| ▲ | sosodev 6 hours ago |
| Support requests have always been the weakest link in the security chain for big corps. I've had accounts of mine turned over with 2FA disabled by humans before. I guess we shouldn't be surprised that the LLMs are doing the same thing. The simple fact that 2FA can be removed by low level support staff drives me mad. It defeats the whole purpose of the process. |
|
| ▲ | pocksuppet 2 hours ago | parent | next [-] |
| A flow can either fail safe or fail secure. Fail secure: if you lose your email, your account is forever locked. Fail safe: if you lose your email, your account is not forever locked. But, someone else might be able to get your account by pretending you lost your email. There are no other choices. When the electronic door controller loses power, either the door stays locked, or the door stays unlocked. In case of a fire you want it unlocked so people can get out. But then a burglar can cut the power to get in. Doors that stay permanently locked in a power outage are only permitted in extreme cases where security is of the utmost importance. Obviously Instagram accounts aren't as important as doors in a fire. |
| |
| ▲ | Lonestar1440 7 minutes ago | parent | next [-] | | There are no other online choices. If my Bank login goes totally Kaput, though, I can take my ID down to the Branch to get it sorted. Same with my telecom provider. I try to only depend on services which have this property. I don't succeed. | |
| ▲ | HDBaseT 16 minutes ago | parent | prev | next [-] | | I don't think its that binary. Using the door and fire scenario, you can have manual opening method available, just make it only available on the inside. | |
| ▲ | eddd-ddde an hour ago | parent | prev [-] | | What about "go see an agent in person and use your fingerprint to prove it is you"? |
|
|
| ▲ | ValentineC 3 hours ago | parent | prev | next [-] |
| > The simple fact that 2FA can be removed by low level support staff drives me mad. It defeats the whole purpose of the process. Crazy Domains (one of the few registrars for my ccTLD) removed 2FA from my account (that was in the process of getting hijacked) despite me being on the phone with them specifically telling them not to do so [1][2]. What's worse was that my account got targeted by the same hijacker again when they seemingly changed their support system, and was hijacked for a few hours, leading to my Twitter account getting compromised (this happened around the same time fElon laid off a bunch of people and removed phone-based 2FA from accounts). Fuck Crazy Domains and Newfold Digital (formerly known as EIG). I eventually lost my OG username because fElon wanted it for his Grok nonsense anyway [3]. Fuck Elon too. [1] https://news.ycombinator.com/item?id=47913341 [2] https://news.ycombinator.com/item?id=47859496 [3] https://news.ycombinator.com/item?id=47856983 |
|
| ▲ | giancarlostoro 4 hours ago | parent | prev | next [-] |
| The fact that if your account has had the SAME EMAIL AND NUMBER FOR 14 YEARS OR MORE and support still thinks you got hacked is more embarrassing to me. |
| |
| ▲ | DSMan195276 2 hours ago | parent | next [-] | | That doesn't sound that unlikely to me personally, not everybody has the best tech habits and some life events can result in losing access to both very quickly. It doesn't have to happen often for it to still be a common event in support cases. | |
| ▲ | SoftTalker 3 hours ago | parent | prev [-] | | I used my work email for everything for 14 years, now I'm retired/fired/laid off and I can't access it anymore and I forgot to change the email linked in my Facebook account. | | |
|
|
| ▲ | moritzwarhier 5 hours ago | parent | prev | next [-] |
| 100% Urgency. Emotions. It's all there, and high-stakes environments with no proper protocol are most vulnerable. Source: used to work part-time in IT support at a hospital, by now 10+ years ago, so it was routinely requested to circumvent regulations and security protocols, even medical ones (cough Windows in ICU monitors and other medical "kiosk" PCs that should absolutely not run Windows) |
| |
| ▲ | Krasnol 5 hours ago | parent [-] | | I love those admin passwords which a tech will give you at some point because he doesn't want to do the work himself. If they even have passwords... Unfortunately Siemens woke up. | | |
| ▲ | moritzwarhier 4 hours ago | parent [-] | | You mean admin
or Administrator
?Horrific, people should be jailed for cyberattacks when they carelessly just give out this word. The experiences I meant were mostly - password reset requests (admittedly, we had a protocol even then to strictly require a "physical signature", normally meaning Fax or internal snail mail) - medical protocols: don't wanna go into too much detail here, but: 1) Windows requires a lot of maintenance, often even hard restores, to function normally, even when sold as the UI for physical ICU monitors 2) Medical personell often is severely overworked, especially people in important, but not formally highly-qualified roles. And things like Surgery rooms and ICUs often have very slim time slots. With the former, you should not enter into them without wearing appropriate clothing. It doesn't prevent people working there from requesting you to finally come over and make that UEFI-Windows-Crapware-Kiosk-PC which was sold as a medical device boot... of course especially not when there is an ongoing surgery nearby. And of course, your higher-ups will be there to help you sort out these issues without violating protocols... thankfully I didn't do careless things there and haven't witnessed IT-related disasters there. But still, I gave these examples for a reason :D there was a healthy culture but some of the situations encountered in medical IT support should really require specialized, short-term training. Keeping up rigorous hygiene protocols requires dedicated work by professionals, especially in a large hospital. And the same argument can be made for account protection and user support for large software providers. | | |
| ▲ | Krasnol 2 hours ago | parent [-] | | I support radiologies...I have seen things, patients wouldn't believe. MRI in helium off the shoulder of the CS student.
