| ▲ | sroussey 5 days ago |
| A few reminders bear repeating: — no support group from a big company is going to call you. Ever. — never give out codes sent to you via SMS or push notifications to someone requesting them via phone or email. Never. The messages often even say that! — Don’t put all your private info behind one password, so don’t use Google Authenticator backed by your Google Account as your password manager. Always use a third party like 1Password or similar. — Don’t have the same email you use for banking and investments be the email that the world knows. Create a new email for that. If you use Chrome, even use a separate profile with that email, and only have your password manager as an extension. No others. |
|
| ▲ | fxtentacle 4 days ago | parent | next [-] |
| Except that a few weeks ago, I got a phone call - from a number with no results on Kagi search - claiming to be the online banking support of my bank - asking me to read them a code sent to me via SMS and when I refused to do that, they blocked my login credentials for online banking and sent me a sternly worded (paper) letter that my account could not be upgraded automatically for their software system migration because I had refused to engage with their support agent. I then had to create a new login in their app, call the phone number on their letter and read that guy the SMS code and, to my surprise, that was the only !!! authentication needed to activate the new login credentials that I had just created. (BTW, this was one of the top 100 largest banks worldwide) It's almost like some companies are training you to fall for scams. EDIT: This specific instance was Deutsche, but Chase has the exact same horrible habit of calling and then asking for an OTP code. |
| |
| ▲ | apparent 4 days ago | parent | next [-] | | I've gotten calls from my bank before, where they tried to get me to authenticate after I answered the phone. I said "look, you called me, I'd be crazy to just answer the phone and give out personal info." They refused to provide any info that I could have used to validate that they were legit (like telling me something about my account number, when my account was created, etc.). They said I had to authenticate with them before they would tell me anything. Sometimes the rep is understanding, and acknowledges that he would have the same reaction, but other times it's like they don't realize they're asking their customers to do something Very Stupid™. | | |
| ▲ | red369 4 days ago | parent | next [-] | | Over a decade ago, I worked in a bank call centre, first as one of the people who would occasionally make those outbound calls and have those crazy conversations, and then later in their customer experience team. It was well known that those outbound calls to customers were a mess, but it was thought of as tricky to fix. The dilemma was that the risk department felt they needed to identify people, but not only were those people often hesitant to provide any info, we wanted them to be - for everyone else who called them, but not for us. It was also difficult that when people asked whether they could call back, we encouraged them to, but couldn't guarantee they'd then speak to the same person. They'd need to just talk to whoever they got. That was usually enough to put the person off and they would just take the risk (unfortunately). Edit: Just wanted to add that I personally didn't want the people to make an exception to their unknown caller scepticism. Perhaps this bugged me more than others, but I would strongly encourage them to call back, and then do my best to get the call-back transferred to me. For that and many other reasons which I like to think of as preferring quality over quantity, my stats were as bad as you'd imagine! When that bank did really try to tackle this issue, they quickly realised that there was more than one level of risk, and for the vast majority of the calls, we could get by with very little of that customer verification process - basically just that we had called them on a number they had provided, and they stated their name (which I think was more as a recorded verification that they were at least stating they were the correct person). For the much smaller number of outbound calls with more risk, we could then ask the person to call back. Once the risk peeps were on board, it was vastly improved fairly easily. I'm not in that space at all now, but it seems far easier than it was back then. 
