1. I believe it began with the hacker getting DOB/SSN.
2. Called the wireless provider, and the hacker forwarded all calls and texts to a burn phone. Eventually, the hacker ported my wireless phone to another provider/number (not sure which), and the phone registered to my provider did not work anymore. The landline phone was also forwarding calls to another number.*
3. The hacker gained access to email (as that email was also within the telco's site). At the beginning, the hacker did not reset the password. After I changed the email's password, the hacker was still gaining access to our emails, and he/she eventually reset the email, blocking my access. (The reason was that all the texts and calls were being forwarded to his/her burn phone, so he/she could reset the password anytime.)
5. Requested 2FA from bank.
6. Gained access to bank account.
This was over a course of 3 months. It was a nightmare to resolve, and the paranoia still remains. The hacker later went on to open several bank accounts. Fortunately, this was discovered early. The entire situation was communicated to the FBI, local police, and bank institutions, but I do not think anyone cared.
*I saw two numbers that were being used within my wireless account site to forward the calls.
> The entire situation was communicated to the FBI, local police, and bank institutions, but I do not think anyone cared.
Why would they care? It happens dozens of times a day, and the criminals are out of their jurisdiction.
If only the police, FBI, politicians, etc. could go after the banks and telcos to improve their security. But no... they see it as their job to destroy security, in order to make you "safe".
Did you file a report with the FBI? I once was scammed on eBay for a laptop worth $1200 around the year 2002. The local police did not get involved, so I went to the FBI website and filed a report. I thought nothing was going to happen. They eventually caught the guy and I got my payments in installments (restitution) over several years.
They won't go after an attacker if there's not a high amount of damage, like $250K or more. FBI guys are swamped with people calling, and there's just not enough agent time to go around. Same for bank fraud. Ever wonder how people get away with popping someone's bank account, transferring to another local account, and walking off with the cash? For a couple grand, no one's gonna spend the time and effort to track you down.
Liability for data breaches limited to companies over X size would be a good idea though.
Maybe we should increase the number of agents investigating this stuff, then? Fraud affects many more people than terrorism, but nobody gives the "there's just not enough agents" excuse for that.
Also, only investigating fraud when there's lots of money involved means we're only helping rich people, who need the least help. Losing less money doesn't mean less impact on someone's life if that's all they have.
Because people are more terrified of a random bomb hitting a random place once in a while than of their accounts getting hacked and then finding themselves in big trouble?
And yet then you see things like this [1], where the 4 year old case of a very minor eBay scammer is personally prosecuted by a state Attorney General. I guess it depends on who has time to kill. These two guys are looking at decades in prison for a scam that looks to have netted about $3K.
Why do you think he personally prosecuted it? His name's on the complaint, but it's on all the complaints referenced in their press releases. The press release says the case "was investigated and is being prosecuted by the Attorney General’s Fraud Unit".
Which is interesting because it should be the other way around. If you have $250k stolen, it is bad, but you are probably wealthy enough that you won't get into deep trouble or stress.
If your whole account is $2k it might be a different world for you, and you might be relying on it to pay rent or medical expenses, which is more serious than an investor not having access to his $250k.
I'm not saying it is fine to steal $250k from wealthy people, but poor people being affected (at $2k) is more urgent from a humanitarian perspective.
>> If you have $250k stolen, it is bad, but you are probably wealthy enough that you won't get into deep trouble or stress.
Or it might be your entire life's savings and if you can't get it back you kill yourself from the stress of losing 40+ years of work. It's very dangerous to make assumptions about other people's money.
I have all my life savings in a checking account. So in my case, if I got hacked and my money from that account were stolen, I would be in big trouble and would very likely have suicidal thoughts.
>>I'm not saying that investigating the $250k is not important; but just not more urgent than the $2k theft.
Absolutely not. Ignore the case where this 250k was your entire life savings (30-40 years of saving the remainder of your salary every month and slowly building savings for retirement).
It could be mortgage money which you are about to buy a house with, or it could be company money for payroll. Suddenly employees of a small business don't get paid. Those employees of course have to pay mortgage/rent/medical bills, and suddenly the paycheck they counted on doesn't come. This could affect many people in very negative ways.
I think $250k stolen should definitely get priority for investigation by agents over $2k stolen, as it is more likely to mess up many people's lives in a bad way.
Interesting. When two crimes both take similar effort to commit, and similar effort to investigate, I'm not sure if the higher dollar amount should be de facto prioritized.
I am going away from SMS-based 2FA where I can. For services where it is used, does anyone have opinions on using 2FA via SMS to a VoIP number with a provider who has better account security/authentication tools than most telcos (e.g. Google, etc.)?
The argument for giving more priority to higher amounts is that since criminals are stealing the money, they can commit more crime with more money (in simple terms: you can buy more drugs/guns with 250k than with 2k).
"I'm not sure if the higher dollar amount should be de facto prioritized."
Why not? Higher net worth equates to higher taxes paid - the 250k victim has been paying the investigators a more substantial sum, and should receive a more substantial response from them. "Size matters" sums it up to me.
That's not how modern Western societies work. Plutocracy has been tried, and found to be devastating for society, human dignity, and the human condition in general, not to talk about the rampant corruption it invites.
No, they are not. But ideally the advantage the 'richer' party has in influencing the investigators/judiciary to put forth more effort on their behalf is not written policy; it is corruption/cronyism. Should we create policy that prioritizes investigating the theft of a $100,000 automobile with more resources and severity than the theft of a $20,000 one, simply because the value is larger, or weight the effort based on the tax contribution of the victim? I would say absolutely not.
I guess the theft of a more expensive car should be investigated with higher priority because selling it gives criminals more money to work with and leads to more severe crime. A group that can steal and sell a Lamborghini likely runs a much larger and more organized operation than a group which steals and sells old cheap cars.
This is all guessing though, I'd love to see more data on it.
This assumes a linear margin on units of stolen cars to value. Smaller ticket items are easier to fence specifically because they are common. It's hard to sell the Mona Lisa. It's easy to sell a mass-produced TV. Cops would spot a stolen Lamborghini as soon as the APB comes in. Not so much for a Toyota Camry.
Yeah, and that's why I said that a group that can actually steal and sell a Lamborghini successfully should be investigated with more resources, since you are more likely to find a well-organised criminal organisation behind it; if they can shift Lamborghinis they can probably shift drugs and guns too.
We disagree then, I think they absolutely should prioritize that because of the tax contribution of the victim. If I pay someone $1000 for a job, and you pay the same person $100 for an opposing job - you should lose. That's only my capitalist opinion, but I don't think it's an unpopular one.
Probably disagree on some aspects, and I may not have chosen the best example, or clarified my position enough. In a situation where two parties are voluntarily engaging in competition (for a job applicant), the party who offers more value usually does win, and I think that's appropriate. And I support allocating resources to fight crime based upon the effect of the crime's proceeds in supporting or leading to further crime. In mandatory participation systems like public civil services I am for at least a baseline allocation of resources not directly correlated to the financial input of the particular recipient.
I was using Google Voice for this for a while, but if you are worried that someone may have access to your computer / email, then they may effectively have access to your Google Voice as well. voice.google.com
Taking money out of an IRA into your checking account is usually two clicks with my bank. I'd get a warning about losing interest if I take the money out, but I can do it anyway and the money is available instantly; for all intents and purposes it might just as well be in a checking account, and it certainly won't make any difference to an attacker who got into my account.
>>I'm not saying that investigating the $250k is not important; but just not more urgent than the $2k theft.
I'd argue that it's a lot more urgent. What if you were paying for a house tomorrow, and the money is gone, so you lose the house? Or you are a small company that has to pay its tax bill for the year, but the money is gone? Or you have to pay for an expensive operation that won't go forward otherwise?
2k is not as important in the sense that if you are really short of 2k, then there is a plethora of options to come up with 2k on short notice (some astonishingly bad, like payday loans, but there are options), while if you are out of 250k and need 250k then most likely you are absolutely screwed.
Again, to repeat my final point - don't make assumptions about people's money.
We are in dire need of specific cyber security public divisions that people can go to. The FBI, I believe, will have many problems to deal with, and as far as I know there isn't any cyber-police division capable at the city/state level.
At least nothing capable of handling incidents like the one mentioned above. The debate over whose job it is can get hairy. Especially with the future where the internet is becoming more pervasive, there can be more damage.
The FBI claims jurisdiction over crimes committed by foreign nationals against Americans. It's just hard to investigate and arrest individuals who aren't on US soil, but not absolutely impossible. They arrested a Russian ID thief a while back, but they had to lure him out of Russia to do so, as the Russian authorities didn't cooperate.
There is a direct correlation between security and fraud-related interest/insurance in regards to the cost of use and exposure to fraud.
They aren't out to "destroy" your security; it's a liability threshold calculation. At the end of the day, secure yourself in life; this includes choosing banks that are more stringent based on your needs and what you want to pay.
Most Dutch banks (except for ING, which does still use SMS) use hardware devices that use the chip on your debit card to authenticate. You unlock the chip with your PIN, enter the challenge code supplied by the banking website for the transaction, and the device shows you a one time code you enter in the banking website. This is a decade old technology that works rather well.
Same in Ireland. In France I've also seen a combination of SMS and pre-shared secret (SMS asking for a code from a grid printed in a small card you can store in your wallet).
I don't know but I've been using this technique for a year or two now with great success. The Google authenticator just stores its secrets in the salute db every app gets.
Autocorrect kicked in there... sqlite* (it is absurdly difficult to put an asterisk at the end of a message on HN. it seems to require a trailing whitespace[1] for it to show up, however the input is trimmed, so...)
I have not, but I have extracted the backup with https://sourceforge.net/projects/adbextractor/ and inspected the contents, visually confirming the secrets are there. Even if a restore doesn't work, I can re-enter them manually from the information in the sqlite database. However I fully expect a restore to work.
That's exactly why I copy and save every 2FA QR code in my KeePass database, along with backup codes. Phone changed? No worries, install Google Auth, rescan those QRs, and voila, your 2FA system is back and running !! :)
Most 2FA services that allow authenticators offer recovery codes. I keep the recovery code saved in my password manager, and if I ever lost my phone I'd use that to log into the site and then get a new QR code.
Yes, that's also a way, but why not save the QR code the first time you see it, instead of losing it, resetting with a recovery code, and then again getting a new one? Recovery codes are fine, and should be kept safe and such, but the original QR code can also be saved as a screenshot. That way, phone lost? Open the database, load the QR code, scan it on the new phone.
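The comments above treat the saved QR code as a backup; what it actually contains is an otpauth:// URI carrying the shared secret in base32, and anyone holding that URI (a screenshot, a password-manager entry, or the authenticator's sqlite database) can generate exactly the same codes. The following is an added example, not code from the thread: it parses such a URI and regenerates codes per RFC 4226 (HOTP) and RFC 6238 (TOTP). The function names, the sample URI and the verification window are my own assumptions; the secret used is the published RFC test secret, not a real credential.

```python
"""Parse a saved otpauth:// QR payload and regenerate its TOTP codes.

Added example. The URI layout follows the de facto Google Authenticator
key-URI convention; the code derivation follows RFC 4226 / RFC 6238.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226 / RFC 6238 test secret "12345678901234567890", base32-encoded.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed sample of what a provisioning QR code decodes to (not a real account).
SAMPLE_URI = (
    "otpauth://totp/Example%20Bank:alice%40example.com"
    "?secret=" + RFC_TEST_SECRET + "&issuer=Example%20Bank&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth://totp/... URI into its parameters (defaults per the key-URI convention)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [""])[0],
        "secret": q["secret"][0],
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def _decode_secret(secret_b32: str) -> bytes:
    """Base32 secrets in QR codes are usually unpadded; restore padding before decoding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: float = None, digits: int = 6,
         period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period), digits, algorithm)


def verify_totp(secret_b32: str, code: str, at: float = None, window: int = 1,
                digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> bool:
    """Server-side check: accept the current step or +/- `window` steps (clock drift).

    Every candidate is compared in constant time and the loop never exits early.
    """
    at = time.time() if at is None else at
    base = int(at // period)
    ok = False
    for step in range(base - window, base + window + 1):
        ok |= hmac.compare_digest(hotp(secret_b32, step, digits, algorithm), code)
    return ok


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    now = totp(p["secret"], digits=p["digits"], period=p["period"], algorithm=p["algorithm"])
    print(f'{p["issuer"]} / {p["label"]} -> current code {now}')
```

The point for a backup strategy: the secret in the URI is the whole credential, so a screenshot of the QR deserves the same handling as the account password, and rotating the secret (a fresh QR from the site) is the only way to invalidate a leaked copy.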
I have used Yubico's U2F key since shortly after they came out (Nov 2014). They are very robust and relatively cheap. Moreover, in contrast to some cheaper keys, they require physical confirmation by a finger press.
"What is better? Authenticator apps/hardware devices?"
Mobile signature (SIM-based)(0) is the most secure method as far as I've seen in banks. Citing wiki: "supporting the authentication on the Internet with a parallel closed network like mobile/GSM and a digital signature enabled SIM card is the most secure method today against the man in the middle attack."
The ACH model is fundamentally insecure: anyone who knows your account number can pull money from it, and the protocol makes no allowance for the bank to check with you first. I don't think choice of bank matters very much.
You can manage your risk somewhat by:
1) Using credit and not debit cards for day to day spending.
2) Maintaining your long term wealth in separate accounts at separate institutions and not linking them directly to anything except your checking account. This minimizes what can be stolen if your checking account is compromised, and makes it less likely that your savings can be stolen directly (the account number is used in fewer places).
3) Turning on all the alerting and notification settings you can find, so that you'll hear about unauthorized activity immediately.
I read somewhere that companies that do a lot of ACH payments use different accounts for receiving and sending payments. The receiving account is locked so that it can't send and the sending account is supposed to stay secret. I don't know if that actually works in practice, though.
Yeah but for 90%+ of transactions, if you are being paid by a company, you can almost always request a paper check instead of an ACH transfer (sometimes with a fee). In that case they either have yet another account for check writing (which won't be "secret") or they give away their "secret" ACH account.
Why do they keep that system? In most of Europe you have a "normal" banking system where you can give everyone your account number, and the worst thing they can do is put some money there.
In US it seems #freemarket is putting externalities (security) on the customer.
ACH is a service of the Federal Reserve, actually.
It also provides wire transfers, which are a little more secure because they're push only, but also less secure because they're instantaneous and irreversible. All banks charge at least ~$15 per transaction and they're really only used for high value, time sensitive deals.
For SEPA-DD, 8 weeks is for a no-questions-asked refund; in general for non-authorised payments you have 13 months to request a refund, but if it's 8+ weeks they can verify the lack of a direct debit mandate beforehand. It seems to be the policy of most banks that they'll refund immediately anyway and let the merchant handle the problems.
So what? If someone sets up a direct debit, he can just cancel it and get the money back. Of course it will take a bit (a few seconds with online banking nowadays), but you wouldn't lose any money. There's no way someone can get money from a UK bank account by just knowing the account number, assuming that you check your account regularly.
I had somebody buying products on Amazon using my company's IBAN numbers. Amazon were super frustrating to deal with. They kept asking for my amazon account details and I kept explaining that the company doesn't have an amazon account. They didn't know how to proceed ! But in the end they did reverse the charge.
My girlfriend had somebody buying groceries using her numbers. They just wrote the numbers in and signed the sheet of paper at the store. The store refused to take responsibility for doing this without ID-ing the person. The police were more understanding.
My CEO went to a local large bank and demanded as a condition of his business with them that they have an out-of-band communication (a phone call or SMS or whatever) with him before any outbound wire transaction can be attempted. They rejected his condition because they interpreted it as both (1) added liability due to all of the customers that could potentially claim they should have been similarly protected and (2) too much effort/cost/resources/whatever.
I don't deny that there are _corporatist government regulations_ (which largely prevent the best qualified engineers/entrepreneurs from wanting to tackle the consumer fintech problems), but banks are dragging their feet and the #freemarket hasn't developed a viable alternative yet.
The business model of all fintech is to ensure straight-through processing for as close to 100% of transactions as possible; if you have slightly more manual processing than competitors, then you can't be competitive price-wise.
A requirement "out-of-band communication [..] before any outbound wire transaction can be attempted" easily turns the processing cost (not price) from $0.02 to $20+ per transaction, a thousandfold increase, and that's assuming that this'd be offered as standard product and not a special case for a single customer.
If it's not made a standard product, then it's really painful: it would mean that either the whole staff and systems would have to be trained for that customer's needs (not likely unless you're bringing in 10+% of the whole bank's revenue) or the customer wouldn't be able to use any standard banking channels ever, not the normal branches, not the normal online services, not the normal call centres, only directly through your private bankers.
I never experienced this directly, but when Chip'n'Pin first came out, wasn't it the case that some European banks held customers responsible when it got hacked? The theory was apparently that it was "impossible" to hack Chip'n'Pin so something must have been the customer's fault...
Isn't it still impossible? You can only hack it if you can guess the PIN or in cases where the victim wrote it on the card. The latter happens quite often and this is where banks sometimes refuse to pay.
If you keep your PIN secret it's a very secure system (unless the attacker is very lucky).
> 1. I believe it began with the hacker getting DOB/SSN
We [the US] dramatically over-rely on SSN. At least one upside to ubiquitous biometrics will be that we can start layering more authentication measures in an effective and consumer friendly way.
Relying on it is not the problem. Treating it (or "date of birth" or "mother's maiden name") as a secret for use in authentication is a big problem. These things are not secret, and having me say mine does not prove that you're talking to me.
In my (shared) office, everyone knew each other's last 4 SSN digits, because whenever on the phone to some random customer service rep, we had to give them to "authenticate".
It would be just fine to rely on the SSN as an identifier, even at a much larger scale than the USA does now, if only it were clearly assumed that this number isn't secret.
Yeah, identity theft is one of those crimes where the authorities don't really care. It can be quite lucrative for the folks carrying it out since there are no consequences.
The police are so overwhelmed, and typically it is out of jurisdiction, so their options to prosecute are 0 to none.
The only way to guard against it is to keep your footprint small and give as little info as required.
> Yeah, identity theft is one of those crimes where the authorities don't really care.
There is no such thing as "identity theft". You can't steal who someone is, that's bullshit. It's rather some party not making sure it's actually you they are talking to, and then claiming that you are responsible for it anyway because they fell for someone else's scam.
Unfortunately, it doesn't work that way. The Uniform Commercial Code (in the US) has provisions about what constitutes accepting an instrument of payment taken in good faith, and that indemnifies a business. Maybe those laws should not exist and insurance should be the mechanism to cover loss stemming from fraud, but it doesn't work that way.
The problem with the phrase "identity theft" is that it puts the onus of security onto the consumer to secure their personal details instead of onto the bank/telcos/etc to secure their systems.
We should call it what it is: fraud. Whether that's bank fraud, computer fraud or wire fraud, banks should be responsible for compensating individuals for the losses incurred. One way to encourage this change is a change in the language we use surrounding these crimes.
> The problem with the phrase "identity theft" is that it puts the onus of security onto the consumer to secure their personal details instead of onto the bank/telcos/etc to secure their systems.
And it's really even worse than that, as you are assigned blame for something that the party blaming you is itself forcing you to do. Like, they won't open an account for you unless you tell them your SSN, but then they blame you if you don't keep your SSN secret.
It's reasonable to some degree to expect that you keep your password secret. It's a different thing altogether to take information that is unavoidably known to lots of parties, or in many cases even outright essentially public info (like, stuff you can just buy as a database) as proof of identity, and then insist that you are legally responsible for a contract or whatever they made with someone who knew your DOB or something.
It's really not much different than just throwing darts at a phone book, and then pretending that the fact they hit your name proves that you now have a contract with them ... no, it doesn't, and it's your fucking problem if you think it does.