As the other comment said, they should go after all their customers too. I can't believe they are thefts out there paying other thefts for theft-services...
Unrelated, but at the start of the year, a lot of Payoneer customers from Argentina lost their savings in the platform* due to someone having access to the OTP codes. Payoneer said the error wasn't on their side, and evidence suggested that it was an error in Movistar, because all the victims were customers of that particular telco. As far as I know, Payoneer didn't return the money and Movistar was never charged or anything (rumours say it was a Movistar employee who sold SMS with the OTP).
And if you ask why a lot of Argentine people use Payoneer and keep their savings there, it's a bit long to explain, but basically it is their way to get paid in USD outside the country without paying taxes (fair and unfair ones) and without getting their payments converted automatically to ARS pesos using a bad rate.
"I can't believe they are thefts out there paying other thefts for theft-services..."
Completely seriously, you and everyone else reading this need to not just "know" this, but believe it and feel it.
Too often I feel like programmers are like fat 50-year-olds talking smack in the locker room about how doomed the other team is because they know the importance of MD5-hashing passwords in the database, and they have no idea they're going out onto the field against an NFL team.
Of course, where this metaphor breaks down is that these metaphorical lardasses will not be able to fail to notice them getting their asses handed to them, whereas in the security space, their real-world analogs may not even notice they were hacked.
It's brutal out there. Even the open source tooling is far more sophisticated than most people reading this realize, and that constitutes the baseline, not the top end. There's an underground economy, and it is sponsored by many entities with deep pockets, including large-scale criminal enterprises, some of which can rival "real" companies in scale, and government-backed operations of all sorts.
You're not up against a stray hacker bumbling into your system. If you've got assets worth anything, you're up against professional organizations. If you are responsible for anything that matters, take the threats seriously.
> Too often I feel like programmers are like fat 50-year-olds talking smack in the locker room about how doomed the other team is because they know the importance of MD5-hashing passwords in the database, and they have no idea they're going out onto the field against an NFL team.
why did you go out of your way to insult fat 50 year olds?
any NFL team would absolutely crush any allstar team of programmers in their 20s, even if they were selected for regularly doing triathlons and a lot of lifting. Any NFL team would beat the NCAA Division 1 champion football team. (for non-USA, that's a university team, the same teams that supply most of the players to the NFL, but only a fraction of even a championship team actually make it)
I wouldn't bet against a fat 50 year old retired NFL players team against any "we know MD5 squad"
You are only offended on behalf of hypothetical other people, seeing an opportunity to score political points.
Not only am I not impressed, I am disgusted. Being offended on behalf of other hypothetical people to score political points at other people's expense is a scourge on our culture.
I'm gravely naive to modern security methods (both defense and offence) but I work closely with some infosec guys in a big-fish company and they often share tales/experiences that I find fascinating because of their ingenuity and temerity.
Some examples:
We have had multiple attempts to use AI as imposters to convince well-wishing colleagues into doing things they shouldn't - a complicated technique that has seen success for the hackers on some occasions[0] - which requires infiltrating numerous accounts etc. This one is the "Hollywood romanticized" idea of hacking because it is in real time with actual people operating the stolen accounts, but using AI to mask their appearance and voice.
Sleeper infiltration - someone will find and breach an exploit, only to patch it, but leave a new backdoor. They then let it sleep for many months, eventually coming back to use it only to (attempt to) completely remove any trace of their presence. inb4 anyone says "ah but they probably copied/did something else you don't know about!" We've had those, too, but some really do just exploit, patch, then leave. Probably to deny someone else or something.
A really fascinating moment for me was watching a seceng spin up a honeypot; it took less than a minute for some attacks to start hitting it.
Absolutely, if there's a moderately anonymous way to get significant sums of money out of something, sophisticated attackers will spend significant effort and even % of funds to extract it. That includes bribery, phishing, spamming, as well as the usual hacking and cracking exploits.
As you mention, the other issue is that this is often invisible to (or even hidden by) those who created the system that allowed the extraction.
Talking about tooling, it’s kind of incredible how good John the Ripper is at cracking passwords. I think a lot of people would benefit tremendously from seeing how fast their “clever” tricks for coming up with passwords are demolished.
“If you got assets worth anything…” well, finally I am in a positive position for being monetarily poor. The other great thing about being poor is I had to learn to be a backyard mechanic to fix my own broken-down cars.
He wasn't calling you a fat 50 year old, he was just conjuring up a metaphor of an overweight middle aged guy thinking he can take on a pro NFL team. I thought it was a humorous way to convey the difference in strategies between corpo IT and organized cybercriminals, and the unearned confidence of the former.
> I can't believe they are thefts out there paying other thefts for theft-services...
Why wouldn’t there be? It’s not like an economy needs anything more than a medium of exchange and a kind-of-functional guarantee of nonviolence to arise. If you have that, you don’t need to arrange for a market, it will just happen, more or less. (Healthy or not is another question.)
Anyway, yes, there’s phishing for hire, bring-your-own-payload exploitation for hire, ransomware for hire, and of course DDoS for hire. Captcha solving for hire is legitimate enough to occasionally get posted on HN (and I don’t think it shouldn’t be). People’s residential or mobile internet connections for hire, hijacked via free VPN browser extensions and mobile ad SDKs, are legitimate enough to be sold via advertising conglomerates (but I think they shouldn’t be).
A market isn’t something you build, it’s something you have to actively prevent.
Another example of this phenomenon is "free" markets in prisons, where the currency is usually cigarettes.
Other places where freedom is limited have similar characteristics, I remember that we had a sort of food market when I was a child at a boarding school.
As a side note, France has a thing called “fiscal stamps” (timbres fiscales) which I had to use to pay a ~60€ government fee of some sort. One time I did it I paid online and got an A4 thing I needed to print out, which, OK, sure.
The other time I couldn’t do that for reasons I don’t remember and paid cash at a store to get one. What I got was a tiny thing that looks exactly like a small postage stamp of the standard almost-square shape (which is itself funny because all the actual French postage stamps I used were twice as large) except it cost the aforementioned ~60€. Needless to say, I was terrified I’d lose it the whole hour or so before I handed it over to a clerk.
Wikipedia tells me this was a common approach once[1].
There's a whole underground economy. I recall hearing a story of how one guy was busted who used to build an exploit kit and sell it to people for a cut of their earnings.
The craziest one I’ve heard of was the app Anom which was supposed to be for criminals to communicate securely and secretly. Except it wasn’t, it was actually controlled by the FBI. I’m part way through a book about it now and it’s pretty incredible how the FBI took it over and essentially became world police.
Just listened to the Search Engine podcast episode [1] where the author talked about this story. It's wild. The author (Joseph Cox) is also a founder of 404 Media[2], which is a great tech blog.
I tried to set up a bank account in Argentina, and I will admit it was to buy cheap digital PC and Xbox game licenses. Incredibly hard to do so as a foreigner.
> Many other countries make it super easy for foreigners to get bank accounts.
This is false and I challenge you to name these countries. Also, not certain about your definition of "super easy". I interpret it as say "hi" to the teller, give my ID and get my bank account.
It's about that easy in China. (In addition to your ID you also need an +86 mobile number, which you can get in about 5 minutes by showing your ID at a China Mobile store.)
Are we talking about a bank account or a digital wallet. Your experience is atypical: https://wise.com/en-cn/blog/how-to-open-a-bank-account-in-ch... That being said, I read about them making it easier for foreigners to open digital wallets (though that still says nothing about real bank accounts).
If you do know a bank/branch that supports opening for tourist foreigners with just an ID+Phone, my email is in my account page and I'd appreciate if you pass that info.
1. Get a +86 phone number at any China Mobile. You only need your passport and some initial (e.g. 100RMB) cash
2. I opened a bona fide ICBC account at one of the ICBC branches in Shanghai with that +86 phone number, passport with 10-year tourist L visa, 100RMB initial deposit cash, and using my hotel address.
Note that not all branch tellers know HOW to open an account with a foreign passport. Go to one of the larger branches, not the hole-in-the-wall ones. If one branch refuses you the account on grounds of a tourist visa, try another branch. It's not illegal, just not every worker knows the rules. Their electronic system is most definitely able to handle it. I was able to open the account at the 2nd branch I hit up.
They did not ask for proof of address, proof of work, or residence permit. I just told them I frequently visit China for business and may relocate in the future for work (true at the time, I was there frequently for my startup), and the dude was cool with that.
I was able to link that ICBC account to AliPay and WeChat and use everything normally, including flight, train, and hotel bookings. Access to day-to-day mobile payments was the main reason I created the account.
This was 2016, by the way, I don't know if anything has changed, but my account still works fine.
Caveats:
- Your +86 phone number will not work outside China and you cannot enable global roaming until you have had the number for 6+ months according to what I was told. So before you leave China, switch it to the cheapest phone plan and load the account with prepaid cash so that the phone number doesn't expire and disappear. If it disappears, your bank account's electronic UI may also become inaccessible (due to the stupid SMS verification) until you go back in-person to the branch and show them your ID and get it re-linked to a new phone number.
- After your passport expires, all bank transactions including WeChat/AliPay transactions will also fail. You will need to go in-person to a branch with your new passport to get that updated.
> I can't believe they are thefts out there paying other thefts for theft-services...
You might enjoy "Lying for Money: How Legendary Frauds Reveal the Workings of the World", which talks a bit about frauds as existing as a parasitic economy with its own parasites, etc.
I was in a call today showing scams around the world and it's insane how out in the open some of these scams are.
One was showing products advertised on FB at an extremely cheap price. You think you're buying a widget but instead deep in the language you're buying a weekly service that shoots up to $100 a week. If you call to complain against the company you bought from, they tell you they won't cancel as you signed a contract.
In this particular case the security researcher reached out to FB (privately; reporting it did not work) and showed the vast web of accounts buying ads and promoting it, which were soon banned.
It’s frustrating to me how broken the (automated?) moderation system is on Facebook (though for all I know every other social media is as bad, Facebook just gives more transparency as to what happens after a report).
You see tons of messages of just random new accounts, posting to strangers commenting on like a meme post, saying “I love your posts, I’d like to get to know you better, dm me on telegram…” or “I have earned $123,456 in 4 days thanks to the crypto genius Steve Bob [link to other fake profile]” - reporting them usually results in a “we didn’t take down the content” result. Any human knows this is pure fraud.
I think it's security by popularity: You can't be blamed if it's "industry standard". Meanwhile it's 10x less hassle than trying to get people to use an authenticator. Passkeys aren't perfect privacy wise (and everything google touches is suspect), but they are easy.
Not only that, but mandatory authenticators would also create a support (and security) nightmare the moment you stepped out of the upper-middle-class, privileged tech worker world.
They work great if you assume that everybody has a smartphone (as opposed to a feature phone), that they don't have their phones stolen every other month, that they know how to set up an authenticator app, that they'll remember to reconfigure everything properly when migrating to a new phone and won't immediately throw the old one away and so on.
This problem is made even worse by the notoriously bad UX of most authenticator apps, notably the lack of automatic iCloud / Google Drive backup functionality and their inability to automatically show the code on screen whenever it's needed.
The nice thing about SMS is that you can outsource most of the support burden to carriers, which have to handle it anyway. Carriers have the advantage that they usually speak the user's language, have an office relatively nearby, and can verify your government ID in person if need be.
> They work great if you assume [...] that they'll remember to reconfigure everything properly when migrating to a new phone and won't immediately throw the old one away and so on.
This would be a terrible assumption even for upper-middle-class people!
Did the carriers agree to take on this role of securing SMS messages for authentication? If I were a carrier, I would be actively fighting this nonsense.
The carriers basically have to do this anyway, one way or another, because people want to get their phone number back when something bad happens to their phone. This would be true even without SMS authentication.
A part of it is mandated by regulation, most countries require carriers to let their customers port their phone numbers out. When handling those port out requests, they don't necessarily have enough data to decide whether the request is legitimate or not, yet refusing such requests too often would draw the ire of regulators, which is something no carrier wants.
How secure do they need to be? It's a single ephemeral factor. Every cell tower a numbers station. Sometimes I relay my OTP code to my friends in FB chat if I think the number has cool properties. I don't tell them anything else about the sign-in, so my self-breach has a rather limited risk factor. Didn't that LifeLock guy advertise his SSN everywhere?
I'd say reliability counts for more in these cases, and SMS was designed for unreliability, like UDP. So I'd be more concerned about the relationships and gateways from MFA services to send out their codes, and ensure that they can be received in a timely fashion. This message will self-destruct in ten minutes.
> "You can't be blamed if it's "industry standard".
Thankfully, that's not true. Class action lawsuits can and do successfully target widespread industry malpractice. My first job out of college was as a paralegal, helping over 90 million American plaintiffs sue nearly every major life insurance company in the country for the previously common "standard behavior" of insurance agents convincing policyholders to periodically "roll over" their accounts, to the sole benefit of the agents and their employers. The settlement payout for each participant was typically meager -- but the malpractice was stopped.
> If Payoneer was using SMS based auth codes, then it was clearly Payoneer's error for doing something so incredibly stupid.
It's sort of ironic that the Krebs article indicates that these dudes were specifically targeting the "most secure" OTP methods we know: authentication apps, rather than SMS or email codes.
They were simply using social engineering and human trust to bypass the industry's best technical practices.
SMS and email are side-channel communications, so the attacker would need to intercept them, and hopefully suppress the legitimate receipt as well. I'd get kind of worried if my bank sent me an unsolicited code. But a consumer may be more credulous when their "bank" calls in to request one from them...
Schools really need to teach kids not to trust the identity of anyone who initiates contact with them unless they can physically see them in person and already know them personally. If the general population had this skill ingrained in them, all phishing scams would poof away into uselessness.
That's less of a scam and more of a personal responsibility problem. Like gambling, it doesn't necessarily involve any dishonesty, just encouraging you to imagine you'll sign up a lot of members or sell a lot of product. Further into the less-scammy direction is you buy a toy for your kid but he doesn't like playing with it. Were you scammed into buying a useless product? In a way, yes, but also there has to be some point where people are allowed the freedom to make their own mistakes.
A person could easily get the impression the UK didn't police crime online, simply because crimes like DDOS attacks, cryptolockers, cryptocurrency scams, identity theft, fake tech support callers and suchlike are all typically cross-border crimes where the police have basically no powers.
The reality is the police are more than happy to act when the criminals involved can be identified, and are under their jurisdiction, and you can get the attention of the right department - that's just a very rare set of circumstances.
The UK police do have powers though, accessing computer systems without permission or committing fraud is a crime in the UK regardless of geographic location under the Computer Misuse Act 1990.
The Act explicitly mentions prosecution of offences committed abroad.
It's just really hard to do anything useful when the perpetrators, even if identifiable, are never going to set foot in the UK nor any country which has an extradition treaty with it.
If they had committed a less sophisticated crime they probably would have because in the UK there is a lot of crime that goes completely uninvestigated by the police. For example if they had gone out and stolen a motorcycle, even if that bike was fitted with a tracker that would give the police a lead as to where they were taking the bike to remove the tracker, the police would (at least in my area) not even investigate. As in just give the poor ex-bike owner a crime number for insurance via email and not visit or follow anything up at all.[1]
[1] Source: I am that poor ex-bike owner and I know anecdotally my experience is not unusual. I live in a nice area and a person in my neighbourhood had the steering wheel of their car stolen (for some reason) again, the police did nothing.
> do something as stupid as this and think they can get away with it in UK
They did get away with it for two years (2019 to 2021) and the article states there are other small groups doing exactly the same thing right here right now, so it isn't that stupid to think you could get away with it if you are very careful (and at least a bit lucky) and know when to cash out & move on.
Here's me thinking that at that age, half way through university, I could slap together a web page that looked like it came from the 80s (in the naughts); if these guys had applied the skills used here to something decent they could have actually done well for themselves.
I am trying to think on how this could be mitigated and I am not sure there is a good way. Just before we even begin, using an unknown third party is a risk and companies have no problem using whatever providers. Just dropping OTP is not exactly ideal either so we are stuck between rock and a hard place.
TOTP is a simple and nice solution, but it is susceptible to real-time phishing attacks.
Webauthn is a more complex alternative and it is phishing-resistant, because each credential is tied to a domain, which means that a look-alike phishing website doesn't work. But you need to use a hardware token or a special service like Windows Hello or Apple's FaceID to manage your credentials. https://en.wikipedia.org/wiki/WebAuthn
That's true of SMS 2FA too, though, as well as many TOTP implementations. Being able to copy credentials to a new device is a major usability plus, consequently it is widely implemented.
Physical webauthn tokens are obviously better, but software webauthn is the second best thing. Software TOTP is a good bit worse, and SMS OTP shouldn't even qualify as a secure method.
Definitely, so for scenarios where I want the strongest possible 2FA, I use a hardware authenticator.
For everything else, WebAuthN based on a software authenticator is both more secure and more convenient than passwords, and realistically even than TOTP (having a higher takeover risk but lower phishing risk).
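To make the difference between the two 2FA styles discussed above concrete, here is an added example (not code from any commenter or from the WebAuthn spec) that implements RFC 6238 TOTP on top of RFC 4226 HOTP and then a deliberately simplified origin-bound challenge/response in the spirit of WebAuthn. The `register_credential`, `sign_challenge` and `verify_response` helpers, the `seed` value and the domain names are assumptions for illustration; the TOTP part is checked against the RFC test vectors. The point it shows: a relayed TOTP code verifies at the real site because the code carries no information about where it was typed, while a relayed origin-bound response fails because the authenticator signs over the origin the browser actually observed.

```python
"""Added example: TOTP (origin-agnostic) next to a simplified origin-bound
challenge/response (origin-aware). Not the thread's or any project's code."""
import hashlib
import hmac
import struct


# --- HOTP / TOTP, RFC 4226 and RFC 6238 ---

def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """Dynamic truncation of HMAC(secret, counter) to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps (clock skew)."""
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step), code)
        for k in range(-window, window + 1)
    )


def relayed_totp_is_accepted(secret: bytes, at: int) -> bool:
    """A look-alike site receives the user's code and forwards it unchanged.
    The verifier has no way to tell which origin the user typed it into."""
    code_typed_into_lookalike = totp(secret, at)
    return verify_totp(secret, code_typed_into_lookalike, at)


# --- Simplified origin-bound challenge/response (WebAuthn-like) ---
# Assumption: a credential is a per-relying-party key derived from a device seed,
# and the authenticator signs over the origin the browser reports.

def register_credential(rp_id: str, seed: bytes) -> bytes:
    """Credential key scoped to one relying party id (the server stores this)."""
    return hmac.new(seed, rp_id.encode(), hashlib.sha256).digest()


def sign_challenge(seed: bytes, observed_origin: str, challenge: bytes) -> bytes:
    """Client side: the key used and the signed data both depend on the observed origin."""
    key = register_credential(observed_origin, seed)
    return hmac.new(key, observed_origin.encode() + b"|" + challenge, hashlib.sha256).digest()


def verify_response(rp_id: str, stored_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute over its own rp_id with the registered key."""
    expected = hmac.new(stored_key, rp_id.encode() + b"|" + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def origin_bound_demo(seed: bytes = b"constructed-device-seed") -> dict:
    rp_id = "corpname.example"                  # assumed real site
    lookalike = "corpname-login.example"        # assumed phishing domain
    stored_key = register_credential(rp_id, seed)
    challenge = b"constructed-random-challenge"
    genuine = sign_challenge(seed, rp_id, challenge)
    # Relay: the look-alike forwards the real site's challenge to the victim and
    # forwards the victim's response back, but the victim's browser saw `lookalike`.
    relayed = sign_challenge(seed, lookalike, challenge)
    return {
        "genuine_accepted": verify_response(rp_id, stored_key, challenge, genuine),
        "relayed_accepted": verify_response(rp_id, stored_key, challenge, relayed),
    }


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"
    print("TOTP at T=59 (RFC 6238 vector):", totp(rfc_secret, 59, digits=8))
    print("relayed TOTP accepted:", relayed_totp_is_accepted(rfc_secret, 1_700_000_000))
    print("origin-bound:", origin_bound_demo())
```

The TOTP part reproduces the RFC 6238 SHA-1 vectors (`94287082` at T=59 with 8 digits), so it is the real algorithm; the origin-bound part is a teaching model, not a WebAuthn implementation, and real deployments should use a library that validates `clientDataJSON`, the rpId hash and the signature counter.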
I think the guy who stole my phone used one of these services. A couple of days later I received a notification with a temp code and then a URL where to enter it, as I had to confirm that the phone was mine since it was found.
Hackers had the banking customer’s login and phone number.
When they would log in to the bank, the service otp.agency would robocall the customer saying that someone was fraudulently accessing their account which was insidiously true, but then the resolution was false, the service would ask them to enter their one time passcode that was texted to them by the actual bank.
This is funny because SMS could already be intercepted via SS7 and is inherently insecure for one time passcodes that banks swear by, but this service wasn't doing that.
I'm convinced that the standard form of these text messages is wrong. A (legitimate) example I received recently read
Your CorpName verification code is 305825. Do not share this code. CorpName will never call you for this code.
It's clear CorpName is trying to defend against this exact sort of attack in the last two sentences, but it's boilerplate we've all seen many times before. Who reads it anymore? The bigger problem is unaddressed: "ABC verification code" is vague. This is security information devoid of security context.
A better written message would read,
A computer in Seattle, WA is logging into your account on the CorpName website. If this is you, enter 384909 to authorize.
Or,
A wire transfer of $300 to X has been requested using your debit card ending in 9934. To authorize the transfer, enter 468909.
I think asking people for authorization without atomically telling them what they're authorizing is properly viewed as a type of vulnerability.
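The comment above argues that a verification code should state what it authorizes. As an added example (not the commenter's code or any bank's implementation), the following sketches the server side of that idea: each code is issued for one named action, only a hash of code plus action is stored, the message sent to the user names the action, and verification fails if the code is presented for a different action, after expiry, or after too many attempts. `OtpService`, the `CorpName` wording and the sample actions are assumptions for illustration.

```python
"""Added example: OTP codes bound to the action they authorize. Not from the thread."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class PendingCode:
    code_hash: bytes       # hash of (user, action, code); the code itself is not stored
    action: str            # human-readable description that was sent to the user
    expires_at: float
    attempts: int = field(default=0)


class OtpService:
    """Hypothetical issuer/verifier that ties every code to one action."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 3):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.pending: dict[str, PendingCode] = {}   # one outstanding code per user

    @staticmethod
    def _digest(user_id: str, action: str, code: str) -> bytes:
        # Binding the action into the hash means a code cannot be replayed for another action.
        return hashlib.sha256(f"{user_id}\x00{action}\x00{code}".encode()).digest()

    def issue(self, user_id: str, action: str, now: float) -> tuple[str, str]:
        """Return (code, message). The message names the action being authorized."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user_id] = PendingCode(self._digest(user_id, action, code), action, now + self.ttl)
        message = (f"{action}. If this is you, enter {code} to authorize. "
                   f"CorpName will never call you for this code.")
        return code, message

    def verify(self, user_id: str, action: str, code: str, now: float) -> bool:
        entry = self.pending.get(user_id)
        if entry is None or now > entry.expires_at:
            self.pending.pop(user_id, None)
            return False
        entry.attempts += 1
        if entry.attempts > self.max_attempts:      # lock out guessing
            del self.pending[user_id]
            return False
        ok = hmac.compare_digest(entry.code_hash, self._digest(user_id, action, code))
        if ok:
            del self.pending[user_id]               # single use
        return ok


def demo() -> dict:
    """Constructed scenario: a code issued for a wire transfer is tried against a login."""
    svc = OtpService()
    wire = "A wire transfer of $300 to X has been requested using your debit card ending in 9934"
    login = "A computer in Seattle, WA is logging into your account on the CorpName website"
    code, message = svc.issue("alice", wire, now=1000.0)
    return {
        "message_names_action": wire in message and code in message,
        "wrong_action_rejected": svc.verify("alice", login, code, now=1010.0),
        "right_action_accepted": svc.verify("alice", wire, code, now=1020.0),
        "replay_rejected": svc.verify("alice", wire, code, now=1030.0),
        "expired_rejected": (lambda c: svc.verify("bob", wire, c, now=5000.0))(
            svc.issue("bob", wire, now=1000.0)[0]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the action text is part of what is hashed, the server cannot accidentally accept a code that was requested for one purpose to approve another, and the user sees in the message exactly what they are being asked to approve.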
The funny thing is, most banks that I've experienced will plaster warnings all over the SMS and apps not to give this information to someone who calls you etc.
The issue is that people are afraid (to lose their money) and aren't educated about the risks, and who/what they should pay attention to, so they hand it over anyway.
I think it works because banks have nonsensical security already
Even if you are educated, you’re still confronted with insecure security measures and stonewalled by the customer service agent that’s asking you to complete a measure, until you complete it
Getting a call with another nonsensical security measure would be onbrand
> I think it works because banks have nonsensical security already
Like FirstDirect changing the password requirements for their app from the already far from best practice "between 5 and 9 case-sensitive alphanumeric" down to "6 digits" and making a show and dance about this being "just as secure as before"…
Suffice it to say that I've spread my financial resources a bit more widely than that one organisation now (and I'm considering a more complete move, but a lot of the competition is no better). I want there to be more than my unlocked phone and six digits between the bulk of my money and anyone who wants access to it.
This is just so messed up. I’ve spent so much time trying to teach the more vulnerable people in my life how to protect their accounts, only to have their f’n bank call them up and ask them to do the exact opposite.
Yeah, my bank hasn't done it in a while, so I'm hoping they've sorted themselves out, but it happened a lot years ago.
They'd call me to confirm a payment and ask me to identify myself, it wasn't even a payment I was making at that moment. At least now with the current tech it's done via the app etc at point of sale.
Because they are convicted criminals. This isn't a case of showing photographs of suspects. They've all pled guilty.
Showing their faces accomplishes three main things.
1. It disambiguates them from people who share their names. You can now see that it isn't the Callum Picari you went to school with.
2. It acts as a warning to the community. You may have been a victim of these people, but not known their names. Seeing a photo might jog your memory and enable you to report further crimes.
3. It is a disincentive. If you are planning on committing a crime, you will know that your face will be in the media if caught.
False convictions are a completely different problem. Now, this is a good reason not to show suspects that are not found guilty, but once found guilty that's a different story.
Hence, if you're found guilty and it's false, you need an exoneration.