Markit
The reports of people's Facebook, Airbnb, Tokopedia, Paypal, etc. accounts being broken into seem to me to be increasing almost daily. As a computer wonk back in the day I admittedly gave them short shrift assuming wrongly, so it seems, that this was just common idiocy or lack of understanding from the people hacked.Until it happened 10 days ago to a good friend of mine. His Facebook, Paypal and 2 other online accounts were hacked/compromised/taken over in a single session.Because this man is a friend of mine he was willing to put up with my less than sympathetic (I know, right?) cross examination as to the exact details of what happened and I think I've finally understood what's going on and thought it might be a warning for others.Any time you log into one of these accounts from a different computer/phone/IP than your usual one FaceBook etal immediately send an authorization request to your Messenger account, for example, for you to agree that it is, in fact, you doing the logging on BUT from a different source computer or mobile phone.This would appear to be an unbreakable security factor which should keep anyone out of your account unless they also have your phone - and what are the chances of that?My friend received a message on his Messenger Service from a good friend asking him to help him as he had just bought a new phone and needed to check something out and would my friend copy the 4 authorization requests that his friend would send him and simple send them back. The message being from a trusted good friend my friend didn't give it another thought and was quite willing to help out without really giving the, retrospectively, strange request any consideration. And he was busy as we all are with our usual lives.So doing as his friend asked he then promptly received the 4 verification requests which, he also promptly resent to his friend.Within the next 5 minutes the hacker had changed the passwords on the 4 accounts and my friend was left not understand why his friend had done this to him.He hadn't. The friend had been hacked probably the same way and everyone in his friends list had also been "approached" to help...I suspect this is a computerized operation that could be using AI but is well within the programing capacity of most programmers and they know within milliseconds when those requests go out and pounce on you exactly then.Beware it's hell out there.
harryopal
I recently received a notice on Messenger from the sister of my late wife. She lives in Ohio. After asking how I was, the message then went on to say how she had recently received $250,000 from DHHS, the U.S. federal government agency responsible for protecting the public's health and providing important services, especially for people in need. The message said I would also be eligible. Given that I have never used any medical services while in the US and I am not a US citizen it was immediately clear that hackers were using the sister in law's Messenger contacts to try and trick her friends into responding. I later followed this up through another family member to confirm what I suspected. When I did not respond to the Messenger hacker another message asked why I was avoiding her. Perhaps we should just go back to communicating with smoke signals.
AuroraB
The "authorization request" method is a rather weak protection if click on a link is sufficient to allow some to break in. For all important accounts (like banks, shopping, google etc) I only trust 2FA apps. This require me to login using a one time security code produced by an 2FA app on one of my gadgets (or a hardware key from olden days). Obviously the security code is never to be shared -- no matter what! These 2FA apps cannot be moved to another gadget without authorization by owner or by issuer (like a bank). Some of these apps (like securID) even need pin code to retrieve login security code, so even if a phone is stolen or "borrowed", they need to break phone passcode, then 2FA pin code to get access to login security code. Do not use 2FA without pin code as people with access to phone obviously has access to login security codes!
Markit
The usual "stories" from Nigeria or from your sister or where ever are not the point of my post - I think most people are able to recognize an attempt to get your security information. My main point of interest with this story is the level of social engineering that went into it: the precise timing of the reply to come just after the websites had sent their verification requests, down to the choice of time of day when most people are busy doing their lives, the use of a friend asking what seems an innocuous question for "help" and frankly the low level of computer familiarity. And to top it all of this whole thing is self sustaining and plunders the friends list of anyone it gets for new victims. To really top it all off the lack of interest from FarceBook to help or even re-instate the hacked victim's old account.
meerkat
have heard of another source of these 'friend's requests' may originate from a cloned Facebook account profile
Markit
have heard of another source of these 'friend's requests' may originate from a cloned Facebook account profile[/QUOTE]Have several past friends that posted strange things or mailed some rubbish. Funny upon checking their profile there was no friends except some large breasted Nigerian ladies. Didn't block and am hopping for more mails...
harryopal
Have several past friends that posted strange things or mailed some rubbish. Funny upon checking their profile there was no friends except some large breasted Nigerian ladies. Didn't block and am hopping for more mails...[/QUOTE]Yes, well if you should have contact from some of your "large breasted Nigerian ladies", enjoy yourself but bear in mind that you are probably corresponding with a balding, overweight male who will soon tell you that "she" loves you and then, a little while later, "her" mother needs heart surgery and if only "she" could find a kind hearted person to help.
