Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail
From: Chris <ithinkiam@gmail.com>
Newsgroups: uk.telecom.mobile,comp.mobile.android
Subject: Re: "'Scammers stole £40k after EDF gave out my number"
Date: Tue, 4 Mar 2025 21:09:00 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 120
Message-ID: <vq7q5c$21s5q$1@dont-email.me>
References: <vq478a$1a6p9$1@dont-email.me> <m2m70fF4cnfU1@mid.individual.net> <vq4ue1$1ejeg$1@dont-email.me> <vq57fp$1g6j2$1@dont-email.me> <vq5aic$1gnna$1@dont-email.me> <vq6cnr$1pn8s$1@dont-email.me> <vq6u0r$1skm6$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Tue, 04 Mar 2025 22:09:04 +0100 (CET)
Injection-Info: dont-email.me; posting-host="4c179a4a5ac414bb8706b21733ebb32c"; logging-data="2158778"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18thlAImqtUbHGdA6gqVI8k2znUH6k2oRk="
User-Agent: NewsTap/5.5 (iPhone/iPod Touch)
Cancel-Lock: sha1:mRJEIXpJH5TwARrqBLAtgAXqKko= sha1:PialVZnIgqvSBP7niGtdSR3p/DQ=
Bytes: 5774

Newyana2 <newyana@invalid.nospam> wrote:
> On 3/4/2025 3:13 AM, Chris wrote:
>> Newyana2 <newyana@invalid.nospam> wrote:
>>> On 3/3/2025 4:38 PM, Chris wrote:
>>>
>>>>> Ironically, unless someone can hack into my computer they have
>>>>> virtually zero chance of taking over my accounts. First, I don't have
>>>>> online accounts, generally. Second, since I don't use 2FA an attacker
>>>>> would have to somehow get my email passwords.
>>>>
>>>> How does that work? 2FA requires a code *and* the password. You're removing
>>>> a layer of security.
>>>>
>>>
>>> If they're able to take over your phone # they can just go
>>> around to accounts and click "I lost my password". A reset
>>> code will then be sent to the cellphone.
>>
>> That's not how it works.
>> At best you get sent a reset link to your email.
>> This means the attacker needs to know your email account details as well as
>> the username/login for the service.
>>
> That's not typically necessary with 2FA.

Yes it is.

> Remember, you've
> clicked the link that says you forgot your password. Typically
> that would trigger security questions.

Correct.

> With 2FA it could involve
> a code sent to a cellphone...

Only after you've correctly answered additional security. Usually it's an
email not a 2FA code via SMS as it's known to be insecure.

> which the scammer now controls.
> That's the whole point. That's how people are being compromised
> by only doing a SIM swap. In many cases the scammer need only
> know a few personal details, which they might have found in a
> data dump online.
>
>> You're dependent on a single factor. If your password is exposed or, more
>> likely, the company's security has been compromised via other means then an
>> attacker has free rein.
>>
>> Yes, the chances are low, but the potential damage is much higher than if
>> you had 2FA.
>>
> So you say. Yet this man was compromised. Someone was
> able to do a SIM swap and get the rest from that.

Where does the story say that 2FA was the weak point? In fact, where is 2FA
mentioned at all?

> They may
> have even got some of that information by simply waiting for
> texts and emails after the swap.

The primary issue is how was it possible to swap the SIM in the first
place.

> The problem is that the
> cellphone has become the centerpiece of personal security,
> and that trust is not justified.

That's true.

> In my case all they need is my email password, but how are
> they going to get it? Pretty much the only chance would be
> a total data hack of my email host. Or they'll need to know
> the answers to my security questions. Again, that will almost
> certainly require hacking my email host.
> And since I don't bank
> online or write credit card numbers in email, there's not much
> that the scammer could benefit. They could order books in my
> name from the library. But even then they'll need my library
> card or my driver's license to pick up those books. And since
> I use POP3 email, auto-deleting mail on the server, the scammer
> can't look through my old email. So they can't even be a wiseguy
> and change my dentist appt. :)

Basically, with everything so interdependent, if someone wants to target you
specifically they will find a way.

>>>
>>> 2FA is not a security improvement. It's a gimmick to enable
>>> far more extensive tracking of people by linking phone ID and
>>> location to other data.
>>
>> Your paranoia is clouding your judgement.
>>
>
> Famous last words of the ostrich. The whole point of this
> thread is about a man who got SIM swapped and lost 40K
> pounds!

None of which has anything to do with 2FA which you brought up.

There's definitely a lot more to this story. For example, there's a daily
limit of £10k for bank transfers. Plus, I also use the Nationwide bank and
their security is pretty strict especially around new types of
transactions.

> Your neighbor has just been eaten by a lion. Keeping
> his head in a hole didn't protect him. What a shocker!

Reading the whole article it seems they also compromised his email account
and then tried to use his Nationwide credit card, which was blocked
automatically, and stole the £40k from his Premium Bonds. Real nightmare
scenario.

If someone has your emails and your mobile phone number you are royally
screwed. Yes, even you.

Fortunately, the victim has had his 40k refunded.