I watched DICOMs corrupt in the dark near the PACS gateway.
All those moments will be lost in time...like unsaved reports in rain.
Time to reboot |
|
|
|
|
| ▲ | spullara 6 hours ago | parent | prev | next [-] |
| recovery is always the weakest link in any authentication system |
| |
| ▲ | acdha 5 hours ago | parent | next [-] | | This is not wrong but what’s really missing is cost: Meta did this so they can avoid paying people to do it. Lots of companies follow that decay spiral: your bank could shut phishers down cold by requiring wire transfers to be authorized in person but they don’t want to pay staff or risk you being upset by a transaction taking an extra hour so they don’t. Imagine an alternate universe where big tech companies worked with various trustworthy third-parties where something like this would generate a challenge you could take to your local notary, post office, library, police station, etc. where someone would check ID before approving it. How many phishing attacks would be prevented annually by a physical presence check? | | |
| ▲ | dylan604 5 hours ago | parent | next [-] | | > your bank could shut phishers down cold by requiring wire transfers to be authorized in person but they don’t want to pay staff or risk you being upset by a transaction taking an extra hour so they don’t. Isn't this essentially what just recently happened to the Pope? Then there were people here doing the rest of your comment for him saying how egregious it was for them to ask for an in person authorization. It sounded like all he was trying to do was update his address, but changing your address from one in Chicago to one in a European country absolutely sounds like something a phisher would be trying to do. | | |
| ▲ | throwaway85825 4 hours ago | parent [-] | | Its perfectly acceptable for a security model to make things difficult for extreme edge cases like the pope. After all if the situation warrants it such rare events can always be escalated. |
| |
| ▲ | spullara 5 hours ago | parent | prev | next [-] | | for a while facebook had the ability to recover your account by having them ask several of your friends if the recovery was legitimate but it was turned off. my guess is that not enough people added trusted contacts to bother running it. https://www.theverge.com/2013/5/2/4292744/facebook-trusted-c... | | |
| ▲ | parable 4 hours ago | parent [-] | | I actually quite like this solution. Beats asking users to add a "recovery selfie" (something Meta actually does now) - I'd rather choose 3 of my friends and have them approve some notification in-app. Seems like better UX and preserves privacy a slight bit more, but we all know Meta's not in the privacy business. | | |
| ▲ | spullara an hour ago | parent [-] | | honestly I can't think of a better solution that would require a far more coordinated attack to pull off. it should work on any system where trusted folks are likely to have accounts. |
|
| |
| ▲ | 3 hours ago | parent | prev | next [-] | | [deleted] | |
| ▲ | ronsor 5 hours ago | parent | prev | next [-] | | The amount of hassle involved with regular physical checks is why it's not implemented, regardless of attack prevention. The cost of hiring a person is part of it but not really the core reason. People were sold on the Internet with "you can do things online conveniently" and reintroducing the need to physically go somewhere negates that angle entirely. | | |
| ▲ | acdha 3 hours ago | parent | next [-] | | To be clear, I was thinking cost as more than just payroll - e.g. my bank can do this because they have paid for a branch near my house, Facebook does not - but another way to look at it is that many of the costs due to errors have been shifted to the user. I do think friction causes a reflexive resistance to the idea but I think that might be an overreaction. This is a rare thing people should be doing no more than a few times in their life. | |
| ▲ | anonymars 5 hours ago | parent | prev [-] | | > People were sold on the Internet with "you can do things online conveniently" and reintroducing the need to physically go somewhere negates that angle entirely But how often does one need to do recovery procedures like this? How much less convenient is it for everyone else to be at risk of their account being taken over? |
| |
| ▲ | econ 5 hours ago | parent | prev [-] | | Then you get trusted parties selling account access. Even if you remove them for a single false positive they will do it. A bit like a % packages "vanishing". The least terrible seem digital id. | | |
| ▲ | acdha 3 hours ago | parent [-] | | > Then you get trusted parties selling account access How many bank tellers or USPS employees do that, though? It’s possible but quite rare because people know they’ll be running a big risk of being caught and no individual transaction is worth that much. |
|
| |
| ▲ | SoftTalker 5 hours ago | parent | prev | next [-] | | It's a tough problem, because people forget passwords, change phones, lose access to 2FA devices, but still need to use their accounts. | | |
| ▲ | StilesCrisis 4 hours ago | parent | next [-] | | It's worse than "forgetting." Having seen older folks just set up new accounts for a move, they make zero attempt to even try to keep them! Oh, the phone company needs a login/pass? Just type in anything, don't write it down. If something goes wrong, they're going to call in anyway, not use the website. | |