A few banks I'm a customer of send notifications right into the online banking app, which the customer approves, confirming that they at least have access to that. I don't know what they do if you don't have the app installed. I do find it a little sad that it is yet another thing pushing you to need a smartphone (and to install yet another app). On the other hand, I think all of those banks require me to have the app to use as an authentication token to do any kind of online banking even on a desktop browser, so if you're going to do that, may as well take advantage of it everywhere. | |
| ▲ | ww520 4 days ago | parent | prev | next [-] | | It happened with Schwab. I've enabled option trading in one of my accounts and got a call from Schwab, asking to authenticate me. I told them I couldn't trust that it was a legit call; give me a number and case number and I'd call back. | | |
| ▲ | kevin_thibedeau 4 days ago | parent [-] | | It gets fun being on a 3-way call with bank M, talking to a Schwab rep for verification and trying to explain why Schwab uses a Chase account number. |
| |
| ▲ | jagged-chisel 4 days ago | parent | prev [-] | | > … I had to authenticate with them before they would tell me anything. Sensible. But this whole “we called you now prove to us who you are” mess is stupid. “Hey, this is Carol from Le Bank. Please just give us a call back at our main number found in the app or on our website. Then you can reach me directly at extension 123.” |
| |
| ▲ | gcr 4 days ago | parent | prev | next [-] | | Which bank was this? Please name them so I can avoid doing business | | |
| ▲ | fxtentacle 4 days ago | parent | next [-] | | https://www.deutsche-bank.de/ub/kontakt-und-service/service/... "New online banking and new app From 25 August 2025, you will benefit from the upgrade for online banking and Deutsche Bank app. [..] From 25 August, you will be able to simply reset your PIN yourself. [..] after logging in, you can also see accounts for which you are an authorised signatory." But out of fairness, let me just mention that Chase behaves the same way. I think all of them just don't really care about small- and medium-sized businesses. | |
| ▲ | anonymousiam 4 days ago | parent | prev [-] | | I've had this same issue with BECU (Boeing Employee's Federal Credit Union). They're a really good financial institution, but like many, they suffer from nearsightedness. They know that they're "the good guys", so they feel that it's unnecessary for them to properly authenticate themselves to you. So it's asymmetrical security and asymmetrical trust. The worst part of this (for BECU) is that they've been warning their customers about phishing attacks from entities claiming to be BECU. |
| |
| ▲ | dec0dedab0de 4 days ago | parent | prev | next [-] | | My old insurance company (Cigna) used to call me and demand information to verify it was me. I eventually figured out it was a thing to try to convince me into getting cheaper cancer treatment so they could save money. | | | |
| ▲ | rightbyte 4 days ago | parent | prev | next [-] | | Ye. I called my bank to unblock my Mastercard after they blocked it due to Blizzard charging 10USD or something for Star Craft. I just told them my name and they unblocked it. On another occasion the bank called me regarding my house insurance and asked me to identify myself with their dongle. Like, it's a wonder I have any money at all in my account. But then again, giving away plastic cards with a magic number on them that you gave to strangers for them to withdraw an amount of their choosing from your account was the norm for decades ... Maybe the wisdom is "Security through no security"? | |
| ▲ | Arrowmaster a day ago | parent | prev | next [-] | | I had this happen with fucking Google. I called them about my Fitbit warranty and the rep needed to verify my account and wanted me to give him the code from SMS that explicitly said in the SMS not to give it to anyone! No my account did not get hacked afterwards. Yes it was a legit service rep because afterwards he was able to pull up info on my previous warranty claim. | |
| ▲ | brewdad 4 days ago | parent | prev | next [-] | | I had to call Chase about an issue with my credit card. I called them and knew I was talking to a legit agent. At least as sure as one can ever be. Still, at one point she asked me to read back the code she texted me. I started to do so then stopped. I explained that the text she sent me specifically states "We will never ask you for this number (over the phone)". I refused to read it back since it violated their own stated policy. She had to do some additional work to resolve my issue but it did get fixed. | |
