> In just 40 minutes, the attacker shuffled my staked ETH and other tokens through multiple transactions, then drained the account.
One of the many, many benefits of irreversible transactions.
> I made mistakes, yes
His first mistake was keeping six figures worth of 'cash' in a wallet that anyone with less than 40 minutes of access to can swipe.
My brother (a tech professional in California) does not have any crypto or social media, and attackers still stole his phone number, which they used to steal his email account, which they then tried to get into a non-existent Coinbase account. He was only out of the time it took to get his phone number back (a couple of hours later).
Can somebody explain what exactly this means, and how it works?
We trolled each other in class with it a bit. But at one point some student not in our class sent out a mass email, which was against the rules. I replied with a From line as "Administrator" and a bunch of whitespace, telling the girl that she broke the rule and would be suspended for it. Our teacher made me apologize, and I was lucky that I didn't get into more trouble beyond that.
Basically, the from field on an email can be anything you want. It's like sending physical mail and using a fake letterhead with someone else's info, just type what you want. No verification.
That's sometimes a good feature. Like, a third party provider can send newsletters on behalf of company A. But can also be bad, when used for phishing.
However, the email doesn't just appear in your mailbox. It comes to your email provider by another server connecting to it and sending the email. Spf allows the owner of A.com to specify which IPs/servers are actually acting on their behalf. So if I get an email from something@A.com, I can lookup and verify that the sending server is one to trust. If not, the email client should reject or warn the user somehow.
I'm pretty surprised gmail didn't flag this at least. When I did it for a class in Uni, it always let me know that the FROM header didn't match the sender since that's a clear attack vector
I would also assume something as prominent as the Gmail website/app for iOS, and the google.com domain, would have all possible email security features correctly configured.
So.. is this not the case? Or is it, but due to bad UI, despite all this security, any schmoe can send email appearing to come from google.com, and I have to pore over unspecified details in the "full header" to spot a fake?
Apple Mail does allow you to see the actual sender if you tap on the name though. Outlook has been way worse in that aspect, by not letting you see the full sender. At some point it even saved these fake addresses automatically in your address book if it matched a contact's name or something. (I couldn't find the thread about it right now, but it has been discussed elsewhere.) It's a disservice to everyone except attackers to be honest.
What clued me in was that he said he couldnt share the estate documents with me until I gave him my popup 2FA code.
You cannot spoof an email from @google that will inbox
This was not spoofed.
One of the best features of Apple iOS 26 is the new call-screening feature[1].
[1] https://support.apple.com/en-gb/guide/iphone/iphe4b3f7823/io...
This will be great tho to help cut down on iOS users and scams hopefully
Yeah, I would be curious to see the actual email headers of what was received.
As an aside, fun fact, this would not be possible with @apple.com because Apple employees have old-school S/MIME signatures as an additional security layer.
In theory, third-party places like gmail could (should ?) automagically verify S/MIME sigs where a root cert is readily available.
There's no system in place to warn the user when there is no signature and that there should be one.
A few do, but most do not, and certainly Apple's automated-system e-mails do not.
https://undercodetesting.com/how-email-spoofing-exploits-spf...
~ dig _dmarc.google.com txt +short
"v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"
Deprecating SPF would do everyone a favour though. Especially for reasons like these.
Google owns and manages all of this, so they can send emails with a google.com MAIL FROM, a google.com header, and signed with a google.com DKIM key. And they could do likewise with gmail.com emails.
I'm not clear on why this isn't practical, perhaps there is something I'm missing though? I would appreciate your viewpoint.
Edit: I see you added a point about forwarding.
Your MTA can still check alignment for both HELO and SMTP From as specified by SPF's RFC(s) though and spam filters often do for extra information/signal.
DMARC's adkim/aspf basically aren't supported in practice. Nor should they be. For reasons already mentioned, as you already read.
Yes, SPF (the original design) is horribly broken and trivially bypassed. The most prominent design flaw is that the inbound SMTP service uses the SMTP (rfc5321) MailFrom address for SPF validation, which is not the same sender address shown to the recipient, they can only see the message (rfc5321) 'From' header address. SPF originally didn't require the domains in the MailFrom and From addresses to match, so an attacker would simply use a domain they control in the MailFrom address, and the 'spoofed' domain in the From header.
That was 10 years ago though. DMARC fixed this by adding the alignment requirement, meaning that the domains in the MailFrom and From address must match. By default the alignment policy is 'relaxed', meaning that the MailFrom and From domains can differ in subdomain, as long as they share the same organizational domain. Setting the SPF alignment to strict (aspf=s) like you mention in your post requires the domains to match exactly, with no subdomain differences allowed.
So, it doesn't matter that Google doesn't use strict SPF alignment in the DMARC policy, the fact that they have DMARC already adds the requirement to SPF validation that the domains must match.
Yes, google.com and gmail.com use the same IP ranges in the respective SPF policies, but Gmail will never allow you to send email from addresses at a domain that you do not own. This is why domain validation is required when you set up Gmail with a custom domain.
The only scenario where your explanation would hold up, is if the attacker was able to gain control of the DNS of a subdomain of the google.com domain, and successfully validated it as a custom domain in Gmail, then send emails from that subdomain in rfc5321.MailFrom address and the google.com domain itself as the rfc5322.From domain.
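The SPF lookup described further up the thread (is the connecting server allowed to act for the MailFrom domain?) and the DMARC alignment rule explained in the comment above are easier to see in code. The following is an added example, not code from the thread or from any of the providers discussed: a minimal DMARC evaluator that takes the three identifiers a receiver has (the rfc5322.From header domain, the rfc5321.MailFrom domain SPF was checked against, and the d= domain of any passing DKIM signature) plus the published DMARC record, and says whether the message passes. The record used is the google.com one pasted above; the message scenarios are constructed, and org_domain() is a simplification (last two labels) where a real receiver consults the Public Suffix List.

```python
# Added example, not from the thread: a minimal DMARC evaluator showing why
# the pre-DMARC SPF trick (attacker's domain in MailFrom, google.com in the
# From header) no longer passes, and what relaxed vs strict alignment changes.
#
# Assumption: org_domain() uses the last two labels. Real receivers use the
# Public Suffix List, otherwise "victim.co.uk" and "evil.co.uk" would "align".
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict.
    Defaults: alignment modes are relaxed ("r") unless adkim/aspf say "s"."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, identifier: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1): strict needs an exact
    match, relaxed only needs the same organizational domain."""
    a = header_from.lower().rstrip(".")
    b = identifier.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    spf_result: str    # result of checking the rfc5321.MailFrom domain's SPF
    spf_domain: str    # the rfc5321.MailFrom domain that SPF was checked against
    dkim_result: str   # result of verifying a DKIM-Signature, if any
    dkim_domain: str   # the d= domain of that signature


def dmarc_evaluate(record: str, header_from: str, auth: AuthResults):
    """Return (dmarc_result, action). DMARC passes if at least one of SPF or
    DKIM both passed AND is aligned with the rfc5322.From domain."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_result == "pass" and aligned(header_from, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(header_from, auth.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


GOOGLE_DMARC = "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"

# Constructed scenarios (not real captures).
# 1. Classic SPF-only bypass: SPF passes for the attacker's own MailFrom domain.
SPOOF = AuthResults("pass", "attacker.example", "none", "")
# 2. Legitimate subdomain bounce address, relaxed alignment allows it.
SUBDOMAIN = AuthResults("pass", "mail.google.com", "none", "")
# 3. Forwarded mail: SPF breaks but the DKIM signature survives and aligns.
FORWARDED = AuthResults("fail", "forwarder.example", "pass", "google.com")

if __name__ == "__main__":
    for name, auth in [("spoof", SPOOF), ("subdomain", SUBDOMAIN), ("forwarded", FORWARDED)]:
        print(name, dmarc_evaluate(GOOGLE_DMARC, "google.com", auth))
```

The "forwarded" case is why relaxed alignment and DKIM matter together: the forwarder's IP fails SPF for the MailFrom domain, but the signature google.com put on the body still verifies and aligns, so the message survives. Flip the record to aspf=s and the subdomain case fails, which is the trade-off the comment above describes.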
https://easydmarc.com/blog/google-spoofed-via-dkim-replay-at...
There isn't any federal regulation at all covering your Bitcoin.
Unrelated, but for added spice, here's a thread from ten months where everyone agrees you're a fool unless you secure your coinbase account with google authenticator
https://www.reddit.com/r/CoinBase/comments/1h65zuh/account_h...
With my bank, I've been able to recover several thousand after a thief was able to bypass the 2FA app used to verify large transfers. (I still don't know how they were able to bypass the verification, and after investigating our bank never told us. Not sure that makes me feel all warm and fuzzy, but at least I was made whole with minimal fuss.)
With the former, your recourse is essentially zero. Banks won’t do anything, cops are useless.
With the latter, banks try to prevent it and it’s harder and riskier.
In USA, banks are actually required by law to reimburse fraudulent account activity if reported within 60 days. However, this does not cover cases where the account holder themselves made the transfers even if they were tricked into doing so.
But if someone gets your login and liquidates your bank account, in USA at least, the bank is 100% responsible for that fraud.
Credit card companies are 100% responsible for fraud regardless. Even if they try to market it as a perk "You're never responsible for unauthorized transactions". Yeah, no shit. It's the law.
Doesn't seem like there's a lot of middle ground between being responsible for your mistakes and being treated like you can't be trusted to make your own decisions.
I wonder sometimes how many scams I've avoided simply by pretty much never answering my phone when someone calls unless I'm expecting a call or it's someone I know.
> The attacker already had access to my Gmail, Drive, Photos — and my Google Authenticator codes, because Google had cloud-synced my codes.
Ugh, google
I was pretty suspicious but thought I would get them to authenticate their identity as someone really from Amazon by telling me the last thing I had really ordered was...
I must have stayed on the call for 20 minutes, eventually they ended up swearing at me - all the time I could hear other people in the same room trying the same lines on different people. I have no idea why I stayed on for so long....
I do not answer calls
Maybe 3 or 4 of these a day <sigh>
Then because of the leak side channel effect they can further future target calls such as coming from google about your problem with "your pixel 9 or 10?"
They have the scammers working off phone queues, it takes a little bit of time to get the call to the scammer, who has to start off with a script, so there's a delay.
Remember, the scammer, also likely not a native English speaker, also probably bored out of their mind, has to spin up, they have to read the name, understand how to say it and then say it out loud. There is a mental startup time that a normal conversation doesn't have.
If someone calls you and isn't ready to immediately respond to "hello" it's a scammer.
Personally, I would utter a confused "hello?" if I was calling someone, the ringing stopped, and no one said anything, but I guess not everyone would.
The attacker had access to the Google account which includes passwords from Chrome and also the 2fa codes stored in Google Authenticator, because those were synced to Google without the author noticing it.
So with passwords and 2fa the attacker could login to Coinbase too.
They're saying that the least likely part of the cover story is that Google would proactively reach out to you in order to help you personally with the service you are (most likely) paying zero dollars for, and assign one of their most expensive employees to the case.
I assumed this was normal.
What a shit show.
I certainly don't. Every call I get from the school seems to come from a different number. And the camp she was at when she hurt her leg and had to be taken for immediate medical attention.
I get it, in your world, in your experience, it all works out. But in mine, it just doesn't. From experience, I _know_ this is true.
Never, ever, use a cloud password manager, that's just dumb. Combining these things together in some sort of master account -- be it Google, Apple, Microsoft -- is also terrible. It's like leaving all of your savings accounts, checking, and investments at a single bank.
All of this stuff is going to get way worse because of AI. You'll be talking to real people you know personally who are 100% not AI but were tricked into asking you to do something by other AI enabled scammers. However aggressive I've suggested people be in the past probably isn't going to be enough for 5 years from now.
These things have always been possible, and have been done, but now they can be done at scale, with advanced testing to figure out what works on who, whereas before it was targeting the guy who kept posting pictures of expensive watches on his public Instagram.
Great advice for someone who doesn't have children or family members with health conditions.
Do people actually downvote this? Seriously???
The answer is almost certainly greater than 0.
Friend’s mother got scammed. She’d contacted tech support and they said they’d call back. Then a scammer just happened to call her within that next hour…
Getting a proactive call for my benefit would make me very suspicious about the authenticity of that call!
In my experience most authenticators cloud sync automatically, at least on iOS. For most people, this is a benefit. Otherwise, lose your phone and you're stuck, I doubt most people secure recovery codes properly either.
Ever since then I've been getting hundreds or thousands of Google notifications I've had to decline. Anyone know how people are able to send out hundreds of 2FA gmail notification popups without Google blocking this?
Most clued-up places enable you to register a Yubikey as 2FA.
So then it doesn't matter if you lose your OTP app and your backup codes because you've still got a Yubikey.
(And those that don't allow Yubikey, almost certainly will have SMS as a secondary option).
Still, better to just not do SMS auth. These days Yubikeys are not that expensive. Get three, register them all at the most important places, and put one at a parents’ place or similar.
But the point I was making that IF the website does not allow Yubi THEN SMS is almost certainly available, and you should use that as a backup mechanism.
Why ? Some sort of backup mechanism is better than none at all.
And what happens if you lose your Yubikey or it stops working? You're back to needing backup codes or an additional 2FA device
That's why you own N+1 Yubikeys ;p
Any place that offers Yubikey auth will enable you to register multiple Yubikeys against your account.
In all my time on the internet I have only ever seen one place that allows Yubikeys but restricts you to one key.
I've lost 2FA codes. It's complicated but if you have a financial relationship with the vendor you're going to be able to get everything sorted out. I imagine as this happens more there will be common internal policies which aid customers in this situation.
You have to weigh the amount of potential hassle against the value of potential losses. Why you would have $100,000 of value stored somewhere and only secured by a loose-lipped third party app is beyond me.
Google Authenticator can be local-only or synced to the cloud.
In local-only mode, the authenticator is bound to a specific device. You can manually sync it to additional devices, but if you lose access to all those devices, it's game over, you will get locked out of whatever accounts you secured with authenticator as the second factor.
In cloud-synced mode, it's synced to your google account, so if you lose your phone, you can restore authenticator state. But if your google account gets taken over, it's game over, the attacker has your authentication codes.
Never understood this convenience and never will. This is exactly the wrong way to deal with people losing their authenticator secrets.
Google took forever before adding cloud-sync to their TOTP app even though pretty much all the other ones did it from day 1. And I bet a non-trivial amount of people got locked out of their accounts because they hadn't reliably stored recovery codes.
Financial services are actually the least of your worries since you can get ahold of customer service and eventually recover your credentials even if it takes a few days and some snail mail. However if you lose access to Gmail or Facebook, good luck unless you know an employee.
Yeah, I do. Do you? Because it's certainly not what you're implying
I'm not sure if I have the same password reset flow as OP, but when I try to reset my password and even provide the 2fa code, it basically doesn't let me get past a certain point without contacting my backup email address or making me use a phone which I'm logged in on to complete the reset
A warning to auth engineers: if an account is using a Gmail address, then auth codes from Google Authenticator should not be considered a second factor.
I think I requested the reset with various details, then had to wait 24 hours before continuing.
About a decade ago I had suggested to Google at an identity forum that they embrace a local government/organization model for their hard-landing account recovery process (since it can ultimately devolve to an ID check) by having a mechanism where you can start the account reset process and get something which could be taken to a third party to approve after they do an ID check. As people increasingly depend on things like email accounts for everything there are a constant stream of people who will lose access to their phones but could easily visit a notary, library, DMV, police station, etc. and pass a check against a pre-registered government ID.
I don’t use Google but at least in the Apple world you also get a fairly different prompt for enrolling a new iCloud Keychain device than simply logging in. Obviously that’s not perfect but there is a good argument for not getting people accustomed to hitting okay for both high and low impact challenges using the same prompt.
Incredible take. I don't know what's worse here — suggesting gmail address = google authenticator, thinking you can know the source of "auth codes", or the fact this is coming from an auth engineer. I'm switching to handwritten HMACs on paper napkins today.
I use the super-sophisticated method of manually copying everything important to another external storage every 5 weeks or so. That has never failed me.
At least now more companies include a "never read this over the phone" note in their authentication texts.
Why do banks have to "know their customers" and telephone providers don't?
I have read that one problem is VOIP systems which can spoof outgoing phone numbers. It sounded like these are easy to attack. Or maybe scammers just make fake VOIP calls from overseas.
Part of the blame should be levied on Coinbase if this is the case.
(I'm assuming this guy at least uses unique passwords...)
> Google had cloud-synced my codes.
> That was the master key. Within minutes, he was inside my Coinbase account.
The author wrote "codes", not "passwords".
Coinbase has many ways to secure your account if the user enables them
also physical Yubi Keys would prevent anyone from withdrawing or stealing funds as it would have to be plugged in and tapped to process them.
It kinda sucks that in 2025, voice calls are now near-zero trust.
Is there really no velocity behind any open/consortium replacement to traditional voice calls?
Never act based solely on an unsolicited telephone call or email.
I do see why Google did it; it's going to be difficult to educate users to always set up 2FA both on a primary and a backup device. Much easier and convenient to automatically sync different devices. But your story makes it obvious that something isn't quite right here.
And yes, Google could have added an extra encryption password. But users forget/lose passwords, especially if they normally never need them. So I can see why Google didn't go that route.
[1] https://www.reddit.com/r/2fa/comments/pmow4k/switching_from_...
Google has dozens of properties and it is easy to generate an email from one of them that seems to confirm the attacker's identity. Never trust any of these to identify a legitimate representative.
Sadly for the scammers, that number didn't match. But, I note it was part of his script to sound confident and give a working URL. Pretty strong.
EDIT: to be clear, the fix has arrived: had he used passkeys, this attack would have been impossible and every login would’ve been faster and easier. There are edge cases but this is literally the reason why U2F was created a decade ago.
At some point people have to accept responsibility for their own stupid actions.
A little secret which will help you in life: everyone makes mistakes, even people who don’t think they will, even you. Looking all the way back to last week and 2 major NPM hacks ago, you can get access to a lot of systems simply by hitting someone when they’re busy and distracted.
Title: I Was Scammed Out of $130,000 — And Google Helped It Happen Heading: Google failed me in two ways Body: Google has become the vault of our digital lives — and that vault had cracks.
If Ford adds seatbelts and you decide to take them off because they annoy you; when you get into a crash you can’t claim Ford failed you since the seatbelts weren’t forced upon you more.
> Phishing emails from “@google.com” made it into Gmail.
> Google enabled Authenticator cloud sync by default.
Both of these seem like fair points where one could reasonably expect one of the largest companies in the world to spend a tiny amount of money on security improvements which would make it harder to attack their customers. Not following Apple’s lead on security for Authenticator is especially disappointing since they have no shortage of good security engineers.
That being said, there are a few approaches that might leave such an impression to people unfamiliar with their email client.
Computing the set of Unicode characters that would result in a homograph of a latin alphabet word is non trivial. Now do this for relevant/trusted domains, now put in place a mechanism to mark a domain as trustworthy that also minimises your liability.
But we aren't talking theory. In this case solutions exist, just not in this app?
Also, the triviality point is puzzling, are we only allowed to criticize professionals for trivial fails? (though using a different font is one of the trivial mitigations)
> that also minimises your liability.
How is that a factor, what is their liability now without any mechanism and will it increase if they add some?
Without them providing the headers this is just idle guessing, but I’d argue my guess is likelier to be the truth.
It's happened lots of times and it's why traditional banks are way more secure than crypto.
Well done to the author for talking about it, but I hope the real lesson is learned that crypto isn't a real store of wealth and can be stolen at any time....
Sure, but this is Hacker News, not Mugger News.
Like crypto, wire transfers are difficult to track and irreversible.
The victim may also have a chance to cancel the transfer, because they’re not instant. (especially outside of business hours)
It’s just not an attractive way to mug someone, it’s easier to take them to an ATM.
In Europe a wire is instant with no recourse.
Most banks have processes for giving money back in some of these cases.
It's a tiny, infinitesimal chance: but it's a heck of a lot greater of a chance than the same thing happening with a bank account, especially the "no recourse" part.
I'm a huge critic of the cult of crypto, but the odds of a key collision are smaller than the odds of <some highly improbable series of mistakes/coincidences/malice happening that result in you losing your money in the traditional banking system>.
The odds of a 'someone gets access to your account/wallet and instantly drains it with no recourse' are much higher in the crypto space, as the author of the post experienced.
There are 2^256 wallets. There are 2^72 grains of sand on earth.
The chance of your bank screwing up is a lot higher, by trillions.
For example, even a 2-of-2 setup with a trusted authority like a bank is straight-forward improvement in security over the conventional bank system.
You can go further, for example consider a 3-of-5 setup with 2 keys in security deposit boxes, 1 key on a laptop, 1 key on a phone, and 1 key on a hardware token. You can set the hardware token to erase its keys when the wrong pin is entered, making it pretty rubber hose proof.
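The k-of-n custody idea in the comment above can be shown concretely. The block below is an added example, not code from the thread or from any wallet software: Shamir secret sharing over a prime field, splitting a private key into 5 shares of which any 3 rebuild it, while any 2 reveal nothing. It illustrates the threshold principle only; an on-chain multisig wallet keeps n independent signing keys and never reassembles a single secret, which is the stronger design for custody. The field prime (2^521 - 1), the share layout and the sample key are all assumptions of the example.

```python
# Added example, not from the thread: Shamir secret sharing over a prime
# field, to show the k-of-n threshold the comment describes. This is an
# illustration of the threshold principle, not an on-chain multisig wallet:
# multisig keeps n independent signing keys and never reassembles a single
# secret, which is strictly better for custody. Here any k shares rebuild
# the key, fewer than k reveal nothing about it.
import secrets

P = 2 ** 521 - 1   # Mersenne prime M521, large enough for a 256-bit key


def _poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret: int, k: int, n: int, rng=secrets.randbelow):
    """Return n shares (x, y) of `secret`; any k of them recover it.
    `rng` is injectable only so tests can be deterministic."""
    if not (0 <= secret < P and 1 <= k <= n):
        raise ValueError("bad parameters")
    coeffs = [secret] + [rng(P) for _ in range(k - 1)]   # constant term is the secret
    return [(x, _poly(coeffs, x)) for x in range(1, n + 1)]


def recover(shares):
    """Lagrange interpolation at x=0 over the field; shares need distinct x."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def key_to_int(key: bytes) -> int:
    return int.from_bytes(key, "big")


def int_to_key(value: int, length: int = 32) -> bytes:
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # stand-in for a wallet private key
    shares = split(key_to_int(key), 3, 5)    # 2 safe deposit boxes, laptop, phone, token
    assert int_to_key(recover(shares[:3])) == key
    assert int_to_key(recover([shares[0], shares[2], shares[4]])) == key
    print("3-of-5 recovery ok")
```

The rubber-hose point in the comment applies here too: a hardware token that wipes its share after wrong PINs only helps if losing that one share still leaves k others reachable, so the share placement has to be planned against both theft and loss.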
So you want there to be as low of a barrier of entry as possible, which is how we get here...
Especially when transactions can't be traced
If some idiot leaves all of their funds on an exchange like this, and it gets hacked, then good. That's how the market evolves and money moves out of the hands of the incompetent and into the competent.
Of course, this doesn't help if you don't have trusted associates — and can be (even more) dangerous with multiple people responsible for crypto custody.
Also helps if you have offline ("cold wallet") storage, which would require hours to importPrivKey and redeem. Slow them down...
On the plus side, iOS and Android now have features for auto-answering and filtering so thankfully I have that.
— no support group from a big company is going to call you. Ever.
— never give out codes sent to you via SMS or push notifications to someone requesting them via phone or email. Never. The messages often even say that!
— Don’t put all your private info behind one password, so don’t use Google Authenticator backed by your Google Account as your password manager. Always use a third party like 1Password or similar.
— Don’t have the same email you use banking and investments be the email that the world knows. Create a new email for that. If you use Chrome, even use a separate profile with that email, and only have your password manager as an extension. No others.
Unfortunately, some call centers DO use that for verification in some cases (i.e. you call them, and they send you a code to your email/phone that you read back).
- godaddy
The key situation for giving out an SMS code that the gp is pointing out is the customer initiates the call to the support center.
For example, suppose somebody wants to add a credit-card to their smartphone digital wallet. They have to call the bank issuing their credit-card to do that. Once the customer support person answers the call, a common security verification (e.g. Chase Bank does this) is for them to send you a 6 digit code to your phone. You then repeat this code back to the support person on the call. They want proof of your identity and also proof that you physically have the smartphone with you. Repeating the SMS code to the customer support person is safe because the customer called the official 1-800 number on the back of their card.
That's a totally different sequence of steps from receiving a random call from somebody claiming they are from Chase Bank. Yes, in those cases, you never give out SMS codes to that untrusted person on the phone.
Note, however, that those are two "totally different sequences of steps" to you and me, and "completely analogous / equivalent sequences of steps" to my father in law :-/
Doing so would not force users to divulge codes over the phone, and enable support staff to verify identity all without training users that reading codes over the phone is acceptable.
Thoughts on that?
I think if the war against phishing online has taught us anything, it's that humans can't be trusted to not reveal secrets to scammers. Only machine-to-machine public key authentication (like TLS or WebAuthn or U2F) is truly phish-proof.
I assume in the case where the customer initiates the call and support is verifying their identity via SMS, they use different text (i.e. not "to confirm you're signing in"). Otherwise, that'd be pretty ridiculous.
the verbiage is the same.
My reply involved the effort of sending a test message from my Chase account, to capture the exact text used. If you want people to engage with you in good faith, you should put similar effort into your replies, rather than just use Reddit-speak for "I think you're wrong."
To their credit/discredit, when I said no I'm not giving that out it says not to they just moved on. Not sure why they even asked then.
It is a setting that lets your power company change your temperature settings when the grid is under load. We wouldn’t mind it but they turned our heat way down during one freezing night while we were sleeping. Everyone woke up cold the next day.
It's like they want us to get scammed?
I tried making this point downthread but it bears repeating higher up. Per OP, this was account with Authenticator enabled. If you have a working authenticator setup, they aren't going to "ask for a code", since by definition you're already authenticated. And while I'm no expert, I really don't think there is such a thing. Recovery for a lost account never goes back to device-in-hand once you have enabled full 2FA.
Something is being skipped in the description of the phish here. I don't think OP is being completely honest.
Then the attacker used Google SSO to perform the initial log in to my coinbase account. Then they opened Google Authenticator, signed in as me, to get the coinbase auth code so they could complete coinbase’s 2fac.
I really think you're reaching here trying to ascribe blame. You... just got phished.
Or even better, don't rely on a third-party hosted service.
I've been a Codebook[1] user since the old-days when they used to call it Strip.
They are old-school, local-system storage. With sync/backup done how you like it (all three encrypted before it leaves your computer):
- Dropbox
- Google Drive
- Local folder (which you can then sync with using your own mechanism)
- Recently (only this year) they introduced a totally optional hosted subscription cloud-sync option for those who want it
[1] https://www.zetetic.net/codebook/
There’s good reasons to use it over self managed solutions, just like there are other good reasons to use a self managed system like this.
Neither should be strictly dictated as better without first ascertaining what the user is looking for
> - never give out codes sent to you via SMS or push notifications to someone requesting them via phone or email. Never. The messages often even say that.
Chase bank still, as of last week, asks for these codes over inbound calls. Drives me mad. They do so when calling me about fraud alerts, not the other way around.
- from a number with no results on Kagi search
- claiming to be the online banking support of my bank
- asking me to read them a code sent to me via SMS
and when I refused to do that, they blocked my login credentials for online banking and sent me a sternly worded (paper) letter that my account could not be upgraded automatically for their software system migration because I had refused to engage with their support agent.
I then had to create a new login in their app, call the phone number on their letter and read that guy the SMS code and, to my surprise, that was the only !!! authentication needed to activate the new login credentials that I had just created.
(BTW, this was one of the top 100 largest banks worldwide)
It's almost like some companies are training you to fall for scams.
EDIT: This specific instance was Deutsche, but Chase has the exact same horrible habit of calling and then asking for an OTP code.
"New online banking and new app
From 25 August 2025, you will benefit from the upgrade for online banking and Deutsche Bank app.
[..]
From 25 August, you will be able to simply reset your PIN yourself.
[..]
after logging in, you can also see accounts for which you are an authorised signatory."
But out of fairness, let me just mention that Chase behaves the same way. I think all of them just don't really care about small- and medium-sized businesses.
The worst part of this (for BECU) is that they've been warning their customers about phishing attacks from entities claiming to be BECU.
If anything even remotely similar happened to me, I'll instantly close all accounts and move my business to another bank.
On another occasion the bank called me regarding my house insurance and asked me to identify myself with their dongle.
Like, there is a wonder I have any money at all in my account. But then again, giving away plastic cards with a magic number on that you gave to strangers for them to withdraw an amount of their choosing from your account was the norm for decades ...
Maybe the wisdom is "Security through no security"?
Sometimes the rep is understanding, and acknowledges that he would have the same reaction, but other times it's like they don't realize they're asking their customers to do something Very Stupid™.
Sensible. But this whole “we called you now prove to us who you are” mess is stupid.
“Hey, this is Carol from Le Bank. Please just give us a call back at our main number found in the app or on our website. Then you can reach me directly at extension 123.”
It was also difficult that when people asked whether they could call back, we encouraged them to, but couldn't guarantee they'd then speak to the same person. They'd need to just talk to whoever they got. That was usually enough to put the person off and they would just take the risk (unfortunately).
Edit: Just wanted to add that I personally didn't want the people to make an exception to their unknown caller scepticism. Perhaps this bugged me more than others, but I would strongly encourage them to call back, and then do my best to get the call-back transferred to me. For that and many other reasons which I like to think of as preferring quality over quantity, my stats were as bad as you'd imagine!
When that bank did really try to tackle this issue, they quickly realised that there was more than one level of risk, and for the vast majority of the calls, we could get by with very little of that customer verification process - basically just that we had called them on a number they had provided, and they stated their name (which I think was more as a recorded verification that they were at least stating they were the correct person). For the much smaller number of outbound calls with more risk, we could then ask the person to call back. Once the risk peeps were on board, it was vastly improved fairly easily.
I'm not in that space at all now, but it seems far easier than it was back then. A few banks I'm a customer of send notifications right into the online banking app, which the customer approves, confirming that they at least have access to that. I don't know what they do if you don't have the app installed. I do find it a little sad that it is yet another thing pushing you to need a smartphone (and to install yet another app). On the other hand, I think all of those banks require me to have the app to use as an authentication token to do any kind of online banking even on a desktop browser, so if you're going to do that, may as well take advantage of it everywhere.
Edit: My bad, I misremembered. It wasn't that they truncated them, it was that they were case insensitive. Which is... objectively worse.
There will always be people that are "wallet inspector" stupid that you can't really shield from scams. But common sense practices and consistent messaging would solve a lot of the problem. There needs to be better accountability for companies that have these insecure practices. The same way they'd be held accountable for a data breach. Oh, wait...
She had to do some additional work to resolve my issue but it did get fixed.
If it did and even included details like the person’s name, that would make me feel safe. If it’s a generic OTP that could be used to log into my account or reset its password, though…
I called them about my Fitbit warranty and the rep needed to verify my account and wanted me to give him the code from SMS that explicitly said in the SMS not to give it to anyone!
No my account did not get hacked afterwards. Yes it was a legit service rep because afterwards he was able to pull up info on my previous warranty claim.
Google Support would call me all the time, and then first thing they would do is ask me to open the interface and repeat some code or another.
Capital One texts codes during live calls and requests the customer read the code to them.
A health care provider sends emails with links to a 3rd party domain to provide encrypted email, because a) regular email supposedly isn’t HIPAA compliant and b) apparently the health care provider’s web and app infrastructure which provides secure messaging is not secure enough for certain messages. It’s indistinguishable from a phishing attack.
Hospital direct invoicing by email, also includes 3rd party links, which takes the user to a site asking for personal information including SSN. It’s certainly phishing. Right? Nope, it’s legit, and no option to get a mailed bill once volunteering an email address.
I think half of mobile device users don’t know or can’t handle a best practices workflow.
The reality is the tech industry sucks, it’s bad at its job, gives shitty advice to everyone then goes and violates all of it leading to loss of trust.
It isn't.
I work in healthcare, and if anyone in the company sends an email with PHI or PII in it, we're supposed to alert the Security department, or lose our jobs.
When you answer a call your brain kinda loses its ability to step back and think. Almost like the same trick that those people who ask for directions and steal your watch do.
Security is not the main reason I do this but it has been nice knowing I can't be reached directly by scammers and hackers.
Yeah, insane. I think it was HSBC. This was a couple of decades ago so maybe they've fixed that. I don't bank with them any more.
But over here our bank has also been sending out leaflets on how to avoid scams, and the top two are "if you need to call, call the number written on the back of the card" and "if you're not sure, come to the bank in person".
Same thing I taught my parents, and my mom actually got a call about some "personal info they needed to verify", said she'd come to the bank in person, they said "ok", she went in person, and they actually needed to verify some data (some EU regulation, she hadn't visited a bank in years).
I'm imagining something with the non-phishability of U2F but the usability of an SMS 6-digit code. Maybe that's U2F.
> no support group from a big company is going to call you. Ever.
Is, eventually, you probably will get a call from a support group at a big company, as many have noted in response, and then all of the other absolutes in the list also become "well, people say never, but I think this is one of those exceptions" instead of "it's never worth taking the risk of assuming it's the company who really called you".
A company, even big one people joke about having a complete lack of actual human support agents, may really call you one day. The other 364 days of the year it's probably a scam. The safe bet is to take the issue they called about and contact the official support channel yourself (being careful to get a real one and not an ad/fake site if you need to Google it). It may not always seem the most convenient, but it only takes one mistake to end up in a much more inconvenient place one day.
So some of these systems are very poorly designed.
Some services even say that when they are indeed codes you are _supposed_ to read back to them. Which clearly helps further train people to ignore that language.
I'm assuming this is a dirty unicode hack and not something worse: no DKIM or an actually compromised sender.
The whole thing stinks.
Minimal effort, won't pass any scrutiny, but someone panicking might miss it.
Thanks OP for the thread, very enlightening.
I wonder how many people would fall for that though.
The headers uploaded are the report email being sent to Google, not the original incoming email. We still don't know how this was spoofed.
Thanks ICANN!
My primitive security precautions:
1. DO NOT use your Gmail for recovery. Use another email provider.
2. Use a family member's phone number for recovery.
3. DO NOT install your bank's app. Somehow the Royal Bank of Canada's app was used as an attack vector. If the RBC app can get hacked, smaller banks are even more vulnerable.
4. Use incognito mode on your browser for banking so a thief or hacker can't use your browser history to find out your bank.
You can buy that information. Databrokers will sell it. Your bank sells your transactions.
I recently got a Google scam call from someone using Google Voice in the bay area (650 number) claiming to be with Google and that an unauthorized device was trying to access my account. Eventually realized they were just trying to get me to unlock my account, probably to drain bank accounts.
> So when he asked me to read back a code — supposedly to prove I was still alive — in a moment of panic, I did
This was an account with authenticator enabled. I'm no expert, but I really don't think there's a recovery process that works as simply as "read back a code". Certainly not in the SMS 2FA sense I'm sure we're all expected to interpret.
Honestly it seems like the author is trying to blame Gmail's UI, when some other more involved phishing technique was actually the novel part here.
if the scammers had spoofed the email, they would already have that code, and if they hadn't spoofed that email... I mean it looks like a case ID, why would they need it?
Maybe the reading back the code was to get buy in, then there's a missing step here like they had him hit "allow" on a 2fa prompt. Or maybe the email was legit, since it references a "temporary code" and the case ID allowed access with that code?
Good chance my reading comprehension is shot and I'm missing something, I suppose, but I don't understand.
That's more charitable than me. My UnreliableNarrator sense is tingling really badly here.
> In the Gmail app on iOS, it looked completely legitimate — the branding, the case number, everything. Even the drop-down still showed “@google.com.”
> So when he asked me to read back a code — supposedly to prove I was still alive — in a moment of panic, I did.
The sentences do not refer to the same thing.
The code was not in the email... The narrator was asked to read back "a code", not the case ID in the email. "A code" here refers to a 2FA push notification code. The email was used to rattle the narrator / build trust to get them to comply.
Did they send the fake legal email and at same time trigger a recovery code to be sent?
Is this like the same thing in discord where they ask you for your email to join a server then ask you for a code sent to verify you own that email but really they submitted the email for password reset. The victim doesn't realize it's a real recovery code sent by Microsoft, etc instead in the moment thinking it is a "discord code". Once you submit the code in discord they have your account stolen in seconds.
Is this what the article is attempting to describe?
So many people and developers do not understand two factor authentication. If the necessary information is automatically sync'd to another device, you likely don't have two factor auth.
Example: If you log in from a Macbook, and the second auth is sent to your phone, Apple will helpfully forward that code to the Macbook, completely removing the second factor.
I've seen references to "three factor" auth which is often a push notification to a phone, and then there's more secure second factors, like yubikeys or code-protected passkeys.
If your goal is to stay safe even after one of your devices is owned then you’ve got a rarer (and way more difficult) threat model.
Since you’re getting harassed all the time and dealing with opaque rules it is no wonder people are fatigued, make mistakes, are inclined to panic when they get a scary call and hand over the keys, etc.
To add to that, having anything to do with crypto is to put a big target on your back and make yourself vulnerable.
The thought of having all my online services centralized with a single provider for email, SSO, 2FA, and so on is scary. Especially at Google, where you can lose all access at the drop of a hat, with no recourse.
Don't do that. Don't put your 2FAs somewhere else than in an unsynched app. Not in Bitwarden, not in any online account, nowhere else than "Something you have".
And would you say that using something like authy with encryption using a totally unique password is safe?
This was such an obvious mis-feature I can't believe they actually rolled it out. For those using Google Authenticator you can and should disable cloud sync of your TOTP codes.
Don't disable cloud sync unless you have a backup of all your TOTP secret keys. It's dangerous to advise people to disable cloud sync without mentioning backups. Being locked out of thousands of dollars in your crypto account is as damaging as losing that crypto to hackers.
TOTP isn't that great, you should definitely use a hardware and/or pass key for important and financial services. That said your cloud synced Google Authenticator can be behind a Google account with strong 2FA (i.e. not SMS nor TOTP), then it's mostly fine.
The lesson here is really not to ever share codes you receive by SMS, and preferably disable phone as recovery and second factor.
I am not clear how the account access occurred. What code did he read? He voluntarily read his own 2FA code from his Authenticator?
This person read an SMS code — one that explicitly says not to give it to anyone — and then they said "I work in tech. I design authentication experiences. I know you’re not supposed to share verification codes! And yet, I got phished."
This person's greatest mistake was answering the phone to a stranger. Who knows what hell can be unleashed on one's emotions nowadays with AI. One cannot expect to be rational in a lion's den.
They are royally fucking up their PSA by throwing Google under the bus rather than telling people to avoid answering their phone to scammers. I suspect this PSA will help approximately no one because of that. Not getting your voice captured (for AI synthesis) is, by itself, a great reason not to answer random calls like this.
This is key. I would "never" fall for a scam like this. But who knows for sure? I would also never cheat on my partner, but can I say with 100% certainty that some insane situation can't possibly ever come up where my many layered defenses are compromised? Can some sufficiently charismatic individual deliver a perfect AI script to me based on info from 5 other breaches, in my brother's voice, to make me give up a 2fa token in an emergency? Maybe! So just never answer the phone, ever
It's not a GREAT carrier, but I have a legacy plan for unlimited everything at $20 a line.
But if I have to call in, they do send a 2FA SMS code, and require me to tell them over the call. It's absolutely ridiculous. But, I've only had to call in 4 times in the last 9 years, so, yeah.
Your story is humbling, and a good reminder that anyone can get “got”. We shouldn’t think ourselves above such incidents.
You can literally tie a yubi key to your Coinbase account and no one can withdraw funds unless a yubi key is physically plugged in and pressed.
One can also use the Coinbase Vault system where it would be impossible to steal any funds from his account had he enabled it.
You should also never use cloud sync for Google Authenticator as evidence here as why.
> On iOS, Gmail doesn’t let you view full headers
True! But Gmail on desktop does provide full headers. Why not post them so the rest of the community can step in and help out?
Healthy levels of paranoia aren't so bad.
This is honestly the cause IMO. I refuse any call from any number not in my phone book, UNLESS I am expecting a very specific call, and if it’s not who I expect, I hang up with no conversation.
>Keep your crypto on an exchange
This gets the same level of sympathy as a person without backups suffering from data loss.
Is the average user (someone who "works in tech" even!) really so uninvolved in their own security? Are they not expected to hold any responsibility whatsoever?
Whether you fall for an elaborate phish, or if your Ponzi-token predictably loses value after your 'investment' was cashed out as an earlier adopter's profit, it's all the same to me.
Alternatively your hardware wallet bricks itself or three of your disks fail at once.
I don't care. You lost the money when you first exchanged it for worthless tokens.
Email spoofed from legal@google.com and he read it in Google's Gmail app for iOS. The original title was correct: "Google Helped It Happen"
You can use Google Cloud or Google Sites to trigger emails to anyone that legit come for Google email addresses and servers or submit forms on Google that will send legit emails to Gmail users/targets.
They simply either just embed their scam text into these emails or use the emails from legal@ as a scare tactic and pretext for their scam when they call you.
Read the text shown in the screenshot in an article. I am 99.9% sure that is not from Google. The wording screams scam to me, most likely from someone who is not a native English speaker.
Among many many other red flags, it specifically says not to try and change your password for 6-12 hours and to not share the details of the email with anyone.
To me this quote says more about the crypto space than anything.
Also not shocked it was crypto theft.
The guy who called me said "I can send you an email to show it's official" and I thought of that immediately when I read this article. No dice, he refused to give me a number to call back on, so I knew it was fake.
EDIT You can spoof from email addresses and you can spoof phone numbers - if someone is calling from a legit number on caller id it means NOTHING. You have to call back to a legit number to be sure it's real.
The guy who called me on friday felt like a targeted attack, I've been getting a TON of pokes at trying to reset my google password. It really made me feel like there's less and less you can trust online. Scammers are winning the arms race, and have the resources to create really good looking pages.
Well, SEO, I get that this kind of gaming is hard to prevent, not at Google's scale.
But the AdWords scams? Or all the other fake ad scams, chumboxes and god knows what? The complete lack of audits around something that actually causes money to change hands should be outright banned.
At the high end of ads, think large brand TV spots, you got entire teams of lawyers involved to make sure licensing, actor releases, technical details, corporate identity and a myriad of other things are taken care of.
But at the low end? Some rando from St Petersburg can post an ad for a book "uncovering Western lies about NATO expansion", some Indian can post an ad for "Norton Removal", some American an ad for a f2p game with content that clearly does not describe the actual gameplay or some Chinese can post an ad for penile enlargement pills - and none of the four will get even one human eye on the ad before the campaign goes live and the ads are displayed to actual users, even though all four either violate Western laws outright or are at least banned by the providers/networks.
And the problem isn't just limited to Google, Youtube, AdWords, Unity Ads [1], Taboola [2], Outbrain [3], Facebook/Insta [4] - it's everywhere, the entire low range of ads is infested to the core. Self-service ad platforms should be shut down, period - the industry has shown that "self regulation" doesn't work.
[1] https://discussions.unity.com/t/does-anyone-screen-these-ads...
[2] https://www.vice.com/en/article/taboolas-content-chum-boxes-...
[3] https://www.skeptic.org.uk/2021/01/the-outbrain-drain-why-ne...
[4] https://www.vice.com/en/article/instagram-and-facebook-are-o...
It is all about balance. Google could do more here, however the answer is not as obvious as you might think. Especially in an age where identities get stolen often and the lag time on catching said fraud is quite long.
The issue is that the entities mentioned are doing...nothing at all. Not even basic MANUAL identity checks and payment checks. Automated checks work very well until they don't.
Oh it is. A basic background check alone done by an actual human to see if the business is actually real, let's say this costs Google 1h @ 40 dollars plus 20 dollars for credit bureau fees. Google can offload that cost to the advertiser - even for a small cookie store, that's hardly an expense.
And after that, vet the campaign material for each asset. When you have 200 dollars in ad spend (which isn't much), 10 dollars should go pretty far in having a human see if the "pizza store" didn't just place an ad for penile enlargement.
> Automated checks work very well until they don't.
The key thing is, the entire ad industry is amoral. No one cares about fraud or brand reputation any more, not when you see chumbox ads on "reputable" newspapers. So everyone seems to think "why should I leave a few dollars on the table?".
Ephemeral ads are not a good thing.
I have seen Microsoft support forum articles that list the "Facebook official phone number". The fact that it's not from Facebook doesn't make it less authoritative in a panicked person's mind.
Google, Meta, Microsoft, and Apple really must start publishing an "official phone number". It is perfectly OK that this phone number just plays a repeating message saying that the user should browse google.com/phone. That website can explain that there is no phone support offered, and provide a bunch of links for common scamming hooks that leads to anti-phishing material.
Great idea unless the attacker has SS7 access.
But in a world with Pegasus, and telecoms in smaller vacation countries selling off SS7, etc, etc - if someone good really wants to target you normal security protocols aren't going to cut it.
The phone network is just not a secure channel for any sort of communication
Supposedly, people have been fired after being falsely accused of harassment. The scam works as follows:
Send a message to bob@gappsdomain.com and notavictim at the same domain. Arrange for the headers to be “from” bob. Now, notavictim reports Bob to HR. If the google admin is competent, they look at the headers, and note that Bob didn’t send the email. (Not sure if they catch the offender or not.)
If they’re incompetent, they see the message in Bob’s from box, and recommend he be fired.
This is a feature that enables dubious workflows, where Bob configures spam bots to bother his coworkers, but wants those messages to be auto filed in his sent box.
I didn’t think it worked when spoofing unrelated domains like Google though. That’s just dumb. Maybe the attacker had the author’s IMAP gateway password and moved the message into the inbox?
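Several comments in this thread (the "no DKIM or an actually compromised sender" guess, the note that the uploaded headers were from the report and not the original mail, and the "from" bob scenario above) come down to the same defender-side question: do the authenticated identities in the headers belong to the domain the visible From: line claims? The following is an added example, the editor's own code and not anything from the article or from Google, that performs that DMARC-style alignment check over constructed sample headers. It assumes the Authentication-Results header was added by your own receiving MX (RFC 8601 says to strip any such header that arrived from outside, since a sender can forge one), and it simplifies "organizational domain" to the last two labels instead of consulting the Public Suffix List.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample messages (not the article's email). SPOOFED has a From:
# domain that neither the DKIM signature nor the SPF-checked envelope sender
# belongs to; ALIGNED passes both under DMARC's "relaxed" alignment.
SPOOFED = b"""\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=newsletter@bulk-sender.example;
 dkim=pass header.d=bulk-sender.example
From: "Google Legal" <legal@google.com>
To: victim@example.net
Subject: Case ID 00000 (constructed sample)

Please read back the code.
"""

ALIGNED = b"""\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounces@mail.google.com;
 dkim=pass header.d=google.com
From: Google <no-reply@google.com>
To: user@example.net
Subject: Constructed aligned sample

Body.
"""


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. Real DMARC consults the
    # Public Suffix List so that e.g. example.co.uk is handled correctly.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(values):
    """Pull (result, domain) pairs for dkim= and spf= out of
    Authentication-Results header values (RFC 8601 syntax)."""
    found = {"dkim": [], "spf": []}
    for raw in values:
        v = re.sub(r"\s+", " ", str(raw))  # unfold continuation lines
        for m in re.finditer(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", v):
            found["dkim"].append((m.group(1).lower(), m.group(2).lower()))
        for m in re.finditer(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", v):
            found["spf"].append((m.group(1).lower(), m.group(2).lower()))
    return found


def check_from_alignment(raw_message: bytes) -> dict:
    """DMARC-style check: does a *passing* DKIM or SPF identity belong to the
    same organizational domain as the visible From: address?"""
    msg = message_from_bytes(raw_message)
    display_name, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rpartition("@")[2].lower()
    results = parse_auth_results(msg.get_all("Authentication-Results", []))
    dkim_ok = any(r == "pass" and org_domain(d) == org_domain(from_domain)
                  for r, d in results["dkim"])
    spf_ok = any(r == "pass" and org_domain(d) == org_domain(from_domain)
                 for r, d in results["spf"])
    return {
        "from_domain": from_domain,
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "dmarc_style_pass": dkim_ok or spf_ok,
        # Lookalike signals a mail client's "drop-down" can hide: non-ASCII
        # characters in the address, or a display name that is itself an address.
        "non_ascii_address": not addr.isascii(),
        "address_in_display_name": "@" in display_name,
    }


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("aligned", ALIGNED)):
        print(label, check_from_alignment(sample))
```

The verdict depends entirely on headers the receiving server recorded, which is why a screenshot of the rendered From: line, or the headers of the report mail forwarded to Google, cannot settle whether the original message was spoofed.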
But because Google delivers spam from senders who spend a lot on Google ads; and e-mail traffic gets laundered into web ads traffic; they just can't do it. And because Superhuman charges more than $0, it can't do it either. Nobody can fix e-mail. If you can't see how phishing and Google Ads are related... you know, this is why it is hard to "just" pass a law. It's not because the law wouldn't fix the problem. It would, if you permit the status quo where Google is the e-mail monopoly. It's this whole A16Z "just pass a law" nonsense, where someone thought he was saying something really insightful because he didn't like Jon Stewart, getting in the way of my inbox zero, and simply never receiving non-personal e-mails at all.
A little less convenient for a LOT more security.
EDIT: also thank you, but and 0.0% is fine.
They're happy collecting their commissions and avoiding you. The only good thing is that (for the most part) the payment method is just a password/faceid/touchid away.
Callers from legitimate businesses treat me like I’m questioning the moon landing when I tell them I’ll need to call them at an official number.
Now try and convince your family to do the same (especially parents who are prime targets).
This process doesn't care about them calling from a spoofed number. We've had big problems with spoofed number scams and the CRA (Canadian version of the IRS) recently.
AI speech still has some noticeable quirks (I cloned my voice earlier this year to produce some tutorials). Once those are ironed out, I may increase my paranoia a bit. It's going to be hard for an AI faking a relative to get my bank password, if that even happens. There are far more lucrative targets with that level of investment.
I think just being on guard and not trusting potential anonymous sources is "good enough" for now.
Not to justify their behaviour, but: most businesses are not set up to allow for callbacks or they're set up to actively discourage them. For example: they may be contracting out to call centers or employee performance may depend upon making a sale. My situation is unique since all calls are handled internally and my performance is not based upon making a sale.
That said, the current situation pretty much dictates that a secure option should be offered to clients.
Where do you bank? I'm looking for recommendations.
Playing Jason Bourne with your credit card number is not worth the effort if you ask me.
I would even say this is a net positive for the economy: the cost of fraud is outweighed by the lower barrier to payment. I'm sure you'd have made fewer sales had people been more worried about security. Net positive then, right?
If your bank doesn’t want to honor the request yes you’ll have to contact the payment network (visa/mastercard) and I’m sure there’s someone in this thread who has experienced that for an unauthorized transaction chargeback but it’s exceedingly rare.
Merchant error chargebacks , on the other hand… very different situation.
It’s possible that my current bank is particularly bad at this, as they are bad at everything else. I have had the runaround with merchant error and stolen card number chargebacks with other banks though.
Oh so you’re a telemarketer.
And to further crush that cynicism: most people are overjoyed when I call them.
Not everyone who makes outbound calls is a telemarketer.
The healthcare company I work for has a whole department of very nice people who make outbound calls to offer free health and nutrition classes to poor people.
Yes, they're free. As an employee I am also required to take one of the classes each year, so I know what they entail. Yes, they cost our company money. No, they're not sponsored by some corporation or ad company, and no we don't sell people's information on (HIPAA and all that).
The real world isn't a tech bubble cage fight.
Alternatively, ask for their license number, check the license, then call the number it lists. (Kills two birds with one stone for licensed professionals.)
"This is he(or she)", or "who are you trying to contact" handle most situations.
Just don't let scammers get you saying something in the affirmative.
Edit: Many of them are scammers, they don't play by the rules.
Probably going to cost a lot to get to that point, probably more than they will scam you for. They're after the quick hit that gets them something right away while also believing that you won't take it that far.
It's like knowing how to pick a lock vs just throwing a rock through the window that's next to the door to gain access. They both get you there.
Scenario 2: You say yes and they lie about what you acknowledged. You sue or you don't.
The math on your end doesn't change, no matter what you said.
I assume if I have a problem with any of my accounts, I'll eventually find out and self serve to go and fix it, as much as possible.
This reminds me of one time where I got a call from a number I don't know, got yelled at something about spamming calls. Yelling includes threats about getting reported to police or whatever, which was confusing since I never had any history with this number.
I suspect my number was spoofed. I'm not sure if there's any defense against that.
Now my default is to ignore any unknown numbers.
I had to tell my bank this once a few years ago, when they called me up and then expected me to give them personal information to confirm my identity.
One click on the "backup codes" on main screen and boom, no confirmation or anything. Your keys are in the cloud. I couldn't find a place to undo it. Article says it's enabled by default now. This is shameful.
At least when trying to drum up business from formerly-large accounts that have greatly reduced their spending.
Every action you took is what you hear about multiple times every week about people falling for phishing, and you continued.
Finally, it was just some crypto shit so not a big deal.
Apple's Mail.app also doesn't allow this and it's driving me nuts.
The security bottleneck is the one institution that holds all of the responsibility. It cannot be fixed by giving more hoops to authenticate themselves to the one institution
But 99.99% of the time, phone calls from unrecognized numbers are spam/scams.
I never answer the phone.
The most infuriating part of the story by far.
Or (given the password database link at the end), is the sequence:
1) various logins are pwned (Google leak or just other logins, but using gmail as the email - if just other things, then password reuse?)
2) attacker has access to password
3) attacker phishes 2FA code for Google
4) attacker gains access to Google account
5) attacker gains access to Google authenticator 2FA codes
6) attacker gains access to stored passwords? (Maybe)
7) attacker gains the 2nd factor (and possibly the first one, via the Chrome password manager?) to a bunch of different accounts. Alternatively, more password reuse?
I guess the key question for me, was there password reuse and what was the extent, or did this not require that?
Disclaimer: work at Google, not related to security, opinions my own.
Inbox access is a fairly big compromise, even without the 2FA codes.
I have no idea how they had my password, I never share passwords or use the same password. But I hadn’t changed my Google password in a while.
And did you have passwords using chrome password manager as well (which were also compromised by the Google account access, and this is how they got access to e.g. Coinbase?), or did they get passwords through some other means and just needed 2FA?
By enabling cloud-sync, Google has created a massive security vulnerability for the entire industry. A developer can't be certain that auth codes are a true 2nd factor, if the account email is @gmail.com for a given user because that user might be using Google's Authenticator app.
Specifically, the most problematic is SSO + Google authenticator. Just @gmail + authenticator is not enough, you need to also store passwords in the Google account too and sync them.
Although, this is functionally the same as using a completely unrelated password manager and storing authenticator codes there (a fairly common feature) - a password manager compromise leads to a total compromise of everything.
I don’t see how this happens if you use strong passwords without reuse.
I sleep fine at night; this is a hallmark of these "omg I got owned and it could happen to you!" posts that never quite add up.
The only question mark is the email from google. It sounds like it was a scam email, so it would be interesting to know whether/how it was spoofed.
2. (More general) When a person initiates a communication with you it is for his benefit, not yours. If it was for your benefit then you'd have initiated the communication to benefit from it. This is not only about scams but also about selling stuff or answering polls or whatever. Always be sceptical when somebody you don't know contacts you.
These scams will only get better, they will impersonate your loved ones, your best friends, your children, and plead with you to save them by handing over money or information, but it will all be a ruse. The only things that can prevent this outcome are: positive ironclad proof of identity / personhood / company representation, or ongoing rejection of belief in inbound communications.
> By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.
I myself can keep denying them but I have a toddler and if he accidentally accepts one of them, I’m screwed.
And since it’s impossible to reach anyone at Google, WTF do I do?
> the attacker shuffled my staked ETH and other tokens through multiple transactions, then drained the account.
Live by the decentralized, irreversible, climate-destroying, scam-and-slavery-enabling currency, die by the decentralized, irreversible, climate-destroying, scam-and-slavery-enabling currency.
> Google enabled Authenticator cloud sync by default.
Adding that to the list of reasons I use FreeOTP instead (https://f-droid.org/en/packages/org.fedorahosted.freeotp)
I think the reality is that people think "Oh couldn't be me and am I going to be the weird security guy" so it isn't whether you know software and security etc. that determines it. It's whether you're willing to be embarrassed frequently in these conversations.
I've had the banks call me, Coinbase scammers call me, all sorts. I'm at the point where I block my own area code (which is from a different state where I have a few people whitelisted fortunately) and that's eliminated a lot of it.
I don't mean I can't be scammed. Just that perhaps some mitigation comes from being willing to be socially awkward and insisting to someone that you want to do it by the book.
so thanks for the advice!
My guess is that the attacker had the google password, and also the login for Coinbase was somehow stored in Google, so the attacker getting into google also exposed Coinbase. I just looked at Coinbase, and it does have a "Sign In With Google" feature.
If you want to live the stripped-down TOTP lifestyle, you have to love this 20 line Python solution. Does not depend on weird libs, and the last edit is 4 years ago. Write the seed on a Post-It and you're all set. Not so convenient, but sound sleeping! https://github.com/susam/mintotp
Edit: Obviously not “you work at Google and your boss calls you” or whatever
I'm not trying to undermine the idea behind this article, but I was raised to never answer the phone and that was in the 90s
Call the person's extension back from an out-of-band line, but after checking the contact phone number on the old web page or government business registry.
This is effective against most forms of line tampering, as targeting an unknown random line number is much more difficult to predict.
Most nuisance calls we get are the classic foreign operator message repurposed language translations trying to get people to "press 1 if you like ice cream" which bills 3rd party long distance calls. There was a local dubious calling card scammer arrested twice for this con. Just hang up, and report/block the number =3
I'm not familiar with the formal account takeover process at Google, but my best guess is that the attacker simply requested an account takeover via the official Google process, which triggered this email to be sent by Google legitimately. By reading back the code in that email, the attacker was able to claim the Google account as theirs, thus access the Gmail inbox to reset the Coinbase password and access the authenticator backups from the Google Drive.
I would be very curious to see the original message headers of the email though.
The spoofed email was deleted by the attacker, but I have a copy because I forwarded the email to phishing@google.com (something ChatGPT told me to do). The attacker then deleted the original but when I got my account back an hour later, Google bounced back the email. So that is the copy I have and the headers are not super helpful.
You're going to get hacked again
https://www.thesslstore.com/blog/wp-content/uploads/2023/05/...
Edit: I searched my email and it doesn't look like they are doing this at all with their accounts.
Edit II: Looks like it's on hold: https://blog.kickbox.com/gmail-bimi-exploit-what-you-need-to...
You must be insane to use gmail for anything like banking, crypto, domains.
I lost access to my gmail account. I know the PW but I can't access the 2 factor authentication anymore.
Yes, you need to buy hardware, yes you need 1 or more backup yubikeys in a bank safe somewhere in case your primary one breaks, but it is actually safe.
Strong passwords in your head are bad because they're even more phish-able. Like, with FIDO2, my yubikey will not log in to "fake-coinbase.com"; the attacker cannot proxy the data they get from the yubikey. For 2FA TOTP codes and for passwords, a phishing page can just proxy the stuff through to the real coinbase and log in (as happened in this attack).
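The two comments above (the "20 line Python" TOTP and why a YubiKey will not log in to a look-alike domain) in one added example that is not from the thread, from mintotp or from any vendor: RFC 6238 TOTP in a few lines, plus a toy model of a relay page forwarding what the victim produces to the real site. The origins, the fixed challenge and the credential key are constructed, and an HMAC stands in for the authenticator's public-key signature.

```python
import base64, hashlib, hmac, json, struct

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step)

class RelyingParty:
    """Toy server (constructed): holds the user's TOTP seed and a credential bound to its origin."""
    def __init__(self, origin: str, totp_seed: str, cred_key: bytes):
        self.origin, self.totp_seed, self.cred_key = origin, totp_seed, cred_key

    def verify_totp(self, code: str, unix_time: int) -> bool:
        # The six digits carry no information about where the user typed them.
        return hmac.compare_digest(code, totp(self.totp_seed, unix_time))

    def verify_assertion(self, challenge: str, assertion: dict) -> bool:
        # As in WebAuthn, the signed client data names the origin the browser actually saw;
        # HMAC stands in for the authenticator's public-key signature in this toy model.
        client = json.loads(assertion["client_data"])
        sig = hmac.new(self.cred_key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        return (client["challenge"] == challenge and client["origin"] == self.origin
                and hmac.compare_digest(sig, assertion["sig"]))

class Authenticator:
    """Toy FIDO2 authenticator: signs the challenge together with the origin the browser supplies."""
    def __init__(self, cred_key: bytes):
        self.cred_key = cred_key

    def sign(self, browser_origin: str, challenge: str) -> dict:
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
        sig = hmac.new(self.cred_key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "sig": sig}

def login_via(page_origin: str, rp: RelyingParty, auth: Authenticator, seed: str, now: int) -> tuple:
    """Victim authenticates on `page_origin`; that page forwards whatever it receives to the real RP.
    Returns (totp_accepted, fido_accepted)."""
    totp_ok = rp.verify_totp(totp(seed, now), now)           # relayed digits verify from anywhere
    challenge = "constructed-challenge-1234"                   # RP challenge, forwarded by the page
    fido_ok = rp.verify_assertion(challenge, auth.sign(page_origin, challenge))
    return totp_ok, fido_ok
```

From the real origin both factors are accepted; from a look-alike origin the TOTP code is still accepted while the origin-bound assertion is rejected, which is the whole argument for FIDO2 over TOTP in this thread.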
Sure, have a second one at home that can be Fedexed to you.
Look at the first sentence of the first paragraph and the first sentence in the second paragraph. Two grammar errors which are a dead giveaway it's fraudulent.
> Thank you for your assistance and understanding during your recent support call, regarding a ficticious request aimed at accessing your Google account.
Comma doesn't belong there and "fictitious" is misspelled.
> To follow all guidelines of the internal review properly. Please keep a secure note with the temporary password which your support representative has provided to you.
Out of place period. Should be a comma.
Legit, canned emails like this (especially from legal@google.com) would be proofread much better than this. It's fake.
Ah yes, and all millennials are immune to the attack in one fell swoop.
It was only after I checked Twitter that I saw Garry Tan's callout of the exact same scam. After experiencing it myself, I wouldn't fault anyone who fell for it. The only other tip-off was that the voice was pretty monotone and unemotional, but that only appears obvious in hindsight, not in the moment where you're slightly panicking that someone might be trying to claim access to your account.
Regardless of whether you received an email from Coinbase notifying that you were affected, the attack they suffered is much larger than they let on to the SEC.
https://www.coinbase.com/blog/protecting-our-customers-stand...
This should be the real highlight of the issue here. I always check headers on my Samsung whenever I feel suspicious.
As for the email, this blog post ( https://sammitrovic.com/infosec/gmail-account-takeover-super... ) from about a year ago notes that somehow scammers were/are using Salesforce to spoof emails from Google that appear legitimate. Seems like something similar happened here, but there's no way to be sure without the headers which the scammer seemingly cleaned up.
The FTC reported that scam losses totaled 12.5 billion last year. These scams are elaborate and convincing even for folks who make a living in tech. ( https://www.ftc.gov/news-events/news/press-releases/2025/03/... )
At any rate, sorry this happened OP. Stay safe, folks.
why were your coins not in a cold wallet? that is how you stop this permanently
why did you acknowledge any kind of inbound communication? ignore it. always. or call outbound to a confirmed number to make sure.
btw you were scammed out of $80k, as you admit in your article; the headline is misleading for seemingly no reason except the larger number
it is still a second factor, because it is something you have instead of something you know; it's just that you converted it to something you know when you read it and transmitted it to someone else
all that being said, yeah, legal@google.com (as a homograph attack) should probably be blocked.
I also don't leave any information I'm worried about someone stealing in my Google account. I find it hard to understand how anyone in tech could fail to see how risky that is.
but you're assuming that "bank security" (or the like) will never call you to alert you to a scam, or that you will recognize their number. maybe they don't, you may know that, but I sure don't.
It's true, unknown calls are 99% spam. That's on you if you'd want to believe otherwise; by your own admission, you don't know.
Yes, for important companies you do business with, you will come to store those numbers in your contacts. You'll have specific account reps even. Services and apps don't call you; for this very reason, they have in-app confirmation flows.
But if I get such a call or text, I don't answer it. Instead I do what you describe--call the official number that I already know independently. (Or I log in to their website to check for alerts.)
I'm assuming no such thing. I have indeed gotten calls and texts from my bank and my credit card companies alerting me to fraudulent transactions, that were legit calls and not scams.
But I didn't answer those calls or texts directly, or try to figure out whether the number that was calling me or texting me was the right one. What I did was to call a number that I already know, independently, leads to my bank, or to my credit card company's fraud department. Or I independently logged into the bank's or credit card company's website to see if there were any alerts. And if there were, I acted on them.
I described this in my earlier post: "If they claim to be from some company I have a relationship with, I check independently to see if something's up."
And nobody uses voice mail in the EU; it seems to be a US thing.
Sure it is. Just because you get a call about an issue that turns out to be legit, doesn't mean you need to resolve that issue by answering the call.
I describe upthread what I've done when I've received calls or texts from my bank or credit card companies about issues.
Never share a verification code. Scammers use urgency and fear (“you must resolve this in the next hour”) to get you to act.
Based on the second warning, I've decided not to trust the first.
How is this basic fail still possible?
But yeah, the tell with Google is: if someone from Google calls you, then you know it is a scam by the fact that Google called you. Google doesn't give a fuck about you. Even if you spend millions on ads.
But the main way to know is that companies never call you these days. No company should have and few do have a workflow where an employee will call you "cold" with a problem. Instead, companies email, snail mail or text about a problem and you call them back.
But if someone somehow sounds legit, you ask for the official number and whatever info is needed to identify your supposed problem. Then go to the website and verify. Call the number at the website (that you find from your own search, not the caller's info) and then have them verify you.
——
Your sign-in code was successfully reset. If this wasn't you, contact us immediately on +43 1 3950657516
Reference: FPQ92
——
And this one
——
You signed in from a new device in Beijing (China) through a Ledger Live API. If this is NOT you, call us on +43 1 3950657516
Reference: FPQ92
——
Looks completely legit and I was really spooked at first. I can see how people fall for this stuff.
But that's hard because many people work on markers of legitimacy, not algorithms.
I wonder, though, did "Norman" just guess you had tens of thousands in crypto lying around, or was this step two of a phishing attack?
Any call from Google is a scam.
A lot of them ultimately (if carefully inspected) come from @gmail.com addresses. And many of them look pretty convincing.
Did gmail change something for the worse, or have phishers found a new way to circumvent Google's spam filters?
Is this a victory of Google's UI designer's quest for a "clean look", over basic security essentials?
Let this be a lesson to everyone who hasn’t been scammed yet.
Hello everyone, I'm here to share my experience so others can avoid what I went through. A few months ago, I lost my entire life savings to an online group who posed as cryptocurrency investors. They were convincing and professional, and I only realized it was a scam after I had invested a lot of funds; when I tried to withdraw my money, they disappeared.
I felt devastated, but I reported the crime to my bank and local authorities right away. After researching reputable resources, I eventually found a licensed financial-fraud recovery service that works with law enforcement. They helped me trace the transactions and recover a portion of my stolen funds. It gave me hope and some justice. If you ever find yourself in a similar situation, kindly contact them at their email below: easytouchcryptocurrencyrecover@gmail.com
latchkey•4mo ago
https://x.com/0xzak/status/1967592307714379934
ncr100•4mo ago
A Horrific threat.