| ▲ | dpark 5 hours ago | parent | prev | next [-] | | I had to go through the account recovery on my Facebook account once and the proof they demanded was that I match a bunch of pictures of friends to their names. I think it took 3 tries over multiple days to actually get it unlocked because it turns out I such really remember a lot of the people I met 20 years ago and friended on Facebook. I don’t recall why I had to go through this song and dance. Very plausibly the account was still associated with an old school address that I could no longer access. So yeah, account recovery is hard. How do you prove someone owns an account when they’ve lost the things they are supposed to use to prove ownership? | |
| ▲ | toomuchtodo 5 hours ago | parent | prev [-] | | I manage customer identity and access management ("CIAM") for a financial services firm. Passkeys are primary, recovery can be performed by providing a government credential remotely (which costs us ~$2-3 per recovery). I do not think it is hard, based on what we have built and spent to enable these capabilities. NIST Special Publication NIST SP 800-63 Digital Identity Guidelines is a helpful resource on this topic. https://pages.nist.gov/800-63-4/ I think Meta just does not care if they're enabling AI attack surface and vulnerabilities into these customer journeys. It's...certainly a choice, versus deterministic journeys with hard guardrails. They could make different choices. | | |
| ▲ | toast0 5 hours ago | parent | next [-] | | > recovery can be performed by providing a government credential remotely That only works because you presumably do KYC when you open accounts, so you have an identity to match to. Most internet accounts don't do real KYC, so a government credential doesn't really work for recovery --- they didn't know who you were, so proving who you are doesn't help anything. That doesn't mean that letting anyone sweet talk support or an AI into taking over an account is acceptable, of course. | | |
| ▲ | toomuchtodo 5 hours ago | parent [-] | | It's a fair point, and can be solved for as part of the "Verified" offerings Meta offers. This binds IRL identity to the digital identity at verification for future identity assurance step up (including if and when recovery is required). Failing that, TOTP, SMS, and even mailing an OTP to a mailing address remain low friction auth factors (with, of course, various levels of security). My point is that while this is not easy, there are obvious very bad ways to implement this that should not be done (chatbot or other generative AI interface vulnerable to the usual suspects of AI inherent attack surface). Don't build the bad way, the right away is known and straightforward. |
| |
| ▲ | macintux 5 hours ago | parent | prev [-] | | I’d wager your range of tech literacy/capabilities for your firm is much narrower than big tech. | | |
| ▲ | econ 4 hours ago | parent | next [-] | | Someone gained access to a Instagram account (belonging to a business by the same name) connected to a fb account (by the same name) that they still had access to. The only thing fb could do was terminate the Instagram for impersonation. It's an impressive level of incompetence. | |
| ▲ | toomuchtodo 5 hours ago | parent | prev [-] | | Range != value, depending on use case. Doing more poorly does not make something better. Our customer identity capabilities are very close to login.gov (we don't have to support hundreds of agency customers and common access cards), and if its good enough for ~342M Americans, its good enough for our customer base. Broadly speaking, work for the sake of work is not valuable work. Show me outcomes for resources and time invested, and compare accordingly. Value is, again broadly speaking (there is always nuance), what you deliver. If you bring me an AI solution for a high risk high value customer journey, data flow, or code path, that is an anti pattern. If you, as a colleague or a stakeholder, put forth that we must use AI in situations that require a high degree of determinism (due to potential high cost failure modes), you will need to prove this extraordinary claim with evidence. Choose Boring Technology - https://news.ycombinator.com/item?id=9291215 - March 2015 (212 comments) ["Am I using this project as an excuse to learn some new technology, or am I trying to solve a problem?"] I get paid to manage risk efficiently, including being measured on time and budget spent against the success criteria, ymmv; my comp and budget is not dependent on how much AI I shove into security systems. "What am I optimizing for?" Amazon scraps AI leaderboard to stop workers chasing usage scores - https://news.ycombinator.com/item?id=48315583 - May 2026 (19 comments) | | |
| ▲ | fn-mote 3 hours ago | parent [-] | | > [login.gov] if its good enough for ~342M Americans I am very curious about the actual number of users of login.gov. I am a US citizen and my experience was … negative to the point of actively avoiding it. | | |