| ▲ | john_the_writer 4 days ago | parent | prev | next [-] | | My local medical clinic sent me an SMS with a link, asking me to change my medical info. I called them to point out how they were training their patients to fall for SMS scams. | |
| ▲ | zeven7 4 days ago | parent | prev | next [-] | | At my (very large) bank, they have asked me to read them a code from text that literally said "Do not share this code with anyone over the phone" in the text message next to the code. I'm 100% sure it was my bank asking for the code. I called them from a number I found on their site over HTTPS and verified from another source, they knew my account information. I gave it to them while telling them they need to fix this. This was a few years ago. Nothing bad ever happened. Just bad security practices. | |
| ▲ | Pesthuf 3 days ago | parent | prev | next [-] | | Did the OTP message they sent you state that this code was specifically to authenticate on the phone? If it did and even included details like the person’s name, that would make me feel safe. If it’s a generic OTP that could be used to log into my account or reset its password, though… | |
| ▲ | jlarocco 4 days ago | parent | prev | next [-] | | I know Wells Fargo gets a bad rap (and rightly so) for some of their behavior, but IME they've always had their stuff together with online access and banking. | | | |
| ▲ | 4 days ago | parent | prev | next [-] | | [deleted] | |
| ▲ | joshuamorton 4 days ago | parent | prev | next [-] | | Yes, I've also had Wells Fargo require me to read codes that were emailed back to them, and while this was mitigated by me calling them, it sketched me out every time I had to do it. | |
| ▲ | carlosjobim 4 days ago | parent | prev | next [-] | | They treat you as you deserve to be treated: As a serf. You let them stomp all over you and still come crawling back to plead with them to let you bank with them. Even though there are hundreds of banks you can switch to. If anything even remotely similar happened to me, I'd instantly close all accounts and move my business to another bank. | | |
| ▲ | ryandrake 4 days ago | parent [-] | | Same. Find a different bank not full of morons. It's not like there's a shortage of banks out there. |
| |
| ▲ | 4 days ago | parent | prev | next [-] | | [deleted] | |
| ▲ | UltraSane 4 days ago | parent | prev | next [-] | | They should really send the code in a letter. | |
| ▲ | thrtythreeforty 4 days ago | parent | prev | next [-] | | I mean just get a new bank at that point. They're telegraphing that they're gonna cause you more inconvenience in the future. | |
| ▲ | mandeepj 4 days ago | parent | prev | next [-] | | At least, you took the right steps. However, they were stupid to begin with. | |
| ▲ | andy99 4 days ago | parent | prev | next [-] | | The bank's policies and those like it are the root cause of these scams. There are countless things like this where real "legit" behavior is completely indistinguishable or sometimes even worse than scams. There will always be people that are "wallet inspector" stupid that you can't really shield from scams. But common sense practices and consistent messaging would solve a lot of the problem. There needs to be better accountability for companies that have these insecure practices. The same way they'd be held accountable for a data breach. Oh, wait... | | | |
| ▲ | mvdtnz 4 days ago | parent | prev | next [-] | | Change banks. | |
| ▲ | tartoran 4 days ago | parent | prev | next [-] | | Can you name the bank? | |
| ▲ | 4 days ago | parent | prev [-] | | [deleted] |
| ▲ | ApolloFortyNine 5 days ago | parent | prev | next [-] |
| Google support actually did ask me for that code when I had them disable energy savings on my nest thermostat. (it's insane that this had to be done through support, it's the setting where the power company can essentially control your thermostat in exchange for savings) To their credit/discredit, when I said no I'm not giving that out it says not to they just moved on. Not sure why they even asked then. |
| |
| ▲ | fvgvkujdfbllo 5 days ago | parent [-] | | Yes, it is so easy to enable this setting, they even keep sending us notifications to enable it. But once enabled, it is impossible to disable it. It is a setting that lets your power company change your temperature settings when the grid is under load. We wouldn’t mind it but they turned our heat way down during one freezing night while we were sleeping. Everyone woke up cold the next day. | | |
