Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail From: Newyana2 Newsgroups: comp.mobile.android,uk.telecom.mobile Subject: =?UTF-8?Q?Re=3a_=22=27Scammers_stole_=c2=a340k_after_EDF_gave_out_m?= =?UTF-8?Q?y_number=22?= Date: Thu, 6 Mar 2025 11:09:54 -0500 Organization: A noiseless patient Spider Lines: 58 Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit Injection-Date: Thu, 06 Mar 2025 17:08:59 +0100 (CET) Injection-Info: dont-email.me; posting-host="12852faa944740027d695f2ff74f6ac9"; logging-data="3207387"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18XNtAviZ7fylrwaT9Q/AYQqHnxjzheh8o=" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.3.1 Cancel-Lock: sha1:4j22v7HHHN97QBGWKv8Em3tQr00= Content-Language: en-US In-Reply-To: Bytes: 4189 On 3/6/2025 8:54 AM, Java Jive wrote: > On 2025-03-06 01:56, Brian Gregory wrote: >> >> On 03/03/2025 12:27, Java Jive wrote: >>> >>> So, EDF allowed them to go from his email address to obtaining his >>> mobile phone number for a SIM-swap scam, but I wonder how they >>> managed to go from either to all his savings accounts, unless they'd >>> also compromised his PC or phone as well; if the latter, why did they >>> need to go via EDF? >> >> Once you've got the email and done the SIM swap scam or hacked SS7 to >> read someone’s incoming SMS, that's enough, or almost enough, to get >> in to all sorts of things via the I've forgotten my password link on >> their websites. > > But how would they know which banks, savings accounts, etc, to target > without additional information?  Just knowing his email address on its > own would not be enough for this, there must be hundreds of people who > know my email address, because they send me emails via it, but that fact > alone doesn't make me vulnerable to hacking. > > At very least, they would have had to be able to read his emails Think of the average person. First there was the SIM swap, so now the scammer is getting all texts. They're also getting 2FA codes. With the email address they go to that and say they forgot their password. Then there are two possiiblities. They may need to know security questions, or they may have a password reset link sent to their cellphone. If it's the latter then they have email access. That's part of the lesson here. 2FA is not safer. It's riskier. It's bringing an insecure, portable device into the mix and trusting that device fully. And most people use webmail, or at least IMAPwith email left online so that they can read it from multiple devices. So all email is there. It's not farfetched to think that they might find enough data there to log into banking. No one has to bank online. No one has to leave email on someone's server. Texts can be deleted. But how many people follow such simple security guidelines? You can see from the posts here that a lot of people will argue "'til the cows come home" rather than admit that e-lifestyle is risky. Another possible factor is online data hacks, which have become very common. There was a case awhile back of a company in Florida that was just a data wholesaler, buying and selling personal info. They got hacked. So getting security question info that way is possible. The mystery here is why anyone thinks that dealing with things like banking online, or putting important info in email left indefinitely on servers, or leaving texts on one's phone, might be safe. It's convenient. Period. Anyone who assumes they're safe conducting their life online is simply an ostrich who doesn't want to know the facts. In their defense, the facts are well hidden. But it's still ostrich mentality, driven by laziness.