| ▲ | toomuchtodo 3 hours ago | parent [-] | | > I am very curious about the actual number of users of login.gov. "Login.gov has surpassed 100 million registered user accounts. The platform facilitates over 300 million sign-ins annually and sees more than 10 million monthly active users, acting as a secure single sign-on solution across nearly 50 federal, state, and local agencies." https://www.login.gov/partners/faq/ (It is the primary identity provider for Social Security Administration, IRS will eventually adopt it [1]) [1] IRS to adopt Login.gov as user authentication tool - https://news.ycombinator.com/item?id=30430851 - February 2022 (182 comments) |
|
|
|
|
| |
| ▲ | mr_mitm 5 hours ago | parent | prev | next [-] | | It's a hard problem. How do you prove you own an account if you lost all proof of ownership? Especially so if an account was never tied to your real name, in which case you could at least rely on government ids. | | |
| ▲ | throwaway85825 4 hours ago | parent [-] | | Simple, you don't. This is all going to seem quaint in a few years when old accounts started getting deleted for inactivity. |
| |
| ▲ | jgalt212 5 hours ago | parent | prev | next [-] | | fair enough, but what's the actual point of 2FA if it's so easy to override? | | |
| ▲ | 5 hours ago | parent | next [-] | | [deleted] | |
| ▲ | spullara 5 hours ago | parent | prev | next [-] | | the alternative is people losing their accounts and people aren't willing to allow that. i do think that apple does this a little better where they try everything to contact you in every way they know and it takes a week to get access. at a minimum to change your email it should require a week of waiting to see if the user can access the original mail to the hand off. | |
| ▲ | recursive 4 hours ago | parent | prev [-] | | In some cases, checkbox-compliance with customer requirements. |
| |
| ▲ | UltraSane 5 hours ago | parent | prev [-] | | It depends. Some like AWS take it deadly seriously and it takes a long time to recover root access to an account. |
|
|
| ▲ | 2 hours ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | cryptoegorophy 3 hours ago | parent | prev | next [-] |
| low level support, means that they can be "bribed" to do things like this. |
|
| ▲ | karel-3d an hour ago | parent | prev | next [-] |
| well. I lost my 2FA dongle once (left it on a different continent). Which I used to secure my domain name on which I received mail. suddenly I was happy that low level support staff could remove it. (I needed to scan my passport and photo. This was way before modern image generation.) |
|
| ▲ | basisword 5 hours ago | parent | prev | next [-] |
| >> The simple fact that 2FA can be removed by low level support staff drives me mad. It defeats the whole purpose of the process. The fact it can be removed by anyone is the problem. If you lose access to your 2FA (and recovery codes) then you should lose access to your account. Having it removable by anyone (other than a logged in account holder) defeats the entire point. |
| |
| ▲ | ValentineC 3 hours ago | parent | next [-] | | > The fact it can be removed by anyone is the problem. If you lose access to your 2FA (and recovery codes) then you should lose access to your account. Having it removable by anyone (other than a logged in account holder) defeats the entire point. At least make it a major pain in the ass to recover like AWS, which requires some kind of notarised identity verification [1]. [1] https://news.ycombinator.com/item?id=13122723 | |
| ▲ | pocksuppet 2 hours ago | parent | prev | next [-] | | What if I don't want to lose my account if I lose my 2FA? Then I don't enable 2FA, presumably. But some security guy at your company is forcing me to enable 2FA or you'll just lock my account until I do. | |
| ▲ | MarleTangible 4 hours ago | parent | prev | next [-] | | In theory there is no difference between theory and practice, but in practice there is. Well, it gets complicated quickly when a wide range of users involved. | |
| ▲ | robinpie 4 hours ago | parent | prev [-] | | I always thought the entire concept of even password resets was absurd. Email is a huge SPOF for basically everyone. If you lose your password or 2FA, you should lose your account, too bad so sad. | | |
| ▲ | SoftTalker 3 hours ago | parent [-] | | Completely unrealistic. Stuff happens. Email accounts get closed for no reason. People lose their phones, or have them stolen. Lots of reasons why someone might need an exceptional account recovery process. Not saying it should be easy or routine, it should not be. But it must be possible. | | |
| ▲ | basisword 2 hours ago | parent [-] | | That's what recovery codes are for. Unfortunately it seems a lot of 2FA is now implemented without recovery codes. |
|
|
|
|
| ▲ | jeffbee 4 hours ago | parent | prev [-] |
| Yeah. I spent years working partly for the account abuse team at Google and that is why I always shake my head (silently, because the HN groupthink disagrees) at the endless parade of stories on this site about people who lost access to their accounts and can't contact support. Under no circumstances do you want any possibility that front-line support can hand your account over to anyone. The lack of account support is a safety feature, not a flaw. If your accounts are valuable to you, act like an adult and write down the recovery codes on paper. |