| ▲ | dragonwriter 4 days ago | parent [-] | | The asymmetry in activating/deactivating may be because power companies discount rates (don't know if it is automatic or you have to contact the provider) for people with that setting active, and removing it disqualifies you from the discount, so there is at least potentially an asymmetrical financial impact of toggling it one way vs the other. |
| ▲ | MrDarcy 4 days ago | parent | prev | next [-] |
| > — no support group from a big company is going to call you. Ever > — never give out codes sent to you via SMS or push notifications to someone requesting them via phone or email. Never. The messages often even say that. Chase bank still, as of last week, asks for these codes over inbound calls. Drives me mad. They do so when calling me about fraud alerts, not the other way around. |
| |
| ▲ | bdangubic 4 days ago | parent | next [-] | | NEVER answer - like NEVER :) absolutely NEVER answer... calls or text... it is really simple. I also have Chase and I have blocked just about every single number they called me from (probably like 12 over the last decade) | |
| ▲ | schneems 4 days ago | parent | prev | next [-] | | You can hang up and call the number on the back of your card | | | |
| ▲ | kevin_thibedeau 4 days ago | parent | prev [-] | | If you initiated the call (to the correct number) then SMS verification has a low likelihood of being a scam. |
| ▲ | krashidov 4 days ago | parent | prev | next [-] |
| My phone is set to Do Not Disturb by default. Only 5 numbers can reach me direct to ring and that is immediate family only. I never answer calls from unsaved numbers. If they really need to reach me they can leave a voicemail. When you answer a call your brain kinda loses its ability to step back and think. Almost like the same trick that those people who ask for directions and steal your watch do. Security is not the main reason I do this but it has been nice knowing I can't be reached directly by scammers and hackers. |
| |
| ▲ | anal_reactor 4 days ago | parent | next [-] | | I stopped answering unknown numbers because everything that's important comes via email anyway. But a friend of mine has a job that requires them to answer calls from weird numbers, so it's tough. | |
| ▲ | everybodyknows 4 days ago | parent | prev | next [-] | | Doesn't any legit caller always leave a message? That way, you can think through the security issue before responding. | |
| ▲ | wiredpancake 4 days ago | parent | prev [-] | | [dead] |
| ▲ | gpt5 5 days ago | parent | prev | next [-] |
| > never give out codes sent to you via SMS or push notifications to someone requesting them via phone Unfortunately, some call centers DO use that for verification in some cases (i.e. you call them, and they send you a code to your email/phone that you read back). |
| |
| ▲ | sroussey 5 days ago | parent [-] | | I’ve personally never had that happen. It should go on a name and shame list. | | |
| ▲ | jasode 5 days ago | parent | next [-] | | >I’ve personally never had that happen. It should go on a name and shame list The key situation for giving out an SMS code that the gp is pointing out is the customer initiates the call to the support center. For example, suppose somebody wants to add a credit-card to their smartphone digital wallet. They have to call the bank issuing their credit-card to do that. Once the customer support person answers the call, a common security verification (e.g. Chase Bank does this) is for them to send you a 6 digit code to your phone. You then repeat this code back to the support person on the call. They want proof of your identity and also proof that you physically have the smartphone with you. Repeating the SMS code to the customer support person is safe because the customer called the official 1-800 number on the back of their card. That's a totally different sequence of steps from receiving a random call from somebody claiming they are from Chase Bank. Yes, in those cases, you never give out SMS codes to that untrusted person on the phone. | | |
| ▲ | NikolaNovak 5 days ago | parent | next [-] | | I agree with everything you said. Note, however, that those are two "totally different sequences of steps" to you and me, and "completely analogous / equivalent sequences of steps" to my father in law :-/ | |
| ▲ | vehementi 4 days ago | parent | prev | next [-] | | Justifiable in a vacuum, but the end result is grandma knows "sometimes it's OK to give the code to the person on the phone" | | |
| ▲ | cced 4 days ago | parent | next [-] | | They should have users receive the code and then submit said code into the application for verification, with clear instructions that this code is produced as a result of a support call, and to confirm you are on an existing call when submitting the code. Doing so would not force users to divulge codes over the phone, and enable support staff to verify identity all without training users that reading codes over the phone is acceptable. Thoughts on that? | | |
