this post was submitted on 17 Sep 2025
37 points (100.0% liked)

Technology

40299 readers
270 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 3 years ago
MODERATORS
remington@beehaw.org
alyaza@beehaw.org
TheRtRevKaiser@beehaw.org
gyrfalcon@beehaw.org
rs5th@beehaw.org
coldredlight@beehaw.org
SemioticStandard@beehaw.org
37
I Was Scammed Out of $130,000 — And Google Helped It Happen (bewildered.substack.com)
submitted 16 hours ago by along_the_road@beehaw.org to c/technology@beehaw.org
11 comments fedilink hide all child comments
top 11 comments
sorted by: hot top controversial new old
[–] bryndos@fedia.io 1 points 1 hour ago

I'd like to know how such a moron "earned" enough to have 130,000 usd laying around accessible to their google account. https://clip.cafe/twin-peaks-1990/theres-over-10-000-here/

Actually, no that's a lie. I really don't want to know that.

[–] zqwzzle@lemmy.ca 12 points 10 hours ago

The irony of a tech worker storing crypto in a centralized exchange instead of an offline wallet.

[–] tal@olio.cafe 22 points 15 hours ago (2 children)

The first comment in response is probably the most important bit:

In addition: trust no inbound communications. If something is in fact urgent, it can be confirmed by reaching out, rather than accepting an inbound call, to a number publicly listed and well known as representative of the company.

[–] GenderNeutralBro@lemmy.sdf.org 9 points 10 hours ago

I was about to say this.

If they can't give me a callback number that is publicly listed on their web site, then they're most likely a scammer.

With Google, however, this is a scarier proposition than with most companies. If someone from my phone company, or my bank, or my insurance company called me, I could very easily call the actual company and talk to a human to confirm. I have no idea how I could ever talk to a human at Google. I'm not sure they even have a public phone line.

[–] MostlyBlindGamer@rblind.com 12 points 14 hours ago

My bank is continuously surprised that I understand this. It’s probably a bad sign.

[–] tal@olio.cafe 15 points 14 hours ago* (last edited 14 hours ago)

At least some of this is due to the fact that we have really appallingly-bad authentication methods in a lot of places.

  • The guy was called via phone. Phones display Caller ID information. This cannot be trusted; there are ways to spoof it, like via VoIP systems. I suspect that the typical person out there

understandably

does not expect this to be the case.

  • The fallback, at least for people who you personally know, has been to see whether you recognize someone's voice. But we've got substantially-improving voice cloning these days, and now that's getting used. And now we've got video cloning to worry about too.

  • The guy got a spoofed email. Email was not designed to be trusted. I'm not sure how many people random people out there are aware of that. He probably was

he was complaining that Google didn't avoid spoofing of internal email addresses, which might be a good idea, but certainly is not something that I would simply expect and rest everything else on. You can use X.509-based authentication (but that's not normally deployed outside organizations) or PGP (which is not used much). I don't believe that any of the institutions that communicate with me do so.

  • Using something like Google's SSO stuff to authenticate to everything might be one way to help avoid having people use the same password all over, but has its own problems, as this illustrates.

  • Ditto for browser-based keychains. Kind of a target when someone does break into a computer.

  • Credentials stored on personal computers

GPG keys, SSH keys, email account passwords used by email clients, etc

are also kind of obvious targets.

  • Phone numbers are often used as a fallback way to validate someone's identity. But there are attacks against that.

  • Email accounts are often used as an "ultimate back door" to everything, for password resets. But often, these aren't all that well-secured.

The fact that there isn't a single "do this and everything is fine" simple best practice that can be handed out to Average Joe today is kind of disappointing.

There isn't even any kind of broad agreement on how to do 2FA. Service 1 maybe uses email. Service 2 only uses SMSes. Service 3 can use SMSes or voice. Service 4 requires their Android app to be run on a phone. Service 5 uses RFC 6238 time-based one-time-passwords. Service 6

e.g. Steam

has their own roll-their-own one-time-password system. Service 7 supports YubiKeys.

We should be better than this.

[–] Powderhorn@beehaw.org 25 points 16 hours ago (1 children)

Honestly, the email record eventually shared screams scam. It's not quite fluent English, has urgency and requests the information not be shared with anyone else. That's a pretty damning trifecta and should have been a red flag for someone who literally works in an authentication role.

[–] tal@olio.cafe 6 points 14 hours ago* (last edited 14 hours ago) (1 children)

should have been a red flag for someone who literally works in an authentication role.

Maybe. But the point he was making is that the typical person out there is probably at least as vulnerable to falling prey to a scam like that, and that that's an issue, and that sounds plausible to me. I mean, we can't have everyone in society (a) be a security expert or (b) get scammed.

[–] Powderhorn@beehaw.org 8 points 14 hours ago

I fell for an email scam about 15 years ago. I was job searching and got a message about a contract editing position looking for a native English speaker, which, given that I had my resume up for just such a role, didn't make me bat an eye. So I responded expressing interest. Long story short, it was one of those "we FedEx you excessive checks and then you keep your portion and Western Union the rest to this other person" affairs.

Of course the first check bounced, my bank account was flagged for fraud, with a balance of -$999,999, and it took weeks to be made whole (thankfully I was) while I navigated the byzantine process of "look, I got fucked; it's as simple as that."

It took going through that experience to be able to look for clear tells (important, as once you've fallen for one scam, you're flagged as an easy mark, so more come down the pike), and I agree that most people shouldn't be expected to be able to spot that unless they've gone through it.

My point is, if you actively work in security, the bar is far higher. This writer basically gave someone his PIN because his phone didn't provide full headers, and instead of verifying on desktop, just assumed it was legit, which is an amateur-level error for an authentication professional.

[–] mysticpickle@lemmy.ca 13 points 16 hours ago (1 children)

Man with $130,000 worth of crypto falls for a scam. Whodathunk 🤭

[–] BakerBagel@midwest.social 4 points 10 hours ago

He didn't even have that much. He was using the "value" at time of writing and not at time of loss. The writer would have likely held onto the crypto currency until after the next crash and would be just as screwed