Markit
Yes, well if you should have contact from some of your "large breasted Nigerian ladies", enjoy yourself but bear in mind that you are probably corresponding with a balding, overweight male who will soon tell you that "she" loves you and then, a little while later, "her" mother needs heart surgery and if only "she" could find a kind hearted person to help.[/QUOTE]You know her too!!!
PERtoDPS
this sounds like sim swapping type attacks to me, plenty of info how they work on youtube
Markit
this sounds like sim swapping type attacks to me, plenty of info how they work on youtube[/QUOTE]Had they cloned his phone number then the "friend" wouldn't have needed his assistance with resending the verification messages as they would have come directly to the cloned phone - nice try though.
meerkat
many of the 'hacking' scams reported are social engineering based [URL]https://business.bofa.com/en-us/content/online-social-engineering-scams.html[/URL]
meerkat
the level of 'hacking' tech. competence is high & only getting better(worse); consider that Nation states that have teams dedicated to hacking (e.g. Nth Korea has been documented but that's like the kettle calling the pot black). If you're interested in what actual hacking is going on today here's an interesting monitor [URL]https://konbriefing.com/en-topics/cyber-attacks.html[/URL]
Markit
The main problem, in my view, is that your Nigerian sweat hack shop with maybe 30 dedicated phone bangers can probably call a 1000 punters a day. Now with AI on the scene that number goes up dramatically, not to say exponentially. AI apps can mimic a known voice perfectly, say your brother or sister, gathered from WhatsApp messages or any other voice app online, and call you anytime of day or night and that 2 or 3 million times a day or even hour to different people around the planet! Possible scenario: AI "sees" your mothers Instagram posting from holiday in Morocco. Calls you at 3am pretending to be your mother calling from Morocco terrified she's been kidnapped and says they'll only let her go if you send them $5000. You have 2 hours. Whatcha gonna do? Bye, bye mum! Police aren't an option. You can try calling your mum but numbers can be blocked or stolen easily in some 3rd world countries.Imagine the chaos? Me, I never answer my phone unless it's a known number.
meerkat
Social engineering aside,atm the high tech. hacking is focused on high level targets [URL]https://techcrunch.com/2023/06/15/moveit-clop-mass-hacks-banks-universities/?activate-overlay=true&tpcc=TCreviewnewsletter[/URL]
meerkat
[HEADING=1]Meta Says New AI Voice Model Too Dangerous to Release[/HEADING]Unlike previous voice generator platforms, Voicebox has the unique ability to perform speech generation tasks that it was not explicitly trained on. When a user inputs text and provides a short audio clip as context, Voicebox can clone the sample into new speech that closely resembles the voice featured in the source clip.
Rellek
A few days ago my US bank sent me a text (I receive a few a month warning against possible fraud charges). This one was for $200 USD for MGM gambling charges going against my credit card. The only recent charge was for an Airbnb in Darwin, Australia which uses the "Plaid" system for accessing your accounts for payment. Has anyone heard of this? The bank cancelled my card automatically after I denied the charge and issued a new card which will be sent overseas.
britoo
A few days ago my US bank sent me a text (I receive a few a month warning against possible fraud charges). This one was for $200 USD for MGM gambling charges going against my credit card. The only recent charge was for an Airbnb in Darwin, Australia which uses the "Plaid" system for accessing your accounts for payment. Has anyone heard of this? The bank cancelled my card automatically after I denied the charge and issued a new card which will be sent overseas.[/QUOTE]Never heard of Plaid but it is worth bearing in mind it might be months or years after the copy/skim event that your card is actually used for fraud unless its an opportunistic crime by an individual. Particularly so if its a syndicate as many in Bali are.Made one use of my backup card (so not used in years prior) some time ago and it took about a year and a half before the first fraudulent online transaction landed and I had it blocked by the time the second rolled in a month later.Sounds like this was a customer not present transaction and I am surprised your bank doesn't support OTP (one time password) for this amount in this case.
Rellek
Sounds like this was a customer not present transaction and I am surprised your bank doesn't support OTP (one time password) for this amount in this case.[/QUOTE]For on line purchases I always have to enter a one time password. For credit and debit card purchases I do not. It might be worthwhile me looking into that though. Thank you.