| ▲ | 4 days ago | parent | next [-] | | [deleted] | |
| ▲ | Ajedi32 4 days ago | parent | prev [-] | | Still not foolproof. Attacker can MITM the connection by initiating their own call to the real support line and relaying instructions between the user and support. |
| |
| ▲ | Ajedi32 4 days ago | parent | prev [-] | | How else are you supposed to do identity verification over the phone? I think if the war against phishing online has taught us anything, it's that humans can't be trusted to not reveal secrets to scammers. Only machine-to-machine public key authentication (like TLS or WebAuthn or U2F) is truly phish-proof. |
| |
| ▲ | dpifke 4 days ago | parent | prev [-] | | The signin 2SV SMS verbiage used by Chase is: "Chase: DON'T share. Use code 12345678 to confirm you're signing in. We'll NEVER call to ask for this code. Call us if you didn't request it." I assume in the case where the customer initiates the call and support is verifying their identity via SMS, they use different text (i.e. not "to confirm you're signing in"). Otherwise, that'd be pretty ridiculous. | | |
| ▲ | eep_social 4 days ago | parent [-] | | found today’s optimist, congrats you win one warm fuzzy feeling. the verbiage is the same. | | |
| ▲ | ameliaquining 4 days ago | parent [-] | | I think I at one point ran into this with Chase and the verbiage was not the same. Are you speaking from experience? | | |
| ▲ | eep_social 15 hours ago | parent [-] | | I am; I seem to recall it was Chase (and I do have a Chase account) but it could have been another bank or financial institution. |
| ▲ | UncleMeat 5 days ago | parent | prev | next [-] | | Chase did this to me. A million alarm bells but even after hanging up and restarting the conversation from a phone number publicly listed on their website as a support contact they still did it. Wild. | |
| ▲ | scrollaway 5 days ago | parent | prev | next [-] | | Stripe Support does it for certain specific cases (email & phone). However, whenever they do it, it's a bilateral code generation: The support agent also gets a code they have to read out to the end user, which is featured prominently to them, saying the agent will have to read it out to get authenticated. | |
| ▲ | rscrawfo 5 days ago | parent | prev | next [-] | | Fidelity does as well, although the message switches to state only read the code if you've called them directly. | |
| ▲ | delfinom 4 days ago | parent | prev | next [-] | | A lot of credit unions using a certain call center / credit card provider use this exact authentication mechanism over the phone. | |
| ▲ | adrr 5 days ago | parent | prev | next [-] | | My bank does it. Chase will send OTP via the bank app to verify your identity for phone support. | |
| ▲ | clysm 5 days ago | parent | prev | next [-] | | Chase bank… | |
| ▲ | troc 5 days ago | parent | prev [-] | | - godaddy | |
| ▲ | octo888 5 days ago | parent [-] | | Who still uses GoDaddy LOL | | |
| ▲ | koakuma-chan 4 days ago | parent [-] | | Small business owners | | |
| ▲ | jay_kyburz 4 days ago | parent [-] | | Also me. Every 10 years my domains expire, and I can just pay a few hundred bucks again and forget about it, or I can do a bunch of work to move them somewhere and adjust A records and fuck around with stuff I don't remember and potentially have downtime. | | |
| ▲ | UltraSane 4 days ago | parent [-] | | Use AWS Route53 it is so much better. | | |
| ▲ | koakuma-chan 4 days ago | parent [-] | | Better than CF? | | |
| ▲ | UltraSane 4 days ago | parent [-] | | If you mean cloudflare I have never used it. | | |
| ▲ | koakuma-chan 4 days ago | parent [-] | | Check it out, it's much easier to use and they don't charge any markup. | | |
| ▲ | UltraSane 4 days ago | parent [-] | | One thing I like about Route53 is how granular the permission can be. This lets you automate things more easily and securely. | | |
| ▲ | koakuma-chan 4 days ago | parent [-] | | Yeah AFAIK people use Route53 when, e.g., there is a need to automate making subdomains for customers and stuff like that. | | |
| ▲ | UltraSane 4 days ago | parent [-] | | IAM permissions are almost always a pain to get right but they can be so useful when you can create an API key with permissions to do only exactly what it needs to do. |
| ▲ | Loughla 5 days ago | parent | prev | next [-] |
| Google business support called me to close the loop on an issue I had with a business listing. It was from a very busy and loud call center, and was made by someone with a heavy accent. It's like they want us to get scammed? |
