|
Powerful Two-Hander posted: pin as verification hhehehe
|
# ? Oct 9, 2019 20:29 |
|
mystes posted: https://twitter.com/digitallawyer/status/1181348689756864513
I've had to deal with Chase's fraud protection department and they were completely OK with me calling back on the number on the back of the card. Did some sort of magic in their system to automatically reroute me back to them with no wait when I called in. I was impressed at how painless it was. What I'm wondering about that scammer is where they are getting their initial information from, since it sounds like they know bank and name information for the target.
|
|
# ? Oct 9, 2019 20:51 |
|
I had a client get hit with something similar recently, where they read off a list of recent transactions on the account. Normally I'd assume dumpster diving for account statements or something, but a) they shred everything and b) these were very recent transactions that shouldn't have shown up anywhere but the online portal.
|
# ? Oct 9, 2019 21:03 |
|
Shifty Pony posted:
No need to wonder
|
# ? Oct 9, 2019 21:04 |
|
Maybe an infiltration into a less-hardened system where the attacker can see some basic info like name/transaction in a log file, but they can't get into the systems to get the final bits needed to actually spoof transactions?
|
# ? Oct 9, 2019 21:07 |
|
Companies such as advertisers buy people's transaction data from credit card companies, although I don't know if it's delayed somewhat or includes exact amounts. If it's detailed enough it could be a lot easier to obtain from the companies that buy it rather than directly from the banks.
Edit: It seems like it's supposed to be anonymized somewhat, but I think it's also been previously reported that companies like Facebook have access to individual-level transaction data? You probably wouldn't even need 100% of recent transactions to make this work. In fact, any way of obtaining information on one or two recent transactions to mix in with made-up fraudulent transactions would be enough to make this convincing. (I'm not saying that this actually happened here, but it's potentially worrying if this data is floating around for this reason.)
mystes fucked around with this message at 21:27 on Oct 9, 2019 |
# ? Oct 9, 2019 21:21 |
|
https://leahneukirchen.org/blog/archive/2019/10/ken-thompson-s-unix-password.html lmao
|
# ? Oct 9, 2019 22:34 |
|
Varkk posted: Apparently we are looking at getting Thycotic Privilege Manager. Does anyone here know anything about it? Is it good, bad or a complete trash fire?
If it's anything like their password reset software, it will have a database without any kind of schema/permissions structure, there will be no encryption for the data at rest, and their install procedure will tell you to give it domain admin without any kind of documentation on what permissions it actually needs if you want to scope it down to minimize your exposure from it. It's not impossible to shim in some mitigations and lock down permissions, but don't expect them to do you any favors.
|
# ? Oct 10, 2019 00:17 |
|
on that note, I've been looking at Adaxes...
|
# ? Oct 10, 2019 00:28 |
|
https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/
|
# ? Oct 10, 2019 00:29 |
|
Oh there we go. hookers.nl got hacked; it's a forum popular with visitors to prostitutes, where they share "tips and experiences". The hacker published a DB dump. The data includes e-mail addresses, usernames, IP addresses and hashed passwords of 250,000 accounts. News site nos.nl looked at the data and says many of the e-mail addresses include people's real names. Users are being warned they might now become a target of blackmail.
E: The rest of the news article mentions that apparently lots of prostitutes have accounts there too, so their real identity might be revealed now, and also that, yep, it was vBulletin.
Carbon dioxide fucked around with this message at 06:53 on Oct 10, 2019 |
# ? Oct 10, 2019 06:49 |
|
Yes, but we can't patch because [insert idiotic reason here]. Sucks that these people are typically considered not the best protected; hope Autoriteit Persoonsgegevens and the police can do anything and that they change literally everything. ancilla probably has a valid opinion about this.
|
# ? Oct 10, 2019 07:04 |
|
That's a secfuck alright
|
# ? Oct 10, 2019 07:39 |
|
*fucksec
|
# ? Oct 10, 2019 10:36 |
|
I guess you could say the visitors of that website got hosed twice.
|
# ? Oct 10, 2019 17:49 |
|
Powerful Two-Hander posted: oh got it, I sort of confused your post and another about pin as verification
I absolutely got asked to say my PIN over the phone by my (major) American bank. I had called them to ask why I got an alert that my account had a new mobile phone number. They asked for the PIN to quickly verify my identity. It was definitely them that I was talking to, since I called their main number, and they insisted that it was a common verification practice for over-the-phone stuff. Finally they explained that customers got a spurious mobile alert recently when installing the new app version, one that upgraded you over to a new database they had just transitioned to.
|
# ? Oct 10, 2019 20:57 |
|
My bank has a password specifically for over-the-phone authentication that is totally separate from my online-banking password or my ATM PIN.
|
# ? Oct 10, 2019 21:08 |
|
yeah the first thing I thought when I read that was "why don't you give the bank a password so then you can challenge if someone claiming to be them initiates contact"
|
# ? Oct 10, 2019 21:11 |
|
Bank of America asks you to log in to their app or online banking to confirm identity; Chase used to ask for your ATM PIN, not sure what it does now.
Celexi fucked around with this message at 21:35 on Oct 10, 2019 |
# ? Oct 10, 2019 21:29 |
|
Chase's fraud number is one of the commonly spoofed numbers, so if you google the number calling you asking about fraud transactions it will show up as a scammer. Powerful way for my checking account to be locked.
|
# ? Oct 10, 2019 21:34 |
|
mystes posted: https://twitter.com/digitallawyer/status/1181348689756864513
Step 3 would have triggered my concern. They're sending me a PIN to read back to confirm that I'm talking on the telephone that they made a call to and am currently talking to them on?
|
# ? Oct 10, 2019 21:45 |
|
What's Tavis up to these days? https://twitter.com/taviso/status/1182418436120428544
|
# ? Oct 11, 2019 00:02 |
|
I'm pretty sure the debugger is left on on purpose so you can debug hosed-up clients in the field.
|
# ? Oct 11, 2019 02:55 |
|
Because MS is going to remote debug a random VSCode install.
|
# ? Oct 11, 2019 04:05 |
|
Maybe to take a peek at what their competitors are coding
|
# ? Oct 11, 2019 04:13 |
|
Shaggar posted: im pretty sure the debugger is left on on purpose so you can debug hosed up clients in the field.
Come on dude.
|
# ? Oct 11, 2019 13:32 |
|
Got some helpful security advice from USAA that's mostly not terrible information, but this bit is good:
quote: Stay alert for phishing attempts: Email fraud spikes during the holidays. You can be sure this message is from USAA by looking for our Security Zone in the top-right corner displaying your name and the last four digits of your USAA number.
You can be sure this is a genuine email by looking for our SECURITY ZONE™, which shows your name and a number you definitely don't have memorized, two things hackers can't ever possibly get or fake!
|
# ? Oct 11, 2019 14:28 |
|
The Fool posted: because ms is going to remote debug a random vscode install
brb paying $texas for a live remote debug support contract on my free text editor
|
# ? Oct 11, 2019 21:16 |
|
Shame Boy posted: got some helpful security advice from usaa that's mostly not terrible information but this bit is good:
Yeah, but odds are the phisher won't bother because that would require work and quality control, which criminals are not known for. Phishing doesn't have to be good, it just has to work on a small, dumb population.
|
# ? Oct 11, 2019 21:49 |
|
ewiley posted: Yeah but odds are the phisher won't bother because that would require work and quality control which criminals are not known for. Phishing doesn't have to be good, it just has to work on a small, dumb population.
*flashing caption that says "This is what future phishing victims actually believe"*
|
# ? Oct 12, 2019 00:42 |
|
Poo poo, this email looks dodgy, but weedlord bonerhitler 6969 is in the corner.
|
# ? Oct 12, 2019 00:59 |
|
Once I reported a lovely fake-looking email to my bank, they told me it was both real and not to worry, that they were sending me emails in a style they hadn't used in more than a decade.
|
# ? Oct 12, 2019 01:01 |
|
I still laugh when I get mails with "hey, [real name], click here to see your latest Paypal transactions". I'm like 75% sure it is legit (it has my real name and is written in my native language), but I've never clicked the links in the mail, which all go to the dodgy-looking "epl.paypal-communication.com", which people online are hotly debating whether it is legit or a scam, but it DOES have a valid Paypal TLS certificate. If those are legit, Paypal is basically doing its best to appear dodgy as gently caress.
|
# ? Oct 12, 2019 01:14 |
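The caveat behind the post above is that a valid TLS certificate for epl.paypal-communication.com only proves that whoever holds the key controls that hostname; it says nothing about whether that domain belongs to PayPal. The only thing a reader (or a mail filter) can check is whether the link's host is the trusted domain or a subdomain of it, on a label boundary. The following is an added example, not code from the thread or from PayPal; the allowlist and the sample links are constructed for illustration, and "paypal-communication.com" is deliberately left out of the allowlist because nothing on the page establishes who owns it.

```python
# Added example (not from the thread): decide whether a link in an email points
# at an allowlisted domain. The host is compared on a label boundary, because the
# substring check people reach for first accepts lookalike domains.
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist for the example: registrable domains the sender is known
# to control. "paypal-communication.com" is intentionally NOT listed here.
TRUSTED_DOMAINS = ("paypal.com",)


def host_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of an http(s) URL, or None if it has none.

    urlparse().hostname already drops userinfo (user@) and the port, so a URL
    like http://paypal.com@evil.example/ yields "evil.example", not "paypal.com".
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    # hostname is lowercased by urlparse; strip a trailing dot (absolute FQDN form).
    return parsed.hostname.rstrip(".")


def is_trusted_host(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the URL's host equals a trusted domain or is a subdomain of it."""
    host = host_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def naive_contains_check(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """The substring check, kept only to show which lookalikes it wrongly accepts."""
    host = host_of(url) or ""
    return any(d in host for d in trusted)


# Constructed sample links: one genuine subdomain, the domain from the post,
# and a few classic lookalike shapes.
SAMPLE_LINKS = [
    "https://www.paypal.com/myaccount/activity",        # genuine subdomain
    "https://epl.paypal-communication.com/track?x=1",   # different registrable domain
    "https://paypal.com.login-verify.example/",         # trusted name used as a prefix
    "https://notpaypal.com/",                            # trusted name as a suffix, no dot
    "http://paypal.com@evil.example/",                   # userinfo trick; real host is evil.example
    "https://PayPal.COM./",                              # mixed case and trailing dot, still genuine
]


def classify(links=SAMPLE_LINKS):
    """Map each link to (boundary-aware verdict, naive substring verdict)."""
    return {u: (is_trusted_host(u), naive_contains_check(u)) for u in links}


if __name__ == "__main__":
    for url, (strict, naive) in classify().items():
        print(f"{'OK ' if strict else 'NO '} (substring check says {naive!s:5}) {url}")
```

Run it and the two verdicts disagree on exactly the lookalike shapes: "paypal.com.login-verify.example" and "notpaypal.com" pass the substring check and fail the boundary check. The domain from the post fails both, which is the point: the check cannot tell you it is malicious, only that it is not a name PayPal is known to own, and a browser padlock on it does not change that.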
|
Agile Vector posted: once i reported a lovely fake looking email to my bank, they told me it was both real and not to worry that they were sending me emails with a style they hadnt used in more than a decade
My bank (BofA (deez nuts)) keeps restyling their website every few years and they give absolutely no notice that they're about to do this; you just go there and it's different. I always make a worthless call to suggest they might want to send a courtesy email or put a banner on the site a few days in advance, but nah, gently caress that.
|
# ? Oct 12, 2019 01:25 |
|
The Fool posted: because ms is going to remote debug a random vscode install
Is this the vsco-de girl invasion I've been hearing about?
|
# ? Oct 12, 2019 01:32 |
|
is Bitwarden (password manager) good?
|
# ? Oct 12, 2019 01:34 |
|
Midjack posted: my bank (bofa (deez nuts)) keeps restyling their website every few years and they give absolutely no notice that they're about to do this, you just go there and it's different. i always make a worthless call to suggest they might want to send a courtesy email or banner on the site a few days in advance but nah, gently caress that.
|
# ? Oct 12, 2019 01:42 |
|
mystes posted: (I seriously doubt anyone could explain how that was supposed to improve security).
The idea is that it forces phishing sites to pass your username on to the real bank server in order to retrieve the picture to display to the user. But realistically the phishing site can just skip that step entirely and nobody notices or cares.
|
# ? Oct 12, 2019 01:59 |
|
cafepress owned
quote: Dear Valued Customer,
|
# ? Oct 12, 2019 02:56 |
|
|
Jonny 290 posted: cafepress owned
I'll bet you can get this printed on a t-shirt there.
|
# ? Oct 12, 2019 03:22 |