this post was submitted on 17 Sep 2025
37 points (100.0% liked)

Technology

40299 readers
270 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 3 years ago
MODERATORS
remington@beehaw.org
alyaza@beehaw.org
TheRtRevKaiser@beehaw.org
gyrfalcon@beehaw.org
rs5th@beehaw.org
coldredlight@beehaw.org
SemioticStandard@beehaw.org
37
I Was Scammed Out of $130,000 — And Google Helped It Happen (bewildered.substack.com)
submitted 16 hours ago by along_the_road@beehaw.org to c/technology@beehaw.org
11 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] tal@olio.cafe 15 points 14 hours ago* (last edited 14 hours ago)

At least some of this is due to the fact that we have really appallingly-bad authentication methods in a lot of places.

  • The guy was called via phone. Phones display Caller ID information. This cannot be trusted; there are ways to spoof it, like via VoIP systems. I suspect that the typical person out there

understandably

does not expect this to be the case.

  • The fallback, at least for people who you personally know, has been to see whether you recognize someone's voice. But we've got substantially-improving voice cloning these days, and now that's getting used. And now we've got video cloning to worry about too.

  • The guy got a spoofed email. Email was not designed to be trusted. I'm not sure how many people random people out there are aware of that. He probably was

he was complaining that Google didn't avoid spoofing of internal email addresses, which might be a good idea, but certainly is not something that I would simply expect and rest everything else on. You can use X.509-based authentication (but that's not normally deployed outside organizations) or PGP (which is not used much). I don't believe that any of the institutions that communicate with me do so.

  • Using something like Google's SSO stuff to authenticate to everything might be one way to help avoid having people use the same password all over, but has its own problems, as this illustrates.

  • Ditto for browser-based keychains. Kind of a target when someone does break into a computer.

  • Credentials stored on personal computers

GPG keys, SSH keys, email account passwords used by email clients, etc

are also kind of obvious targets.

  • Phone numbers are often used as a fallback way to validate someone's identity. But there are attacks against that.

  • Email accounts are often used as an "ultimate back door" to everything, for password resets. But often, these aren't all that well-secured.

The fact that there isn't a single "do this and everything is fine" simple best practice that can be handed out to Average Joe today is kind of disappointing.

There isn't even any kind of broad agreement on how to do 2FA. Service 1 maybe uses email. Service 2 only uses SMSes. Service 3 can use SMSes or voice. Service 4 requires their Android app to be run on a phone. Service 5 uses RFC 6238 time-based one-time-passwords. Service 6

e.g. Steam

has their own roll-their-own one-time-password system. Service 7 supports YubiKeys.

We should be better than this.