|
| ▲ | IshKebab 4 days ago | parent | prev | next [-] |
| Yeah except I used to get legitimate calls from my bank's fraud department starting with "can you confirm your date of birth and address". Yeah, insane. I think it was HSBC. This was a couple of decades ago so maybe they've fixed that. I don't bank with them any more. |
| |
| ▲ | ajsnigrutin 4 days ago | parent [-] | | Yep. But over here our bank has also been sending out leaflets on how to avoid scams, and the top two are "if you need to call, call the number written on the back of the card" and "if you're not sure, come to the bank in person". Same thing I taught my parents, and my mom actually got a call about some "personal info they needed to verify", said she'll come to a bank in person, they said "ok", she went in person, and they actually needed to verify some data (some EU regulation, she hasn't visited a bank in years). |
| ▲ | odie5533 4 days ago | parent | prev | next [-] |
| During a Tracfone support call I made recently, they sent a 2FA text to me. I said to the rep, "The text says 'Don't share this code with anyone.' Can I share it with you?" They laughed and said yes. It was completely legit as I had called Tracfone for some service changes. So some of these systems are very poorly designed. |
|
| ▲ | ctennis1 4 days ago | parent | prev | next [-] |
| I'm in the midst of a transfer of enterprise account ownership with Apple, and I can assure you, the only way to complete it is to wait for a phone call from Apple Support from 1-512-884-5022. You can call this number back and verify it is indeed Apple Support and get notified it does not accept inbound calls, only outbound. |
|
| ▲ | traceroute66 5 days ago | parent | prev | next [-] |
| > Always use a third party like 1Password or similar. Or even better, don't rely on a third-party hosted service. I've been a Codebook[1] user since the old days when they used to call it Strip. They are old-school, local-system storage, with sync/backup done how you like it (all three encrypted before it leaves your computer): - Dropbox
- Google Drive
- Local folder (which you can then sync with using your own mechanism)
- Recently (only this year) they introduced a totally optional hosted subscription cloud-sync option for those who want it
[1] https://www.zetetic.net/codebook/ |
| |
| ▲ | lokar 4 days ago | parent | next [-] | | The backup of a TOTP is just the seed, right? Print it out and keep it with your other sensitive papers | |
| ▲ | no_wizard 4 days ago | parent | prev [-] | | There’s something to be said for the set up and largely forget it nature of 1Password. There are good reasons to use it over self managed solutions, just like there are other good reasons to use a self managed system like this. Neither should be strictly dictated as better without first ascertaining what the user is looking for. |
| ▲ | 827a 5 days ago | parent | prev | next [-] |
| Honestly if someone from Google Support calls me, my immediate response would be: "Google... Support? Now there's two words I've never heard in the same sentence before." |
|
| ▲ | cmurf 4 days ago | parent | prev | next [-] |
| AMEX fraud support group called me. A real live agent. Capital One texts codes during live calls and requests the customer read the code to them. A health care provider sends emails with links to a 3rd party domain to provide encrypted email, because a) regular email supposedly isn’t HIPAA compliant and b) apparently the health care provider’s web and app infrastructure which provides secure messaging is not secure enough for certain messages. It’s indistinguishable from a phishing attack. Hospital direct invoicing by email also includes 3rd party links, which take the user to a site asking for personal information including SSN. It’s certainly phishing. Right? Nope, it’s legit, and no option to get a mailed bill once volunteering an email address. I think half of mobile device users don’t know or can’t handle a best practices workflow. The reality is the tech industry sucks, it’s bad at its job, gives shitty advice to everyone then goes and violates all of it, leading to loss of trust. |
| |
| ▲ | reaperducer 4 days ago | parent [-] | | > regular email supposedly isn’t HIPAA compliant It isn't. I work in healthcare, and if anyone in the company sends an email with PHI or PII in it, we're supposed to alert the Security department, or lose our jobs. |
| ▲ | zamadatix 4 days ago | parent | prev | next [-] |
