These are the only two things you need to take over any gmail account, and it doesn't require knowing the password. It's just purely social engineering.

      The only question mark is the email from google. It sounds like it was a scam email, so it would be interesting to know whether/how it was spoofed.

    • ratorx a day ago

      Gotcha, thanks for clarifying!

      And did you have passwords using chrome password manager as well (which were also compromised by the Google account access, and this is how they got access to e.g. Coinbase?), or did they get passwords through some other means and just needed 2FA?

      • davidscoville a day ago

        I did have saved passwords in Chrome password manager but they were old. My guess is that the attacker used Google SSO on Coinbase (e.g., "sign in with Google"), which I have used in the past. And then they opened up Google's Authenticator app, signed in as me, and got the auth code for Coinbase.

        By enabling cloud-sync, Google has created a massive security vulnerability for the entire industry. A developer can't be certain that auth codes are a true 2nd factor, if the account email is @gmail.com for a given user because that user might be using Google's Authenticator app.

        • ratorx a day ago

          Hmm, I see what you mean, although technically this is still a 2 factor compromise (Google account password + 2FA code). Just having one or the other wouldn’t have done anything. The bigger issue is the contagion from compromising a set of less related two factors (the email account, not the actual login).

          Specifically, the most problematic is SSO + Google authenticator. Just @gmail + authenticator is not enough, you need to also store passwords in the Google account too and sync them.

          Although, this is functionally the same as using a completely unrelated password manager and storing authenticator codes there (a fairly common feature) - a password manager compromise leads to a total compromise of everything.

        • blactuary 21 hours ago

          You used Google SSO for Coinbase?

    • lokar 20 hours ago

      Did you reuse that password on another site?

      I don’t see how this happens if you use strong passwords without reuse.

      • nixosbestos 16 hours ago

        500+ comments in this thread and there's still no information as to what the hell actually happened.

        I sleep fine at night, this is a hallmark of these "omg I got owned and it could happen to you!" posts that never quite add up.

  • pluc a day ago

    Passwords don't matter if you have access to the inbox and 2fa codes, you can just reset passwords.

    • ratorx a day ago

      But if you get access to the inbox, then you have a compromised device or the password via some other means right?

      Inbox access is a fairly big compromise, even without the 2FA codes.

      • bdangubic a day ago

        Inbox is the biggest compromise of them all IMO. I realized this a decade ago and use a different email for every account that I have. None of them have anything to do with my name in any way, I use 4 random words to create new email for any new account that I need. Accidental takeover of any one account does not lead to total take over of my life :)

      • pluc a day ago

        You're right, seems they already had his inbox credentials.

        • cpncrunch 19 hours ago

          No, it sounds like they got him to create backup codes, which (along with the SMS 2FA code, which he also gave them) is all they need to take over the Gmail account. Job done.

oliwarner a day ago

We're a bit light on detail here but it's worrying that it's 2025 and Google isn't flagging "looks like" @google.com messages.

I'm assuming this is a dirty unicode hack and not something worse: no DKIM or an actually compromised sender.

The whole thing stinks.

  • rs186 a day ago

    I never considered Unicode domain names a good idea. Looking at it today, it appears that the only people who use Unicode in domains are scammers and criminals.

    Thanks ICANN!

  • carodgers a day ago

    I can't believe he omitted that detail. How did they appear to send an email from a google domain? This is especially puzzling given that he says he works in security.

    • iLoveOncall a day ago

      Looks like the attacker set "legal@google.com" as expeditor name, so that's what showed on the author's phone, that's it.

      • oliwarner 13 hours ago

        Which should trigger every automated alarm bell, as well as SPF/DKIM checks. Which is where this falls apart slightly because in my experience, Gmail is pretty alert about flagging basic things like this.

        The headers uploaded are the report email being sent to Google, not the original incoming email. We still don't know how this was spoofed.

      • karakot 20 hours ago

        I just put it into the subject and that's how it looks in my inbox

        https://imgur.com/a/Ki2cciH

        Minimal effort, won't pass any scrutiny, but someone panicking might miss it.

        Thanks OP for the thread, very enlightening.

        • oliwarner 13 hours ago

          The screenshot in TFA shows the subject was "Recent Case Status" and the sender was Google <legal@google.com>. This wasn't as simple as a dodgy subject.

          I wonder how many people would fall for that though.

      • cpncrunch 8 hours ago

        What exactly is "expeditor name"?
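
What iLoveOncall calls the "expeditor name" is the display name in the From: header. The block below is an added example, not code from the original post or from Gmail: it constructs a message whose display name is "legal@google.com" while the real address sits at a hypothetical attacker domain (example-scam.test, an assumption made up for this example), shows what a client that renders only the display name would present, and runs a simple check that flags the mismatch between the display name's domain and the actual address's domain.

```python
"""Display-name spoofing in the From: header.

Added example, not from the original post. The attacker address and the
message text are constructed for illustration.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical attacker mailbox; assumption made for this example.
ATTACKER_ADDR = "case-desk@example-scam.test"


def build_spoofed_message() -> EmailMessage:
    """Construct a sample message whose display name looks like a Google address."""
    msg = EmailMessage()
    msg["From"] = f'"legal@google.com" <{ATTACKER_ADDR}>'
    msg["To"] = "victim@gmail.com"
    msg["Subject"] = "Recent Case Status"
    msg.set_content("Do not change your password for the next 6-12 hours.")
    return msg


def rendered_sender(from_header) -> str:
    """Mimic a mobile client that shows only the display name when one is present."""
    name, addr = parseaddr(str(from_header))
    return name or addr


def actual_address(from_header) -> str:
    """The addr-spec the message really came from, regardless of display name."""
    return parseaddr(str(from_header))[1]


def display_name_mismatch(from_header) -> bool:
    """Flag a From: whose display name contains an address at a different domain."""
    name, addr = parseaddr(str(from_header))
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if not m:
        return False  # plain display names ("Google") carry no domain claim
    addr_domain = addr.rsplit("@", 1)[-1].lower()
    name_domain = m.group(1).lower()
    return name_domain != addr_domain
```

The check is deliberately narrow: it only fires when the display name itself looks like an email address at another domain, which is the pattern described in this subthread. It says nothing about whether the real sending domain passed SPF or DKIM; that is a separate check on the authentication results, not on the header text.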

Imnimo a day ago

I notice none of the pieces of advice are "don't keep a hundred thousand dollars in a Coinbase account".

  • atm3ga a day ago

    I split my crypto assets between Coinbase and what is now a corrupted hard-drive I've yet to recover.

    • hcknwscommenter a day ago

      The funniest hacker news comment I've read all year. Funny because I'm essentially in the same situation. I'd bet we are legion.

    • madaxe_again a day ago

      I keep mine on a broken raid 5 array (seagate flood drives - two failed within hours of each other) in a shoe box. It’s super secure.

      • beeflet a day ago

        RAID is cool, but it's not much of a backup if it's always plugged into a running computer. Half the risk comes from some process "intentionally" erasing the data.

        I use the super-sophisticated method of manually copying everything important to external storage every 5 weeks or so. That has never failed me.

        • _-_-__-_-_- a day ago

          I do the same, but then you should have two copies, encrypted-at-rest and one offsite.

  • otterley 19 hours ago

    I recommend not investing in crypto at all because it’s an attractive nuisance and has no useful purpose other than speculation and money laundering.

jimt1234 18 hours ago

There needs to be a standard way for customers to authenticate employees representing companies, sorta like a reverse-text-message-code. Maybe, as a customer of a website, I can login to the site (authenticate myself), then generate a code that only myself and someone inside the company can see. Then, I can ask him to read the code back to me so I know he's legit. Does that already exist? I've never heard of it.

  • joe_the_user 18 hours ago

    It seems unfair, yeah.

    But the main way to know is that companies never call you these days. No company should have and few do have a workflow where an employee will call you "cold" with a problem. Instead, companies email, snail mail or text about a problem and you call them back.

    But if someone somehow sounds legit, you ask for the official number and whatever info is needed to identify your supposed problem. Then go to the website and verify. Call the number at the website (that you find from your own search, not the caller's info) and then have them verify you.

____tom____ a day ago

> Note: if you’re a developer and your users have gmail accounts, an authenticator code is NOT a 2nd factor, if that user is using Google Authenticator.

So many people and developers do not understand two factor authentication. If the necessary information is automatically sync'd to another device, you likely don't have two factor auth.

Example: If you log in from a Macbook, and the second auth is sent to your phone, Apple will helpfully forward that code to the Macbook, completely removing the second factor.

  • UncleMeat a day ago

    There are threats and there are threats. Second factors largely exist to prevent password stuffing from password reuse. Even if the second factor is the same device as the device where you are initiating a login this works just fine.

    If your goal is to stay safe even after one of your devices is owned then you’ve got a rarer (and way more difficult) threat model.

    • commandersaki a day ago

      How did this user's Coinbase account get hacked anyways? Did they reuse passwords? Did the attacker even have passwords?

  • PaulHoule a day ago

    It doesn’t work because people don’t understand it. They understand they are getting harassed all the time and are in a state of terror because you might get locked out of your accounts because you lost a device or because something went wrong with your relationship with Apple, Google, Microsoft and other large unaccountable vendors, something you may or may not get an explanation of.

    Since you’re getting harassed all the time and dealing with opaque rules it is no wonder people are fatigued, make mistakes, are inclined to panic when they get a scary call and hand over the keys, etc.

    To add to that, having anything to do with crypto is to put a big target on your back and make yourself vulnerable.

  • joshuamorton a day ago

    Two factor usually means "something you have + something you know". So your MacBook + your password is two factors.

    I've seen references to "three factor" auth which is often a push notification to a phone, and then there's more secure second factors, like yubikeys or code-protected passkeys.

    • jenadine a day ago

      I don't know my passwords: They are stored on my MacBook.

      • joshuamorton a day ago

        Does your MacBook require you to enter a password to log in?

  • jiveturkey a day ago

    MFA is a cargo cult these days.

Empact a day ago

My mantra: trust no inbound communications. If something is in fact urgent, it can be confirmed by reaching out, rather than accepting an inbound call, to a number publicly listed and well known as representative of the company.

These scams will only get better, they will impersonate your loved ones, your best friends, your children, and plead with you to save them by handing over money or information, but it will all be a ruse. The only things that can prevent this outcome are: positive ironclad proof of identity / personhood / company representation, or ongoing rejection of belief in inbound communications.

  • lo_zamoyski a day ago

    I used to think sophistication was the game, but when I brought up the obviousness of Nigerian prince scams with someone, I was told that the poor quality is a tactic. That is, these scams use scale, so the idea is that mediocre scams will weed those people out who are able to discern the scam and select for those who are easily manipulated. This increases the chances that you'll be able to scam the person.

ipython a day ago

It's so frustrating reading this, because this blog has about 75% useful information, with 25% just left there unsaid.

> On iOS, Gmail doesn’t let you view full headers

True! But Gmail on desktop does provide full headers. Why not post them so the rest of the community can step in and help out?

  • davidscoville a day ago

    I lost the original email—the attacker deleted all evidence and then cleared my trash (and yes I tried using the Google tool to find deleted emails, but the attacker cleared that too). The reason I have this email is because I forwarded this email on to phishing@google.com, before the attacker deleted everything. When I got control of my account, and removed the scammer recovery methods (he added a windows device—I don’t use windows, and a Brazil phone number), the email bounced back from phishing@google.com (apparently Google doesn’t accept that address). So what I have is the bounced-back copy.

    • davidscoville a day ago

      I updated the post and included the headers & html of the bounced copy, although I don't think it's very useful.

      • cpncrunch a day ago

        I'm not seeing the headers anywhere in the post.

        • cpncrunch 19 hours ago

          Ok, I see them now...for some reason it took a while for the article to be updated.

  • vehementi a day ago

    They're not saying they can't get the headers, the point is that if you're using iOS you don't have access to the headers to validate

blevinstein a day ago

I avoided this exact scam. The most important thing is to never trust an incoming phone number. If they can't give you a publicly posted phone number that you can call inbound, they are a scammer.

Google has dozens of properties and it is easy to generate an email from one of them that seems to confirm the attacker's identity. Never trust any of these to identify a legitimate representative.

  • vessenes a day ago

    I too avoided it; I had an interesting interaction with the (American) call center scammer -- he called, said his story; he gave me a callback number when asked; I asked him for a web page where I could verify the callback number. He quickly rattled off a legitimate Coinbase webpage URL, I believe their ToS page, which does include a phone number. He then hung up rather quickly.

    Sadly for the scammers, that number didn't match. But, I note it was part of his script to sound confident and give a working URL. Pretty strong.

    • ____tom____ a day ago

      They frequently have nicely done webpages, which have this phone number on them. So you need to find the URL yourself.

  • bo1024 a day ago

    It's already hard to verify if a phone number is legitimate, and I think it will get harder. And on the other hand, easier to get a search engine AI to incorrectly spit out the wrong number.

rwmj a day ago

Does anyone know how the email from (or appearing to be from) @google.com works? Wouldn't the Apple account reject it because it fails DKIM/etc?

  • fastest963 a day ago

    Yeah, I don't understand how it passed DMARC and why it wasn't rejected immediately by his mail server (Apple Mail?).

    • youngtaff a day ago

      From the article he uses gmail I think

  • neuronflux a day ago

    They probably sent it from gmail which would pass the SPF check (google.com and gmail.com have the same SPF). They wouldn't have it signed to pass DKIM, but google doesn't use strict alignment checking so to pass DMARC either SPF or DKIM are acceptable.

          ~ dig _dmarc.google.com txt +short
          "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"

    • LeonM a day ago

      What you're saying makes little sense.

      Yes, SPF (the original design) is horribly broken and trivially bypassed. The most prominent design flaw is that the inbound SMTP service uses the SMTP (rfc5321) MailFrom address for SPF validation, which is not the same sender address shown to the recipient; they can only see the message (rfc5322) 'From' header address. SPF originally didn't require the domains in the MailFrom and From addresses to match, so an attacker would simply use a domain they control in the MailFrom address, and the 'spoofed' domain in the From header.

      That was 10 years ago though. DMARC fixed this by adding the alignment requirement, meaning that the domains in the MailFrom and From address must match. By default the alignment policy is 'relaxed', meaning that the MailFrom and From domains can differ in subdomain, as long as they share the same organizational domain. Setting the SPF alignment to strict (aspf=s) like you mention in your post requires the domains to match exactly, with no subdomain differences allowed.

      So, it doesn't matter that Google doesn't use strict SPF alignment in the DMARC policy, the fact that they have DMARC already adds the requirement to SPF validation that the domains must match.

      Yes, google.com and gmail.com use the same IP ranges in their respective SPF policies, but Gmail will never allow you to send email from addresses at a domain that you do not own. This is why domain validation is required when you set up Gmail with a custom domain.

      The only scenario where your explanation would hold up, is if the attacker was able to gain control of the DNS of a subdomain of the google.com domain, and successfully validated it as a custom domain in Gmail, then send emails from that subdomain in rfc5321.MailFrom address and the google.com domain itself as the rfc5322.From domain.

    • BCM43 a day ago

      I'm pretty confident gmail's servers don't let you send with headers matching @google.com email addresses you don't control though.

    • Avamander a day ago

      Can't practically require both SPF and DKIM with DMARC anyways. Doing so would also be dumb as it would break forwarding (even when DKIM would otherwise remain intact).

      Deprecating SPF would do everyone a favour though. Especially for reasons like these.

      • neuronflux a day ago

        SPF alignment ensures the MAIL FROM domain matches the From header. DKIM alignment ensures the From header matches the domain in the DKIM signature header. In the DMARC policy, you can set both adkim=s and aspf=s.

        Google owns and manages all of this, so they can send emails with a google.com MAIL FROM, a google.com header, and signed with a google.com DKIM key. And they could do likewise with gmail.com emails.

        I'm not clear on why this isn't practical, perhaps there is something I'm missing though? I would appreciate your viewpoint.

        Edit: I see you added a point about forwarding.

        • Avamander a day ago

          DMARC specifies that SPF alignment is checked for the domain in the MIME From. The domains in SMTP and MIME From do not have to be the same (nor both align).

          Your MTA can still check alignment for both HELO and SMTP From as specified by SPF's RFC(s) though and spam filters often do for extra information/signal.

          DMARC's adkim/aspf basically aren't supported in practice. Nor should they be. For the reasons already mentioned, as you already read.
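
The alignment rules that LeonM, neuronflux and Avamander are arguing about above can be written down in a few lines. The block below is an added example, not code from the thread or from any mail server: it parses a DMARC TXT record (the google.com one quoted from the dig output above), applies the relaxed (`r`) and strict (`s`) alignment modes of RFC 7489 to the SPF identifier (the rfc5321.MailFrom domain) and the DKIM identifier (the `d=` domain), and returns the DMARC verdict. Two simplifications are assumptions made here: the organizational domain is taken as the last two labels instead of being looked up in the Public Suffix List, and the SPF/DKIM pass results are passed in as inputs rather than computed.

```python
"""DMARC identifier alignment (RFC 7489, section 3.1).

Added example, not from the original thread. Organizational-domain lookup is
simplified to "last two labels" (assumption; real code uses the Public Suffix
List) and the SPF/DKIM results are supplied by the caller.
"""
from typing import Optional

# The google.com policy as quoted from the dig output earlier in the thread.
GOOGLE_DMARC = "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and apply the RFC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless stated
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, see above)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact match."""
    a, b = identifier_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_result(record: str, from_domain: str,
                 mailfrom_domain: Optional[str], spf_pass: bool,
                 dkim_domain: Optional[str], dkim_pass: bool) -> str:
    """DMARC passes if SPF *or* DKIM passed AND that identifier aligns with From:.

    A raw SPF pass for an unrelated MailFrom domain (e.g. gmail.com when the
    header From is google.com) contributes nothing, which is LeonM's point.
    """
    tags = parse_dmarc(record)
    spf_ok = bool(spf_pass and mailfrom_domain
                  and aligned(mailfrom_domain, from_domain, tags["aspf"]))
    dkim_ok = bool(dkim_pass and dkim_domain
                   and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    return "fail:" + tags.get("p", "none")
```

Run against the google.com record: a message with From: @google.com whose MailFrom is @gmail.com fails DMARC even with an SPF pass, because gmail.com and google.com are different organizational domains; a MailFrom at a google.com subdomain passes under the default relaxed mode and fails only if `aspf=s` is added; and a valid DKIM signature with `d=google.com` passes on its own regardless of the SPF identifier.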

    • teraflop a day ago

      So any message from Gmail is treated as legitimate for google.com, and yet Gmail can't do its own checks on outgoing mail to ensure that unauthorized people don't put legal@google.com in the From: header? Seriously?

      • cpncrunch 18 hours ago

        No, gmail will never let you send from an address you don't own.

  • Flimm a day ago

    I've received a phishing email from an @paypal.com email address. (The From: header showed an @paypal.com email address.) Fortunately, the text of the email itself was fishy enough to make me realise it wasn't legitimate. I have no idea how it passed spam filters. I reported the email to both PayPal and my email provider, and I never heard back.

    • noname120 a day ago

      Can you download the email as EML and paste the content here?

  • traceroute66 a day ago

    > Wouldn't the Apple account reject it because it fails DKIM/etc?

    Yeah, I would be curious to see the actual email headers of what was received.

    As an aside, fun fact, this would not be possible with @apple.com because Apple employees have old-school S/MIME signatures as an additional security layer.

    • valleyer 20 hours ago

      > this would not be possible with @apple.com because Apple employees have old-school S/MIME signatures as an additional security layer

      A few do, but most do not, and certainly Apple's automated-system e-mails do not.

    • Avamander a day ago

      How would recipients know to expect an S/MIME signature though. It's not like it's enforced by MTAs like DMARC is.

      • traceroute66 a day ago

        IIRC, if you're using Apple's Mail client it gets validated against the root cert shipped with MacOS/iOS. You get a little black tick next to the sender.

        In theory, third-party places like gmail could (should ?) automagically verify S/MIME sigs where a root cert is readily available.

        • Avamander a day ago

          Support for verification is indeed widespread, but if it's missing there's nothing to verify.

          There's no system in place to warn the user when there is no signature and that there should be one.

  • bradly a day ago

    Probably not the same attack vector, but I've gotten phishing emails from real googlemail.com addresses by the scammer abusing backscatter spam and the reply-to address.

  • fkskammerz a day ago

    I use gmail and I was attacked almost identically and the email came through to my gmail with an @google origin account

    • davsti4 a day ago

      More details would be great, like the headers.

  • davidscoville a day ago

    I’ve heard scammers use Google tools like Google forms or Google cloud to send out fraudulent emails that appear like they come from Google.

    • thrill a day ago

      The latest attempted scams I’m getting on my gmail account are fake postmaster bounces “from” google.com.

narrator a day ago

I got scammed because somebody put a fake bank location into Google Maps and so the Google voice caller ID said it was my bank. Luckily, I realized I got scammed and called the bank up right away and they got the charges reversed, which is why I still use that bank. Moral of the story: never trust inbound calls. They are the easiest vector for scammers to spoof.

  • themafia a day ago

    It's insane that telephone service companies aren't getting greater scrutiny in all of this. For marginal profits they're allowed to create giant financial craters in the lives of citizens.

    Why do banks have to "know their customers" and telephone providers don't?

    • ianburrell 20 hours ago

      Telephone companies are required to implement the STIR/SHAKEN protocols to authenticate phone calls. But it doesn't seem to have stopped the flood of scammers.

      I have read that one problem is VoIP systems which can spoof outgoing phone numbers. It sounded like these are easy to attack. Or maybe scammers just make fake VoIP calls from overseas.

  • BizarroLand a day ago

    Same for emails. If you didn't reach out to the person first, don't trust ANY email with alarming call-to-action text, especially if it contains a link to where you can take care of the issue.

quantified a day ago

Mistake cost him 80k. Author is feeling burnt, but the cost is the cost at transaction time.

  • saaaaaam a day ago

    Extending this further, based on the stated value it looks like he probably had 40 or 50 ethereum. He might have bought them for a fraction of today's price - say $50 - so might only be out $2500 based on cost at transaction time...

    • thevillagechief a day ago

      If someone made away with all my retirement savings, I wouldn't say I was only out the cost basis.

    • vehementi a day ago

      Your analogy is different. They bought for X, then when it was stolen it was worth 80k, and at this random time today, it's worth $120k and he's saying he lost $120k.

      • saaaaaam 17 hours ago

        Value is arbitrary, and only crystallises at liquidation. I have a painting I paid £300 for. Works by that artist are now selling for £10000. Does that make my painting worth £10000? I can send it to be appraised but even if it is valued at £10000 that value could only ever be realised if I send it to auction. If I wait too long the artist may fall out of fashion and the work may be worth less than I paid. The real value is the pleasure it gives me each day when I look at it. Is that worth more or less than £10000?

  • elAhmo a day ago

    I have a feeling if ETH went down in the meantime, the blog post would reflect 80k, not the lower value.

  • shocks a day ago

    Incorrect. Author may not have had the required savings to rebuy the position he wanted.

    • nradov a day ago

      The author can simply buy a "position" in Monopoly Money instead. It's just as useful as cryptocurrency, and as a bonus harder to steal!

      • jenadine a day ago

        But harder to resell for a multiple of the buying price later.

m4tthumphrey a day ago

> I answered

This is honestly the cause IMO. I refuse any call from any number not in my phone book, UNLESS I am expecting a very specific call, and if it’s not who I expect, I hang up with no conversation.

chemodax 4 hours ago

I think there is a relatively cheap way to reduce such scams: make it mandatory for banks etc. to perform “training” of their clients. Regularly make a call to clients asking for sensitive data. Then block the account if the client provides this data.

kaiokendev a day ago

I was targeted by this exact same attack several months ago. It sounded incredibly real, the emails looked legit, down to the domains, Google even has a process for this exact scenario. The only thing that tipped me off is that they sent a login request to my phone. Nothing about the login request seemed off- it even originated from a Mountain View IP. But it was the fact they had sent me a login request which prompted me to drill the voice on why they needed a login request instead of some other form of verification. The disembodied voice soon became agitated and eventually told me that I should expect to lose access to my Google account soon since I hadn't complied with their request.

It was only after I checked Twitter that I saw Garry Tan's callout of the exact same scam. After experiencing it myself, I wouldn't fault anyone who fell for it. The only other tip-off was that the voice was pretty monotone and unemotional, but that only appears obvious in hindsight, not in the moment where you're slightly panicking that someone might be trying to claim access to your account.

tehwebguy a day ago

Heck of a job, Google!

Email spoofed from legal@google.com and he read it in Google's Gmail app for iOS. The original title was correct: "Google Helped It Happen"

  • edm0nd a day ago

    except it's not a spoofed email. It's really from Google. You can't spoof emails from Google to that inbox.

    You can use Google Cloud or Google Sites to trigger emails to anyone that legitimately come from Google email addresses and servers, or submit forms on Google that will send legit emails to Gmail users/targets.

    They simply either just embed their scam text into these emails or use the emails from legal@ as a scare tactic and pretext for their scam when they call you.

    • ac29 a day ago

      > except its not a spoofed email. It's really from Google

      Read the text shown in the screenshot in the article. I am 99.9% sure that is not from Google. The wording screams scam to me, most likely from someone who is not a native English speaker.

      Among many many other red flags, it specifically says not to try and change your password for 6-12 hours and to not share the details of the email with anyone.

sequin a day ago

How did they get the passwords to his Google and Coinbase accounts? He reused passwords? The same one for Google as for Coinbase? Or did they reset his Coinbase password via his Gmail? The post doesn't make this explicit, but it warns against password reuse.

  • davidscoville a day ago

    I believe they logged into coinbase with Google SSO. And then they used my Google Authenticator codes which were cloud synced as the second factor auth method.

    A warning to auth engineers: if an account is using a Gmail address, then auth codes from Google Authenticator should not be considered a second factor.

    • avree a day ago

      This isn't something "auth engineers" can control, there's no magic Google Authenticator flag on a 2fa code - it's all HMAC and numbers, you don't know if the code came from Authy, Google Auth, a homebrew code generator, a dongle, etc.

      • wmf a day ago

        It sounds like we're back to physical Yubikeys as the only secure auth.

        • moduspol a day ago

          Seems reasonable if you need to secure five figures or more in crypto.

        • acdha a day ago

          Passkeys also solve this even if they’re not hardware backed. He was able to give them a code but wouldn’t have been able to do a passkey handshake for a domain which isn’t Google.com. Plus they’re easier to use and faster.

          • wmf a day ago

            I don't know about that. If they can hack your Google/iCloud account they can add a new device, sync all your passkeys to that device, then log into all your other accounts.

            • acdha a day ago

              How do they do that if you are incapable of giving them a valid authentication code?

              I don’t use Google but at least in the Apple world you also get a fairly different prompt for enrolling a new iCloud Keychain device than simply logging in. Obviously that’s not perfect but there is a good argument for not getting people accustomed to hitting okay for both high and low impact challenges using the same prompt.

            • ameliaquining a day ago

              But they can't hack your Google or iCloud account if it's secured with a passkey, unless they have some other non-phishing means of doing so, which the attacker in this story presumably did not.

              • Symbiote a day ago

                I had to reset the 2FA for a domain admin account for Google Apps earlier this year — I'm not sure if my password manager somehow lost the passkey, or if I missed creating one before some deadline. (It's a little-used domain.)

                I think I requested the reset with various details, then had to wait 24 hours before continuing.

                • acdha 10 hours ago

                  I feel like a lot of things would benefit from that time delay and, perhaps, an in person check like the notary ID verification AWS used to use.

                  About a decade ago I had suggested to Google at an identity forum that they embrace a local government/organization model for their hard-landing account recovery process (since it can ultimately devolve to an ID check) by having a mechanism where you can start the account reset process and get something which could be taken to a third party to approve after they do an ID check. As people increasingly depend on things like email accounts for everything there is a constant stream of people who will lose access to their phones but could easily visit a notary, library, DMV, police station, etc. and pass a check against a pre-registered government ID.
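
acdha's argument above is that a passkey cannot be read out over the phone because the handshake is bound to the site's domain. The block below is an added example, not code from the original post or from any WebAuthn library, showing the two origin-binding checks a relying party performs before it even verifies the signature: the `origin` the browser actually talked to (carried in clientDataJSON) must sit under the relying-party ID, and the first 32 bytes of authenticatorData must equal SHA-256 of that same RP ID. The sample assertions are constructed here, `example.com` stands in for the real site, `example-support.test` for a look-alike phishing domain, and signature verification is omitted.

```python
"""WebAuthn assertion origin/RP-ID binding checks.

Added example, not from the original post or any library. Constructs the
relevant parts of a WebAuthn assertion and runs the relying-party checks
that reject an assertion produced on a different domain. Signature
verification is deliberately left out; it comes after these checks.
"""
import hashlib
import json
from urllib.parse import urlparse


def make_authenticator_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """First 37 bytes of authenticatorData: rpIdHash || flags || signCount (constructed)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + sign_count.to_bytes(4, "big"))


def make_client_data(origin: str, challenge: str) -> bytes:
    """clientDataJSON as the browser would produce it for a get() call (constructed)."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge,
                       "origin": origin}).encode()


def check_binding(expected_rp_id: str, expected_challenge: str,
                  client_data: bytes, auth_data: bytes) -> str:
    """Relying-party checks on type, challenge, origin, rpIdHash and the UP flag.

    Returns "ok" or the reason the assertion is rejected.
    """
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch"
    host = urlparse(cd.get("origin", "")).hostname or ""
    # The origin must be the RP ID itself or a subdomain of it.
    if not (host == expected_rp_id or host.endswith("." + expected_rp_id)):
        return "origin not under rp id"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP: user presence bit
        return "user not present"
    return "ok"
```

A look-alike site can coax the victim into completing a ceremony, but the browser records the look-alike origin and the authenticator scopes the credential to that origin's RP ID, so the legitimate site rejects the result on the origin check before any key material matters.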

      • davidscoville a day ago

        Exactly. Google created vulnerabilities for the whole industry by introducing cloud synced Authenticator codes.

        • commandersaki a day ago

          Similarly the SSO sign in, which I think is much worse. Though arguably Coinbase is at fault for that one.

    • haarolean a day ago

      >A warning to auth engineers: if an account is using a Gmail address, then auth codes from Google Authenticator should not be considered a second factor.

      Incredible take. I don't know what's worse here — suggesting gmail address = google authenticator, thinking you can know the source of "auth codes", or the fact this is coming from an auth engineer. I'm switching to handwritten HMACs on paper napkins today.

  • em500 a day ago

    Google/Chrome Password Manager?

    • IncreasePosts a day ago

      But how did they get his Gmail password in the first place?

      I'm not sure if I have the same password reset flow as OP, but when I try to reset my password and even provide the 2fa code, it basically doesn't let me get past a certain point without contacting my backup email address or making me use a phone which I'm logged in on to complete the reset

      • zargon a day ago

        The article gives advice to change your passwords because of leaks. So as the post above suggests, it really sounds like they reused their google password somewhere. Then had Google sign-on for Coinbase, or had their Coinbase password in Google.

kwar13 a day ago

> So when he asked me to read back a code — supposedly to prove I was still alive — in a moment of panic, I did.

I am not clear how the account access occurred. What code did he read? He voluntarily read his own 2FA code from his Authenticator?

  • bingboingbang a day ago

    Seems likely to be an SMS code, Google will use a phone for recovery if you claim to have no other access.

    This person read an SMS code — one that explicitly says not to give it to anyone — and then they said "I work in tech. I design authentication experiences. I know you’re not supposed to share verification codes! And yet, I got phished."

    This person's greatest mistake was answering the phone to a stranger. Who knows what hell can be unleashed on one's emotions nowadays with AI. One cannot expect to be rational in a lion's den.

    They are royally fucking up their PSA by throwing Google under the bus rather than telling people to avoid answering their phone to scammers. I suspect this PSA will help approximately no one because of that. Not getting your voice captured (for AI synthesis) is, by itself, a great reason not to answer random calls like this.

    • vehementi a day ago

      > Who knows what hell can be unleashed on one's emotions nowadays with AI

      This is key. I would "never" fall for a scam like this. But who knows for sure? I would also never cheat on my partner, but can I say with 100% certainty that some insane situation can't possibly ever come up where my many layered defenses are compromised? Can some sufficiently charismatic individual deliver a perfect AI script to me based on info from 5 other breaches, in my brother's voice, to make me give up a 2fa token in an emergency? Maybe! So just never answer the phone, ever

janalsncm a day ago

Every day Google is trying to foist Gemini on me yet spam like this waltzes right through Gmail. Perhaps once we have finished our Dyson sphere powered AGI we will be able to block emails spoofed from @google.com.

  • slig a day ago

    I get tons of email from @google.com, not spoofed, but somehow they send some email to $myname@google.com, which doesn't exist, and the Google server bounces it back to my $myname@gmail.com telling me that, with a huge CTA from the spammer. That bypasses all spam filters since it's an actual email from Google.

amradio1989 a day ago

The key takeaway is: we are all human. And humans are easily hackable under the right circumstances.

Your story is humbling, and a good reminder that anyone can get “got”. We shouldn’t think ourselves above such incidents.

  • edm0nd a day ago

    IMO the takeaway is the author had very poor security.

    You can literally tie a yubi key to your Coinbase account and no one can withdraw funds unless a yubi key is physically plugged in and pressed.

    One can also use the Coinbase Vault system where it would be impossible to steal any funds from his account had he enabled it.

    You should also never use cloud sync for Google Authenticator, as evidenced here.

spapas82 a day ago

My two cents:

1. When somebody communicates with you and tells you it's urgent, it's usually a scam. They are trying to make you do stuff because of the urgency, and so scam communication will always be urgent. Here in Greece one of the most common scams is to call older people and tell them that "your son has had a car accident and we need 5000 euros right now to operate on him, bring the money in a bag".

2. (More general) When a person initiates a communication with you it is for his benefit, not yours. If it was for your benefit then you'd have initiated the communication to benefit from it. This is not only about scams but also about selling stuff or answering polls or whatever. Always be sceptical when somebody you don't know contacts you.

  • arewethereyeta 18 hours ago

    Greece is 20 years behind Romania with that scam

fkskammerz a day ago

Same exact scam happened to me three weeks ago and I almost fell for it. The guy was very sharp and sounded very authentic.

Ever since then I've been getting hundreds or thousands of Google notifications I've had to decline. Anyone know how people are able to send out hundreds of 2FA gmail notification popups without Google blocking this?

  • thenickdude a day ago

    This means you should still have the email from legal@, right? In that case you can solve the mystery of how they managed to pass DMARC by sharing the headers from it.

nzeid a day ago

> Google enabled Authenticator cloud sync by default.

Never understood this convenience and never will. This is exactly the wrong way to deal with people losing their authenticator secrets.

  • UncleMeat a day ago

    The convenience is that people don’t drop their phone in the toilet and suddenly lose access to all of their accounts.

    • drillsteps5 a day ago

      Why would you have passwords/credentials to your accounts (including financial accounts with tens of thousands of dollars) on a device that not only you can drop in the toilet, but also lose, or get stolen, or hacked? Do you have any idea what access all your cute apps have to the contents of your device?

      • hocuspocus a day ago

        Both mobile OSes offer pretty strong app isolation and mitigations against malware; most people don't need to worry about Pegasus-level threats.

        Google took forever before adding cloud-sync to their TOTP app even though pretty much all the other ones did it from day 1. And I bet a non-trivial amount of people got locked out of their accounts because they hadn't reliably stored recovery codes.

        Financial services are actually the least of your worries since you can get ahold of customer service and eventually recover your credentials even if it takes a few days and some snail mail. However if you lose access to Gmail or Facebook, good luck unless you know an employee.

      • nixosbestos 15 hours ago

        > Do you have any idea what access all your cute apps have to the contents of your device?

        Yeah, I do. Do you? Because it's certainly not what you're implying.

    • Flimm a day ago

      I agree. I wonder if there is a good compromise between convenience and security, though. For example, before allowing Google Authenticator to sync for the first time on a new device, maybe notify the user on all devices and enforce a 72-hour delay, or wait until the user approves the new device using an old device (in a way that is hard for a scammer to pass off as legitimate).

sega_sai a day ago

I always read these stories and worry that I will fall for something like this at some point. With all the complexity around authentication, 2FA, backup codes, text messages, cloud-sync, pass keys etc, I find it impossible to be confident that you won't be phished/spoofed/hacked.

  • briHass a day ago

    I worry more about aging parents/relatives, many of whom aren't exactly tech-savvy to begin with. Many of these scams are becoming increasingly sophisticated, at the same time that being able to perform verification in meat-space is disappearing (companies don't have local support reps that answer phones, etc.)

pea 20 hours ago

I got a nasty one of these recently. Attacker had my wife’s CC, and made purchases they knew would flag our bank and look sus and pop up on the app. Then I get a call from my “bank”, correct number, I ask them to verify and they say look at the number. All they ask for is the customer support code in my banking app to cancel the fraudulent transactions. At that moment I insist on calling back and they hang up, but I was very close.

layman51 a day ago

Can someone please explain to me what it means for authenticator codes to be “cloud-synced”? Is that solely dependent on whether you’re using the Google Authenticator app while signed in to your Google Account? Is it possible to not have them “cloud-synced” if you are signed in?

  • jazzyjackson a day ago

    Google Authenticator app defaults to backing up the TOTP secrets so if you log in on a new device you have them there. Pretty poor default for security, and you can disable it, but not the first time I've heard of this biting someone.

    • nipponese a day ago

      The risk of not syncing — when you lose/reset your phone, so does your OTP app. If you don't have backup codes saved, you're cooked.

      • themafia a day ago

        > you're cooked.

        I've lost 2FA codes. It's complicated but if you have a financial relationship with the vendor you're going to be able to get everything sorted out. I imagine as this happens more there will be common internal policies which aid customers in this situation.

        You have to weigh the amount of potential hassle against the value of potential losses. Why you would have $100,000 of value stored somewhere and only secured by a loose-lipped third party app is beyond me.

      • traceroute66 a day ago

        > The risk of not syncing — when you lose/reset your phone, so does your OTP app. If you don't have backup codes saved, you're cooked.

        Most clued-up places enable you to register a Yubikey as 2FA.

        So then it doesn't matter if you lose your OTP app and your backup codes because you've still got a Yubikey.

        (And those that don't allow Yubikey, almost certainly will have SMS as a secondary option).

        • jgilias a day ago

          You really shouldn’t use SMS 2FA. SIM swapping does happen. This kind of depends on the jurisdiction though. In some countries operators won’t reassign the phone number willy-nilly.

          Still, better to just not do SMS auth. These days Yubikeys are not that expensive. Get three, register them all at the most important places, and put one at a parents’ place or similar.

          • traceroute66 a day ago

            I agree entirely.

            But the point I was making was that IF the website does not allow Yubi THEN SMS is almost certainly available, and you should use that as a backup mechanism.

            Why? Some sort of backup mechanism is better than none at all.

        • ac29 a day ago

          > Most clued-up places enable you to register a Yubikey as 2FA. So then it doesn't matter if you lose your OTP app and your backup codes because you've still got a Yubikey.

          And what happens if you lose your Yubikey or it stops working? You're back to needing backup codes or an additional 2FA device

          • traceroute66 15 hours ago

            > And what happens if you lose your Yubikey or it stops working?

            That's why you own N+1 Yubikeys ;p

            Any place that offers Yubikey auth will enable you to register multiple Yubikeys against your account.

            In all my time on the internet I have only ever seen one place that allows Yubikeys but restricts you to one key.

      • Sayrus a day ago

        Which is why most apps with sync have two sets of credentials: one to login on the platform and one master password for encryption. That helps in those scenarios.

      • jazzyjackson a day ago

        An alternative to syncing is to add the TOTP code on multiple devices, so that losing one device is not catastrophic.

      • fortran77 a day ago

        Yes. There are other ways of syncing (I have images of the setup QR codes saved in an encrypted file) but most people wouldn’t be able to manage this.

    • layman51 a day ago

      You mean to say that if it were enabled on my Google account, then the TOTP numbers for my other accounts are visible via authenticating into Google Account on some other unknown device? Sounds like it could be convenient if you lose your phone, but still risky if an attacker can sign into your Google Account.

      • jgilias a day ago

        Yeah. And this is on by default. Without an additional secret.

  • tetromino_ a day ago

    https://security.googleblog.com/2023/04/google-authenticator...

    Google Authenticator can be local-only or synced to the cloud.

    In local-only mode, the authenticator is bound to a specific device. You can manually sync it to additional devices, but if you lose access to all those devices, it's game over: you will get locked out of whatever accounts you secured with the authenticator as the second factor.

    In cloud-synced mode, it's synced to your Google account, so if you lose your phone, you can restore the authenticator state. But if your Google account gets taken over, it's game over: the attacker has your authentication codes.

thayne 8 hours ago

I've noticed a lot more phishing emails making it through Gmail's filters recently.

A lot of them ultimately (if carefully inspected) come from @gmail.com addresses. And many of them look pretty convincing.

Did gmail change something for the worse, or have phishers found a new way to circumvent Google's spam filters?

everybodyknows 7 hours ago

> The attacker spoofed the “From” field ... On iOS, Gmail doesn’t let you view full headers, so I had no way to double-check in the moment.

Is this a victory of Google's UI designer's quest for a "clean look", over basic security essentials?

cannolicannon a day ago

This sounds like a classic account recovery scam where the scammer uses Google's account recovery feature to gain access to the account. Once they have the 2FA code, they're in. This time the scammer used an account takeover as the pretense for needing the code.

As for the email, this blog post ( https://sammitrovic.com/infosec/gmail-account-takeover-super... ) from about a year ago notes that somehow scammers were/are using Salesforce to spoof emails from Google that appear legitimate. Seems like something similar happened here, but there's no way to be sure without the headers which the scammer seemingly cleaned up.

The FTC reported that scam losses totaled 12.5 billion last year. These scams are elaborate and convincing even for folks who make a living in tech. ( https://www.ftc.gov/news-events/news/press-releases/2025/03/... )

At any rate, sorry this happened OP. Stay safe, folks.

stefap2 a day ago

I have a cell phone with an area code where I no longer have any connections or ties. Almost all the spam calls I receive come from that area code. By simply ignoring or blocking calls from that area code, I can avoid nearly all of the spam.

  • joshstrange a day ago

    I've enjoyed that state of affairs for over a decade but now I'm moving back to where my area code matches my physical location. I'm sad I'll be losing this easy filtering trick.

    On the plus side, iOS and Android now have features for auto-answering and filtering so thankfully I have that.

RandomBacon a day ago

Coinbase STILL doesn't freeze user accounts for a token amount of time, 24 hours or so, after resetting a password‽

Part of the blame should be levied on Coinbase if this is the case.

(I'm assuming this guy at least uses unique passwords...)

  • edm0nd a day ago

    Coinbase offers Vault though. You can lock your funds into a Vault and it takes like 2-3 days to unlock them + you have to get approval from multiple different email accounts to even begin the unlock.

    Coinbase has many ways to secure your account if the user enables them

    Also physical Yubi Keys would prevent anyone from withdrawing or stealing funds, as it would have to be plugged in and tapped to process them.

  • riffraff a day ago

    The attacker had the passwords and 2fa codes from the Google account so Coinbase couldn't really distinguish them from the right person (tho presumably for large transfers they may require some extra checks, dunno)

    • RandomBacon a day ago

      The article is poorly written and not clear. It sounds like you're suggesting the author let Chrome save his Coinbase password and Google synced that to the attacker as well?

      > Google had cloud-synced my codes.

      > That was the master key. Within minutes, he was inside my Coinbase account.

      The author wrote "codes", not "passwords".

      • sgerenser 21 hours ago

        The author clarified that he had enabled Sign in with Google on his Coinbase account. So if the attacker was logged in with his Google account, then they had access to his Coinbase account without needing a password.

        • RandomBacon 10 hours ago

          Isn't "Sign in with ______" (Google/Facebook/Etc) discouraged, because if for whatever reason Google/Facebook/Etc decides to ban your account, you can no longer log in to those services?

  • Havoc a day ago

    I believe you can lock it to specific outgoing addresses though & ones not on the list have a long delay - like a week

pjdemers 6 hours ago

I get 5 calls and texts a day about my Google and Coinbase accounts. So many that if either Google or Coinbase really did try to contact me, I wouldn't see it.

ninalanyon a day ago

Always confirm such things by calling the official contact number that you already have and asking about the case. Do this before you discuss the matter further.

Never act based solely on an unsolicited telephone call or email.

  • blueflow a day ago

    If someone calls and claims to be from a big tech company, it is always a scam and you are going to lose money.

carodgers a day ago

I don't understand. What combination of actions and app features allowed the scammer to send an email that is indicated to be from Google's domain?

  • davidscoville a day ago

    That's the big question. I've heard attackers have used Google's own tools like Google forms or Google cloud to send the email through Google's servers so it wasn't flagged. This is a major vulnerability that Google needs to fix. I'm quitting Google because I'm worried about other vulnerabilities like this.

1970-01-01 a day ago

The big tell was someone that operated via a telephone. Google would never do this.

  • bell-cot 21 hours ago

    Their Adwords people seem to, occasionally.

    At least when trying to drum up business from formerly-large accounts that have greatly reduced their spending.

    • arewethereyeta 18 hours ago

      Every 6 months. They also rotate on you to have a reason for calling again, out of the blue.

BXLE_1-1-BitIs1 a day ago

My favourite Pixel feature is Screen Call.

My primitive security precautions:

1. DO NOT use your Gmail for recovery. Use another email provider.

2. Use a family member's phone number for recovery.

3. DO NOT install your bank's app. Somehow the Royal Bank of Canada's app was used as an attack vector. If the RBC app can get hacked, smaller banks are even more vulnerable.

4. Use incognito mode on your browser for banking so a thief or hacker can't use your browser history to find out your bank.

  • adrr a day ago

    > 4. Use incognito mode on your browser for banking so a thief or hacker can't use your browser history to find out your bank.

    You can buy that information. Databrokers will sell it. Your bank sells your transactions.

wcoenen a day ago

Thanks for sharing. I already had it in the back of my mind that this cloud sync thing in Google Authenticator was not very secure. I'm getting rid of it right now.

I do see why Google did it; it's going to be difficult to educate users to always set up 2FA both on a primary and a backup device. Much easier and convenient to automatically sync different devices. But your story makes it obvious that something isn't quite right here.

  • jgilias a day ago

    Authy has solved this though. The cloud sync is opt-in, and encrypted with a password. This makes it immensely more involved to compromise.

    • wcoenen a day ago

      Ironically, Authy's cloud sync feature may have been what pressured Google to add cloud sync[1].

      And yes, Google could have added an extra encryption password. But users forget/lose passwords, especially if they normally never need them. So I can see why Google didn't go that route.

      [1] https://www.reddit.com/r/2fa/comments/pmow4k/switching_from_...

rslashuser a day ago

I'm super curious how this hack worked, but I feel like the story is just about the last step. What did the attacker have such that this last step did it?

My guess is that the attacker had the Google password, and also the login for Coinbase was somehow stored in Google, so the attacker getting into Google also exposed Coinbase. I just looked at Coinbase, and it does have a "Sign In With Google" feature.

If you want to live the stripped-down TOTP lifestyle, you have to love this 20 line Python solution. Does not depend on weird libs, and the last edit is 4 years ago. Write the seed on a Post-It and you're all set. Not so convenient, but sound sleeping! https://github.com/susam/mintotp

sjy 21 hours ago

I'd complain to Google about this, maybe through a lawyer if needed to get them to take it seriously. They won't accept full responsibility, and in general people need to be aware of the risk of spoofed email, but Google should be able to stop fake emails from google.com from appearing in a Gmail inbox. You'd think they would also have the ability to recover an email deleted immediately after an account takeover, or at least work out how the spoofed email was delivered from other internal logs. Google should investigate whether their negligence contributed to the success of this attack.

zargon a day ago

If you want to keep $100k in a crypto exchange, it doesn’t cost much comparatively to purchase a few yubikeys.

The thought of having all my online services centralized with a single provider for email, SSO, 2FA, and so on is scary. Especially at Google, where you can lose all access at the drop of a hat, with no recourse.

1f60c 14 hours ago

There are some weird things (like the fact that Google doesn't tend to call the owners of consumer-level accounts and the fact that the email is phrased very oddly), but wow.

I wonder, though, did "Norman" just guess you had tens of thousands in crypto lying around, or was this step two of a phishing attack?

cbdumas a day ago

> The attacker already had access to ... my Google Authenticator codes, because Google had cloud-synced my codes.

This was such an obvious mis-feature I can't believe they actually rolled it out. For those using Google Authenticator you can and should disable cloud sync of your TOTP codes.

  • Flimm a day ago

    I can understand it. Ordinary users were getting locked out of their accounts when losing their phones. Some of those stories hit HN.

    Don't disable cloud sync unless you have a backup of all your TOTP secret keys. It's dangerous to advise people to disable cloud sync without mentioning backups. Being locked out of thousands of dollars in your crypto account is as damaging as losing that crypto to hackers.

    • cbdumas a day ago

      In that case wouldn't you be better off just disabling 2FA? The problem with the cloud sync is that users like the one in the article think they have 2FA but in fact if their Google account is compromised all their accounts using Google Authenticator TOTP second factors are also compromised.

      • hocuspocus a day ago

        It's the same thing with Apple Passwords.

        TOTP isn't that great, you should definitely use a hardware and/or pass key for important and financial services. That said your cloud synced Google Authenticator can be behind a Google account with strong 2FA (i.e. not SMS nor TOTP), then it's mostly fine.

        The lesson here is really not to ever share codes you receive by SMS, and preferably disable phone as recovery and second factor.

tacker2000 18 hours ago

2 weeks ago, I got these SMS messages via the official Bitpanda SMS number (the one that sends you the 2FA normally):

——

Your sign-in code was successfully reset. If this wasn't you, contact us immediately on +43 1 3950657516

Reference: FPQ92

——

And this one:

——

You signed in from a new device in Beijing (China) through a Ledger Live API. If this is NOT you, call us on +43 1 3950657516

Reference: FPQ92

——

Looks completely legit and I was really spooked at first. I can see how people fall for this stuff.

citizenpaul a day ago

>I work in tech. I design authentication experiences. I know you’re not supposed to share verification codes!

To me this quote says so much about the crypto space, more than anything.

Also not shocked it was crypto theft.

  • SoKamil 16 hours ago

    What does it say about crypto space?

    • citizenpaul 3 hours ago

      Otherwise rational and educated people are willing to suspend disbelief about anything as long as it supports their crypto yacht dreams. In this case the concern that their yacht dreams were being lost. Which ironically caused their dream to be lost.

vkou a day ago

As soon as I read the headline, I knew that the problem was...

> In just 40 minutes, the attacker shuffled my staked ETH and other tokens through multiple transactions, then drained the account.

One of the many, many benefits of irreversible transactions.

> I made mistakes, yes

His first mistake was keeping six figures worth of 'cash' in a wallet that anyone with less than 40 minutes of access to can swipe.

  • fortran77 a day ago

    Also if you have crypto you should never mention anywhere that you do. No forums, social media, etc.

    • RandomBacon a day ago

      They still attack tech professionals living in California. Saying you have crypto will probably move you to the top of the list, but they'll still get to you eventually.

      My brother (a tech professional in California) does not have any crypto or social media, and attackers still stole his phone number, which they used to steal his email account, which they then tried to get into a non-existent Coinbase account. He was only out the time it took to get his phone number back (a couple of hours later).

nipponese a day ago

I get scam calls with Google in the caller ID everyday.

It kinda sucks that in 2025, voice calls are now near-zero trust.

Is there really no velocity behind any open/consortium replacement to traditional voice calls?

kerpal a day ago

Use a password manager and use a SEPARATE second factor authenticator not tied to the password manager. I personally use Authy (though I think it's been deprecated) and Bitwarden.

I recently got a Google scam call from someone using Google Voice in the bay area (650 number) claiming to be with Google and that an unauthorized device was trying to access my account. Eventually realized they were just trying to get me to unlock my account, probably to drain bank accounts.

  • icedchai a day ago

    Same. I don't store my 2FA with my passwords. I also use Authy. I'd like to move to something else, but as long as it's working... I was annoyed they got rid of the Mac app.

    • kerpal a day ago

      Same, the desktop app worked great. Probably for the best though, ideally you want to pull your codes from a phone and password from your desktop device.

      • icedchai a day ago

        Yeah, I won't argue that it doesn't make sense security wise. It does.

  • jp191919 a day ago

    Absolutely. If you are looking for a new 2FA/TOTP app, Aegis is good, also Proton Authenticator as it's independent of a Proton account.

anigbrowl 21 hours ago

Change your passwords today. Don’t wait. 16 billion passwords have leaked recently, and yours is probably among them.

Never share a verification code. Scammers use urgency and fear (“you must resolve this in the next hour”) to get you to act.

Based on the second warning, I've decided not to trust the first.

pipes 9 hours ago

Can someone explain how reading the code from the spoofed email compromised his account?

eviks 21 hours ago

> The attacker spoofed the “From” field so it looked like the emails came from @google.com — something Google’s filters should have blocked outright. On iOS, Gmail doesn’t let you view full headers, so I had no way to double-check in the moment.

How is this basic fail still possible?

stevage a day ago

I'm pretty shocked that Gmail will deliver mail that claims to be from @google.com . Is that really what happened?

  • dankwizard a day ago

    I bet, given the fact it is omitted and "lost", it was probably something like g00gle or googIe.

foofoo12 a day ago

I don't know what the Google Authenticator team was thinking, if at all, when they did that deplorable implementation of the sync feature.

One click on the "backup codes" on main screen and boom, no confirmation or anything. Your keys are in the cloud. I couldn't find a place to undo it. Article says it's enabled by default now. This is shameful.

fkyoureadthedoc a day ago

oof that sucks. Luckily I'll never answer the phone

  • traceroute66 a day ago

    > Luckily I'll never answer the phone

    One of the best features of Apple iOS 26 is the new call-screening feature[1].

    [1] https://support.apple.com/en-gb/guide/iphone/iphe4b3f7823/io...

    • nsriv a day ago

      Pixel Call Screen has been a godsend for me since its debut, akin to using uBlock Origin for browsing.

    • layman51 20 hours ago

      Would this actually work if it's more of a targeted attack? It seems like not, because they could just kind of lie to your call-screener.

    • edm0nd a day ago

      Apple once again just implementing ideas from Android lol

      This will be great tho to help cut down on iOS users and scams hopefully

atallahw a day ago

What account did the email actually come from? Was it legit from legal and he just submitted the request, or was it real spoofing?

  • fkskammerz a day ago

    It was not legit from legal, I had the same attack on me two weeks ago. They were pretending to be from Google General Counsel responding to an estate request to my Google account being handed to another party who was supposedly the inheritor.

    What clued me in was that he said he couldn't share the estate documents with me until I gave him my popup 2FA code.

    • layman51 20 hours ago

      Were there any further login attempts that they tried to do to access your Google Account? It almost seems like the attack being described in the article is very sophisticated that the attackers aren't just contacting random people but might have certain people in their radar.

    • edm0nd a day ago

      It was legit from Google email and servers.

      You cannot spoof an email from @google that will inbox

      • twostorytower a day ago

        They clearly did.

        • edm0nd a day ago

          You can trigger emails from Google on behalf of other users or use a platform like Google Cloud or Google Sites to trigger emails that come from real Google servers.

          This was not spoofed.

calmbell a day ago

The key takeaway from this imo should be to only use password managers with a secret key like 1Password.

neya a day ago

> On iOS, Gmail doesn’t let you view full headers, so I had no way to double-check in the moment.

This should be the real highlight of the issue here. I always check headers on my Samsung whenever I feel suspicious.

sgammon a day ago

why were you synchronizing your 2fa codes? that requires opt-in, even in the form of a signed-in google account combined with google authenticator as a choice of 2FA code storage

why were your coins not in a cold wallet? that is how you stop this permanently

why did you acknowledge any kind of inbound communication? ignore it. always. or call outbound to a confirmed number to make sure.

btw you were scammed out of $80k, as you admit in your article, the headline is misleading for seemingly no reason except the larger number

  • sgammon a day ago

    > an authenticator code is NOT a 2nd factor, if that user is using Google Authenticator.

    it is still a second factor, because it is something you have instead of something you know; it's just that you converted it to something you know when you read it and transmitted it to someone else

    all that being said, yeah, legal@google.com (as a homograph attack) should probably be blocked.

  • sgammon a day ago

    convenience is nearly always a tradeoff with security

endgame 21 hours ago

This is the world we're building for everyone, if passkeys + attestation get baked in everywhere and the bigtechs hold everyone's authentication keys.

jader201 a day ago

Why do people still answer phone calls from unrecognized numbers? Just don’t. If it’s actually someone that needs to reach you, they can leave a VM.

But 99.99% of the time, phone calls from unrecognized numbers are spam/scams.

jonny_eh a day ago

My takeaway is to never answer the phone when an unknown number is shown.

blactuary a day ago

He posted about it on Twitter and the replies are full of those "this company helped me get my funds back" scammers, hilarious

  • duxup a day ago

    Even HN has a few of those guys who just don't stop posting, they're banned so no harm, but man they keep at it.

wewewedxfgdf a day ago

If you're running a service with things of value, slow down big actions - please - like why allow large money transfers without an 8 hour wait period and extraordinary verifications.

dlenski a day ago

This is indeed a sophisticated and alarming attack, but…

> the attacker shuffled my staked ETH and other tokens through multiple transactions, then drained the account.

Live by the decentralized, irreversible, climate-destroying, scam-and-slavery-enabling currency, die by the decentralized, irreversible, climate-destroying, scam-and-slavery-enabling currency.

> Google enabled Authenticator cloud sync by default.

Adding that to the list of reasons I use FreeOTP instead (https://f-droid.org/en/packages/org.fedorahosted.freeotp)

p2detar a day ago

> On iOS, Gmail doesn’t let you view full headers, so I had no way to double-check in the moment.

Apple's Mail.app also doesn't allow this and it's driving me nuts.

like_any_other a day ago

> The attacker spoofed the “From” field so it looked like the emails came from @google.com — something Google’s filters should have blocked outright. On iOS, Gmail doesn’t let you view full headers, so I had no way to double-check in the moment.

Can somebody explain what exactly this means, and how it works?

  • goda90 a day ago

    No clue how it works functionally these days. But it reminds me of tricks we pulled back in high school programming class. Our school was using Novell NetWare, and some students were given email addresses for various purposes. We discovered you could edit the From field, so it would display any text as your name and then your email address after it to the recipient on Novell's email client. If you added enough text, including whitespace, it would push the actual email address off screen (I don't remember if you could scroll to it or not).

    We trolled each other in class with it a bit. But at one point some student not in our class sent out a mass email, which was against the rules. I replied with a From line as "Administrator" and a bunch of whitespace, telling the girl that she broke the rule and would be suspended for it. Our teacher made me apologize, and I was lucky that I didn't get into more trouble beyond that.

  • matsemann a day ago

    DMARC/SPF https://en.m.wikipedia.org/wiki/DMARC

    Basically, the from field on an email can be anything you want. It's like sending physical mail and using a fake letterhead with someone else's info, just type what you want. No verification.

    That's sometimes a good feature. Like, a third party provider can send newsletters on behalf of company A. But can also be bad, when used for phishing.

    However, the email doesn't just appear in your mailbox. It comes to your email provider by another server connecting to it and sending the email. SPF allows the owner of A.com to specify which IPs/servers are actually acting on their behalf. So if I get an email from something@A.com, I can look up and verify that the sending server is one to trust. If not, the email client should reject or warn the user somehow.

    • tryauuum a day ago

      DMARC does check the from field in the mail, so I don't know how could this happen

      • matsemann a day ago

        Yeah, sorry if that wasn't clear in my explanation. Without these in place, you will accept anything from anyone claiming to be @A.com, but with DMARC the whole point is to flag when they're only pretending to be.

  • opesorry a day ago

    Assuming I follow what you want to know, the wikipedia page on email spoofing should provide the info you desire. https://en.m.wikipedia.org/wiki/Email_spoofing

    I'm pretty surprised gmail didn't flag this at least. When I did it for a class in Uni, it always let me know that the FROM header didn't match the sender since that's a clear attack vector

    • like_any_other a day ago

      His phrasing is very confusing - claiming the "from" field was spoofed, but that if he could see the "full header", he could have spotted the spoofing.

      I would also assume something as prominent as the Gmail website/app for iOS, and the google.com domain, would have all possible email security features correctly configured.

      So.. is this not the case? Or is it, but due to bad UI, despite all this security, any schmoe can send email appearing to come from google.com, and I have to pore over unspecified details in the "full header" to spot a fake?

      • Avamander a day ago

        It could indeed be that some MUAs only display the comment section. In theory you can use a MIME from like '"Google <google@google.com>" foo@example.com'. Though most spam filters heavily frown upon garbage like that. Things like '"Foo (google@google.com)" <foo@example.com>' will likely pass though. (It's commonly done by shit forwarders.)

        Apple Mail does allow you to see the actual sender if you tap on the name though. Outlook has been way worse in that aspect, by not letting you see the full sender. At some point it even saved these fake addresses automatically in your address book if it matched a contact's name or something. (I couldn't find the thread about it right now, but it has been discussed elsewhere.) It's a disservice to everyone except attackers to be honest.

      • vehementi a day ago

        On obvious spoofs I see "legal@gmail.com <via scamdude@askjdfaskldfj.net>". I think he means that it didn't indicate the latter. And if the Gmail phone app hadn't failed to display headers, he could have looked.

  • throw_m239339 a day ago

    It's my understanding that emails have headers, just like http responses, and the app might have displayed that fake header instead of verifying the provenance of the email and displaying where it actually came from. So it is a UI/UX issue.

    • alaithea a day ago

      Why email clients have started hiding/not providing access to headers is beyond me. It seems like an anti-pattern. There have been many times recently where I've wanted to check the headers because an email was suspicious, only to find I couldn't.

cpncrunch a day ago

It would be helpful to see the relevant headers to understand how it was spoofed, and if it would have been obvious from looking at the headers.
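
A worked look at the headers the thread is asking about, added here as an example rather than anything the post's author or anyone in the thread provided. It takes three constructed messages (the Authentication-Results values in them are invented, not real Gmail output) and pulls out the two separate facts a full-header view gives you: the real addr-spec hiding behind the display name (Avamander's '"Foo (google@google.com)" <foo@example.com>' case, and the reason a client prints a "via" line), and which domain SPF/DKIM actually vouched for, which is what DMARC alignment is about:

```python
"""What the hidden headers say about who actually sent a message.

Added example; not code from the original post or from anyone in the thread.
The three messages are constructed for illustration and the values in their
Authentication-Results headers are invented, not real Gmail output.
"""
import email
import email.utils
import re

# Display name smuggles a google.com address; the real addr-spec is elsewhere.
# It authenticates fine, because the attacker controls google-support.example.
LOOKALIKE = """\
From: "Google Legal (legal@google.com)" <legal@google-support.example>
Authentication-Results: mx.example.org;
  spf=pass smtp.mailfrom=google-support.example;
  dkim=pass header.d=google-support.example;
  dmarc=none header.from=google-support.example

body
"""

# Header From really claims google.com, and nothing vouches for it.
BARE_SPOOF = """\
From: Google Legal <legal@google.com>
Authentication-Results: mx.example.org;
  spf=fail smtp.mailfrom=scamdude.example;
  dkim=none;
  dmarc=fail header.from=google.com

body
"""

# A genuine message from the domain, as the receiving server would mark it.
GENUINE = """\
From: Google <no-reply@google.com>
Authentication-Results: mx.example.org;
  spf=pass smtp.mailfrom=google.com;
  dkim=pass header.d=google.com;
  dmarc=pass header.from=google.com

body
"""


def parse_from(raw_message):
    """(display_name, addr_spec) of the From: header.  Clients that show only
    the display name are what make the look-alike trick work."""
    msg = email.message_from_string(raw_message)
    return email.utils.parseaddr(msg.get("From", ""))


def domain_of(address):
    return address.rpartition("@")[2].lower()


def parse_auth_results(raw_message):
    """spf/dkim/dmarc verdicts, and the domains they apply to, from the
    receiving server's Authentication-Results header (RFC 8601)."""
    msg = email.message_from_string(raw_message)
    header = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))
    results = {k: v.lower() for k, v in re.findall(r"(spf|dkim|dmarc)=(\w+)", header)}
    for key, value in re.findall(r"(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", header):
        results[key] = value.lower()
    return results


def aligned(domain, from_domain):
    """Simplified DMARC relaxed alignment: same domain or a subdomain of it."""
    return bool(domain) and (domain == from_domain
                             or domain.endswith("." + from_domain)
                             or from_domain.endswith("." + domain))


def assess(raw_message):
    """Return the facts a full-header view would let you check by eye."""
    name, addr = parse_from(raw_message)
    from_domain = domain_of(addr)
    ar = parse_auth_results(raw_message)
    # Addresses written into the display name that disagree with the addr-spec.
    smuggled = [a for a in re.findall(r"[\w.+-]+@[\w.-]+", name)
                if domain_of(a) != from_domain]
    spf_ok = ar.get("spf") == "pass" and aligned(ar.get("smtp.mailfrom", ""), from_domain)
    dkim_ok = ar.get("dkim") == "pass" and aligned(ar.get("header.d", ""), from_domain)
    return {
        "display_name": name,
        "real_address": addr,
        "real_domain": from_domain,
        "smuggled_addresses": smuggled,
        "authenticated": spf_ok or dkim_ok,   # vouched for *that* domain only
        "dmarc": ar.get("dmarc", "none"),
    }


if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("spoof", BARE_SPOOF), ("genuine", GENUINE)):
        print(label, assess(raw))
```

Run it and the look-alike message comes back authenticated, but for google-support.example, never for google.com; only the bare spoof fails SPF and DMARC outright. That is exactly the distinction a client hides when it prints the display name alone.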

throwaway7783 a day ago

I never pick up calls from numbers that I don't know. If it's important they leave a message. And if I think it is important, I call them back through official phone numbers

1970-01-01 a day ago

This is a great lesson on 2FA fundamentals. Picking time-based codes for 2FA is equal to picking something you know twice. That isn't strong 2FA. That is 1FA with an extra step (1.5FA). To make it all the way to 2.0FA, you must pick something you know (password) and a private key (Yubikey, smart card, etc.) that does operations in-situ, that cannot be computed anywhere else, to then match to an expected value on the server. It therefore isn't something you know twice. It is something you know + something you have uniquely generated.

  • beeflet a day ago

    Strong 2FA is holding your cryptocurrency in a multisignature setup instead of an exchange that holds your keys for you and can disregard the 2FA whenever it wants.

    The security bottleneck is the one institution that holds all of the responsibility. It cannot be fixed by giving more hoops to authenticate themselves to the one institution

    • 1970-01-01 a day ago

      3rd/4th party trust and has little to do with auth

elAhmo a day ago

Knowing how impossible it is to get hold of anyone at Google in case things go wrong, it is probably very safe to just assume they will never ever ever call you.

nottorp 14 hours ago

Holy Ahriman. Google does not call you.

Any call from Google is a scam.

nharada a day ago

One thing I really hate is that some companies with poorly designed customer service flows actually REQUIRE you to read a code they text you over the phone to a rep.

At least now more companies include a "never read this over the phone" note in their authentication texts.

mbesto a day ago

The first reason I knew this wasn't real is that Google doesn't have support...lol

dec0dedab0de a day ago

i always tell my mom that no legitimate business would ever call, email, or send a letter about anything.

sciencesama a day ago

I regularly check Reddit scams to know about the scams and I recently dodged one which wanted my details!

YuukiRey a day ago

The email has some obvious spelling issues. Not exactly a masterfully executed attack.

more_corn 6 hours ago

They reached out to you. Created a sense of urgency.

Let this be a lesson to everyone who hasn’t been scammed yet.

rkj93 21 hours ago

If you have not done it yet, file a case with the FBI

danr4 a day ago

the biggest mistake was thinking google actually provides customer support

edu4rdshl a day ago

> And Google helped it happen No, it doesn't, you were just stupid. That field has always been modifiable.

Every action you did is what you hear multiple times every week about people falling for phishing, and you continued.

Finally, it was just some crypto shit so not a big deal.

pglevy a day ago

> I answered.

I never answer the phone.

jbrooks84 a day ago

Do not answer unknown numbers ever. I repeat ever.

giveita 20 hours ago

Coinbase not doing MFA? That makes them the other kind of MFA.

But yeah, the tell with Google is if someone from Google calls you then you know it is a scam by the fact that Google called you. Google doesn't give a fuck about you. Even if you spend millions on ads.

tracker1 a day ago

As a rule, I never give any private or secret information on received calls. I had a doctor's office whose automated system would call and ask for my social security number, and I'm like, nope... not happening. Even when I knew it was likely legit.

Healthy levels of paranoia aren't so bad.

tiagobraw a day ago

just realized google auth cloud sync was enabled in my device even though I've never explicitly enabled…

so thanks for the advice!

ShrimpHawk a day ago

One wrong point in this. Google Authenticator does not cloud sync by default. You specifically have to accept the cloud sync option that you are prompted with.

lavezzi a day ago

Lucky for you Coinbase have set up a fund for people who got scammed through social engineering attacks due to their recent security fuckup.

Regardless of whether you received an email from Coinbase notifying that you were affected, the attack they suffered is much larger than they let on to the SEC.

https://www.coinbase.com/blog/protecting-our-customers-stand...

Dilettante_ a day ago

>Fall for spoofed email sender

>Keep your crypto on an exchange

This gets the same level of sympathy as a person without backups suffering from data loss.

  • jackconsidine a day ago

    I think that’s a pretty unsympathetic take. Hindsight is 20/20 but there are factors outside the author’s control (synced MFA, Gmail not detecting the spoofed address)

    • Dilettante_ a day ago

      Cloud sync is not out of one's control, and complaining that Gmail did not automatically detect the spoofed address is an inversion of assumption. It's like dropping your icecream and then being mad nobody caught it for you.

      Is the average user (someone who "works in tech" even!) really so uninvolved in their own security? Are they not expected to hold any responsibility whatsoever?

  • user34283 a day ago

    No more deserving than any other of the crypto cultists.

    Whether you fall for an elaborate phish, or if your Ponzi-token predictably loses value after your 'investment' was cashed out as an earlier adopter's profit, it's all the same to me.

    Alternatively your hardware wallet bricks itself or three of your disks fail at once.

    I don't care. You lost the money when you first exchanged it for worthless tokens.

londons_explore a day ago

This would probably have helped:

https://serverthiefbait.com/

  • loloquwowndueo a day ago

    No it wouldn’t have.

    OP said the Coinbase account was drained within “minutes”. Server thief bait can take up to 24h to notify you when someone takes the bait.

    > We'll put a tiny amount of cryptocurrency in a wallet, but probably still enough to attract the attention of automated scripts. We notify you when it's taken within 24 hours.

john_the_writer 12 hours ago

I've had a few calls where they are from legit places (I confirmed later) and they ask me to verify my identity. I counter that they need to verify who they are. They were confused and we couldn't go forward, because I wouldn't answer their questions until they answered my question.

dismalaf a day ago

The first clue should have been that you were talking to someone from a company notorious for not using real humans for customer support...

mvdtnz 13 hours ago

If you're gullible enough to "invest" in cryptocurrency you're certainly gullible enough to send your 2fa codes to a scammer.

insane_dreamer a day ago

I no longer answer calls from a number not in my contacts. If it's a real call that I need to take care of, I figure they'll leave a voicemail and I can decide whether I want to call back.

ajross a day ago

Something isn't adding up here. The author is excruciatingly rigorous with documenting lots of stuff here, including the screenshots. Then glosses over this bit awfully fast:

> So when he asked me to read back a code — supposedly to prove I was still alive — in a moment of panic, I did

This was an account with authenticator enabled. I'm no expert, but I really don't think there's a recovery process that works as simply as "read back a code". Certainly not in the SMS 2FA sense I'm sure we're all expected to interpret.

Honestly it seems like the author is trying to blame Gmail's UI, when some other more involved phishing technique was actually the novel part here.

  • InMice a day ago

    I also feel like the article doesn't completely explain what happened. Where is this code from?

    Did they send the fake legal email and at same time trigger a recovery code to be sent?

    Is this like the same thing in discord where they ask you for your email to join a server then ask you for a code sent to verify you own that email but really they submitted the email for password reset. The victim doesn't realize it's a real recovery code sent by Microsoft, etc instead in the moment thinking it is a "discord code". Once you submit the code in discord they have your account stolen in seconds.

    Is this what the article is attempting to describe?

  • LgWoodenBadger a day ago

    If the scammer is attempting to login to the actual account (which requires 2fa), asking the scammee for the code will allow the scammer to login and do all the things. The scammer is using the victim as the 2fa directly.

  • GioM a day ago

    I don't get this part either.

    if the scammers had spoofed the email, they would already have that code, and if they hadn't spoofed that email... I mean it looks like a case ID, why would they need it?

    Maybe the reading back the code was to get buy in, then there's a missing step here like they had him hit "allow" on a 2fa prompt. Or maybe the email was legit, since it references a "temporary code" and the case ID allowed access with that code?

    Good chance my reading comprehension is shot and I'm missing something, I suppose, but I don't understand.

    • ajross a day ago

      > Good chance my reading comprehension is shot and I'm missing something, I suppose

      That's more charitable than me. My UnreliableNarrator sense is tingling really badly here.

      • GioM a day ago

        Ah, I think I get it. Article says:

        > In the Gmail app on iOS, it looked completely legitimate — the branding, the case number, everything. Even the drop-down still showed “@google.com.”

        > So when he asked me to read back a code — supposedly to prove I was still alive — in a moment of panic, I did.

        The sentences do not refer to the same thing.

        The code was not in the email... The narrator was asked to read back "a code", not the case ID in the email. "A code" here refers to a 2FA push notification code. The email was used to rattle the narrator / build trust to get them to comply.

        • vehementi a day ago

          Yes, that is how I read it as well. Email was just for fun, and the code came by a different channel (of course). The email the scammer sent wouldn't contain a code they can use to take over his account (of course).

          • phendrenad2 a day ago

            Oh, the fake email also contains a code, so I thought that was it.

      • phendrenad2 a day ago

        I came to the comment section to see if anyone had (1) noticed this omission and (2) explained it. I see we're at 1 still...

pmarreck a day ago

Someone keeps trying to hack into my main Google account (I keep getting 2FA requests), which unfortunately was part of some early crypto activity and was traced back to me, and I don’t know what to do.

I myself can keep denying them but I have a toddler and if he accidentally accepts one of them, I’m screwed.

And since it’s impossible to reach anyone at Google, WTF do I do?

  • winterqt a day ago

    Is changing your password to at least stop {some of, all} the 2FA requests not helping?

    • pmarreck 3 hours ago

      It’s account recovery, not 2FA, my bad

  • lavezzi a day ago

    2FA or account recovery? I keep getting account recovery requests and it's pissing me off.

    • pmarreck 3 hours ago

      Account recovery, my bad

latchkey a day ago

Zak just posted this eye opening behind the scenes look at what these scammers are doing...

https://x.com/0xzak/status/1967592307714379934

mystraline a day ago

Another company that sends 2FA over SMS codes, then wants them over the phone is Family Mobile. It's a Walmart T-Mobile derivative.

It's not a GREAT carrier, but I have a legacy plan for unlimited everything at $20 a line.

But if I have to call in, they do send a 2FA SMS code, and require me to tell them over the call. It's absolutely ridiculous. But I've only had to call in 4 times in the last 9 years, so, yeah.

joe_the_user 17 hours ago

The scary thing is that the only filter people have now is "workflow". If someone calls you, you can't tell who they are, but if you call them, from a number you find on the official website (that you find rather than someone telling you), then they're likely legitimate.

But that's hard because many people work on markers of legitimacy, not algorithms.

mensetmanusman 20 hours ago

Is it an advantage of crypto that someone can rob you with no recourse?

monkpit a day ago

> I was doing yard work when my phone rang. The number showed up as Pacifica, CA — (650) 451-5708. I answered.

Ah yes, and all millennials are immune to the attack in one fell swoop.

Joel_Mckay a day ago

Spoofing email and phone caller ID is actually really common these days, but line-tapping is also active in some places.

Call the person's extension back from an out-of-band line, but after checking the contact phone number on the old web page or government business registry.

This is effective against most forms of line tampering, as targeting an unknown random line number is much more difficult to predict.

Most nuisance calls we get are the classic foreign operator message repurposed language translations trying to get people to "press 1 if you like ice cream" which bills 3rd party long distance calls. There was a local dubious calling card scammer arrested twice for this con. Just hang up, and report/block the number =3

sublinear a day ago

> On June 19th, my life changed with a phone call. I was doing yard work when my phone rang. The number showed up as Pacifica, CA — (650) 451-5708. I answered.

I'm not trying to undermine the idea behind this article, but I was raised to never answer the phone and that was in the 90s

jrflowers a day ago

Out of curiosity, does anyone know if there is any scenario where Google would legitimately call you? I assume the answer is no, but it would be interesting if some extreme edge case existed.

Edit: Obviously not “you work at Google and your boss calls you” or whatever

UltraSane a day ago

I was considering adding a page to my personal web page where people could add phone numbers for me to whitelist. I have been getting 5 to 15 spam calls a day recently so I essentially have to whitelist.

UltraSane a day ago

This is why I don't like cloud syncing OTP secrets. The hassle of migrating them is proportional to their security. They should only exist on one or more phones/watches/computers and on paper backups.

renewiltord a day ago

I get these inbound communications all the time and many banks actually use them to communicate with you. Each time, I have always sheepishly said "This is kind of how people get scammed right. Do you mind setting it up so that if I call back the account exec will know what to do? It's just I'd feel foolish if I got scammed this way" and then I end up calling back and with a little work get where I wanted.

I think the reality is that people think "Oh couldn't be me and am I going to be the weird security guy" so it isn't whether you know software and security etc. that determines it. It's whether you're willing to be embarrassed frequently in these conversations.

I've had the banks call me, Coinbase scammers call me, all sorts. I'm at the point where I block my own area code (which is from a different state where I have a few people whitelisted fortunately) and that's eliminated a lot of it.

I don't mean I can't be scammed. Just that perhaps some mitigation comes from being willing to be socially awkward and insisting to someone that you want to do it by the book.

Workaccount2 a day ago

>On iOS, Gmail doesn’t let you view full headers, so I had no way to double-check in the moment.

The most infuriating part of the story by far.

franciscojs 10 hours ago

TLDR: You should NEVER sync your Authenticator 2FA codes with a Google account.

blindriver a day ago

Sorry but it’s stupid to blame Google when it’s 100% your fault. This is a scam that is 10+ years old and you fell for it in 2025. It’s not Google's fault at all.

  • ycombinatrix a day ago

    It isn't Google's fault that an attacker was able to spoof mail from "legal@google.com"?

    • Avamander a day ago

      Proof of that remains to be seen.

      That being said, there are a few approaches that might leave such an impression to people unfamiliar with their email client.

    • arx_ a day ago

      The attacker doesn’t need to spoof anything, this is known as a homograph attack:

      https://en.m.wikipedia.org/wiki/IDN_homograph_attack

      https://www.xudongz.com/blog/2017/idn-phishing/

      • otterley 18 hours ago

        We don’t know yet that that’s what actually happened in this case.

        • arx_ 13 hours ago

          It seems likelier than a @google.com spoof landing in the person’s inbox.

          Without them providing the headers this is just idle guessing, but I’d argue my guess is likelier to be the truth.

      • eviks 21 hours ago

        If it's a known attack, Google has a known defence in its apps?

        • arx_ 13 hours ago

          Something being known doesn’t mean a solution exists.

          Computing the set of Unicode characters that would result in a homograph of a Latin alphabet word is non-trivial. Now do this for relevant/trusted domains, now put in place a mechanism to mark a domain as trustworthy that also minimises your liability.

          • eviks 13 hours ago

            > Something being known doesn’t mean a solution exist.

            But we aren't talking theory. In this case solutions exist, just not in this app?

            Also, the triviality point is puzzling, are we only allowed to criticize professionals for trivial fails? (though using a different font is one of the trivial mitigations)

            > that also minimises your liability.

            How is that a factor, what is their liability now without any mechanism and will it increase if they add some?

      • palmfacehn 19 hours ago

        Seems like a good use for the .google tld

    • blindriver a day ago

      Spoofing email addresses has been around since the 90s.

      • acdha a day ago

        Yes, and the industry has been responding to it since approximately 5 minutes after Canter & Siegel started cranking out that green card spam in 1994. We have SPF, DKIM, DMARC, etc. _and_ more importantly, the victim in this case was using Google's mail client to access Google's mail service so they don't even need complex protocols designed to inform 3rd parties about whether a message is legitimate. If Gmail refused to accept any messages claiming to be from google.com which didn't originate from their servers, it'd be quite defensible given the ratio of attacks to the handful of legitimate cases where someone needs to do something like post to an outside mailing list using their @google.com email address.

  • acdha a day ago

    This is like saying it’s not Ford’s fault that they didn’t put in seatbelts and safety glass because people knew driving was unsafe. When bad outcomes happen at scale, you need a system-level fix.

    EDIT: to be clear, the fix has arrived: had he used passkeys, this attack would have been impossible and every login would’ve been faster and easier. There are edge cases but this is literally the reason why U2F was created a decade ago.

    • blindriver a day ago

      The author knew that the scam existed and he even was skeptical. Then chose to rely on it being true despite all the red flags. That’s his fault.

      At some point people have to accept responsibility for their own stupid actions.

      • acdha a day ago

        Yes, they made a mistake. They were honest about that.

        A little secret which will help you in life: everyone makes mistakes, even people who don’t think they will, even you. Looking all the way back to last week and 2 major NPM hacks ago, you can get access to a lot of systems simply by hitting someone when they’re busy and distracted.

        • blindriver a day ago

          There's a difference between taking accountability for your mistake and blaming other people for your mistake. Blaming others when you are clearly in the wrong is reprehensible.

          • acdha a day ago

            That's a very harsh position to take and one I struggle to find support for in the post. I hope that you are never in the position where you make a mistake and others apply that standard to your response.

            • arx_ a day ago

              Per TFA

              Title: I Was Scammed Out of $130,000 — And Google Helped It Happen
              Heading: Google failed me in two ways
              Body: Google has become the vault of our digital lives — and that vault had cracks.

              If Ford adds seatbelts and you decide to take them off because they annoy you; when you get into a crash you can’t claim Ford failed you since the seatbelts weren’t forced upon you more.

            • blindriver a day ago

              It’s weird that you think blaming other people for your own self-admitted mistakes is acceptable.

              • acdha a day ago

                Good thing neither I nor the author did that, then.
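
Since the subthread above leaves open whether the sender was a plain spoof or an IDN homograph, here is what the second case looks like in code, added as an example and not code from the post or from anyone in the thread. The look-alike domain is constructed: "google" with both o's replaced by U+043E, Cyrillic small o. The confusables table is a hand-picked subset assumed for illustration, not the full Unicode UTS #39 data, and the trusted list is likewise an assumption:

```python
"""Tell an IDN look-alike domain from the domain it imitates.

Added example; not code from the original post or from anyone in the thread.
The look-alike below is constructed: "google" with both o's replaced by
U+043E, CYRILLIC SMALL LETTER O.  CONFUSABLES is a small hand-picked subset
for illustration, not the full Unicode UTS #39 confusables data.
"""
import unicodedata

# Cyrillic letters whose glyphs match a Latin letter in common fonts (subset).
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def wire_form(domain: str) -> str:
    """What DNS, SPF and DKIM actually see: IDNA labels, xn-- punycode for
    anything non-ASCII.  This never looks like google.com to a machine."""
    return domain.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}.
    One label mixing scripts is the usual signature of this trick."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Fold visually identical letters onto their Latin look-alike so that two
    domains that render the same compare equal."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def analyse(domain: str) -> dict:
    labels = domain.lower().split(".")
    return {
        "display": domain,
        "wire": wire_form(domain),
        "is_idn": wire_form(domain) != domain.lower(),
        "mixed_script_labels": [l for l in labels if len(scripts_in(l)) > 1],
    }


def impersonates(domain: str, trusted: list):
    """Name the trusted domain this one visually matches but is not, or None."""
    for good in trusted:
        if wire_form(domain) != wire_form(good) and skeleton(domain) == skeleton(good):
            return good
    return None


if __name__ == "__main__":
    trusted = ["google.com"]            # assumed allow-list for the demo
    for d in ("google.com", "g\u043e\u043egle.com"):
        print(analyse(d), impersonates(d, trusted))
```

The wire form is what the receiving server, SPF and DKIM operate on, so a message from the look-alike can pass every authentication check honestly: it really did come from xn--ggle-55da.com. The mixed-script test catches this particular construction cheaply; a label written entirely in one non-Latin script would pass it and needs the skeleton comparison against a trusted list instead, which is the part arx_ points out is hard to do in general.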

chinathrow a day ago

> The attacker already had access to my Gmail, Drive, Photos — and my Google Authenticator codes, because Google had cloud-synced my codes.

Don't do that. Don't put your 2FA anywhere other than in an unsynced app. Not in Bitwarden, not in any online account, nowhere else than "something you have".

  • gip a day ago

    Just wondering what is the plan in case this thing you have gets lost?

    And would you say that using something like authy with encryption using a totally unique password is safe?

    • cbdumas a day ago

      Typically you print out recovery codes and keep them somewhere safe

      • fsckboy 21 hours ago

        most thefts are inside jobs, so somewhere safe would be to give them to a total stranger