| The danger with stating this in terms of absolutes like: > no support group from a big company is going to call you. Ever. Is, eventually, you probably will get a call from a support group at a big company, as many have noted in response, and then all of the other absolutes in the list also become "well, people say never, but I think this is one of those exceptions" instead of "it's never worth taking the risk of assuming it's the company who really called you". A company, even big one people joke about having a complete lack of actual human support agents, may really call you one day. The other 364 days of the year it's probably a scam. The safe bet is to take the issue they called about and contact the official support channel yourself (being careful to get a real one and not an ad/fake site if you need to Google it). It may not always seem the most convenient, but it only takes one mistake to end up in a much more inconvenient place one day. |
|
| ▲ | mandeepj 5 days ago | parent | prev | next [-] |
| Include SPAM call blocker in that list! Notably, both iOS and Android have that feature. Never pick the first call from an unknown number! If it's urgent and they are genuine, they'd leave either a voicemail or a text. |
|
| ▲ | sowbug 4 days ago | parent | prev | next [-] |
| Has anyone invented something like the TLS three-way handshake, or a U2F challenge, that can use spoken words as a transport layer? People could then be "safely" tricked into reading back "correct-horse-battery-staple" or whatever, because they actually wouldn't have the ability to generate a usable sequence unless the attacker first provided something that only the real site owner could provide. I'm imagining something with the non-phishability of U2F but the usability of an SMS 6-digit code. Maybe that's U2F. |
|
| ▲ | speeder 4 days ago | parent | prev | next [-] |
| I used to manage the Google Ads account of a business I had in the past. Google Support would call me all the time, and then first thing they would do is ask me to open the interface and repeat some code or another. |
|
| ▲ | LeafItAlone 3 days ago | parent | prev | next [-] |
| >never give out codes sent to you via SMS or push notifications to someone requesting them via phone or email. Never. The messages often even say that! Some services even say that when they are indeed codes you are _supposed_ to read back to them. Which clearly helps further train people to ignore that language. |
|
| ▲ | klik99 4 days ago | parent | prev | next [-] |
| I am a big fan of KeePass which I sync with Dropbox; good apps exist for iPhone/Android/Mac/Windows/Linux. But I don't know if that's more secure than a password provider like 1Password. At least not fitting into the typical profile, and being able to control the data, open source code, and offline access feels like the optimal way for me. |
|
| ▲ | ajross 5 days ago | parent | prev | next [-] |
| > — never give out codes sent to you via SMS or push notifications to someone requesting them via phone or email. Never. The messages often even say that! I tried making this point downthread but it bears repeating higher up. Per OP, this was an account with Authenticator enabled. If you have a working authenticator setup, they aren't going to "ask for a code", since by definition you're already authenticated. And while I'm no expert, I really don't think there is such a thing. Recovery for a lost account never goes back to device-in-hand once you have enabled full 2FA. Something is being skipped in the description of the phish here. I don't think OP is being completely honest. |
| |
| ▲ | davidscoville 4 days ago | parent [-] | | The code I read to them was a Google account recovery code. That’s how they accessed my Google account. I, mistakenly, believed they needed to confirm I was still alive and the rightful owner of the account. Then the attacker used Google SSO to perform the initial log in to my Coinbase account. Then they opened Google Authenticator, signed in as me, to get the Coinbase auth code so they could complete Coinbase’s 2FA. | | |
| ▲ | ajross 4 days ago | parent [-] | | But... that's an email that would be sent to a non-gmail address, the one on file that you originally registered your account with. And while I don't have copies of the transactions in front of me, these things are not unclear as to their purpose or intent. They tell you straight up that they're resetting the authentication for the account and to be sure you are doing it intentionally. They're also accompanied by warnings that would be simultaneously sent to your active gmail address and to the Authenticator app. I really think you're reaching here trying to ascribe blame. You... just got phished. |
| ▲ | thinker1972 5 days ago | parent | prev [-] |
| [dead] |