> I want to start by pointing out I use two-factor authentication just about everywhere and Facebook is not an exception.
I wish he'd mention what kind of 2FA. The reason you _really_ should use U2F/WebAuthn is because it does origin binding which, unlike entering a TOTP, a code from your hardware token/authenticator app on your phone/SMS/etc is not phishable, i.e. you can't enter it by accident on accounts.google.com.totallylegit.ru and then have them enter it on real accounts.google.com. This is so because the U2F/WebAuthn security key signs a request, sent by your browser, which embeds the requesting page's domain, so a signature on attacker.com will not pass victim.com's verification checks, whereas a code from your authentication app is trivially copied.
Beating 2FA is almost always SMS hijacking, but sometimes it's social engineering where the attacker has figured out just the right script to tell support ("oh, I dropped my phone and it won't turn on...") to get it disabled.
edit: correction, beating 2FA without phishing-- like in the post where he lost his account while asleep.
That's most definitely not true, as someone who works in this space. Plain old phishing is much more common, where the hacker tricks a user into entering their code into a malicious website.
To echo OP, this is why it's important to support non-phishable types of 2FA.
WebAuthn (or its predecessor U2F but that's obsolete, so in green field deployments do WebAuthn) is the only practical non-phishable second factor for ordinary users on the web.
You can do this two ways, one of which will make more sense for your web site:
1. PCs/ laptops/ etc. can use little USB hardware devices, from outfits like Yubico, the word to Google or type into your preferred hardware source is "FIDO" although if you have spare cash and like cool toys FIDO2 is a more capable second generation of the technology.
In this situation the FIDO authenticator is your second factor. Your web browser takes responsibility for telling this authenticator which web site you're looking at, and it's just a dumb machine, so from its point of view obviously refunds-my-bank.example isn't mybank.example because those strings are different. The FIDO authenticator just does whatever the browser tells it.
This could be attacked by specialist malware, but it's tricky because the FIDO authenticator wants you to take physical action to trigger authentication, so the malware needs to not only tell the authenticator "Yeah, I'm totally er, Internet Explorer, and I need you to authenticate for mybank.example" but also persuade you to press the button or whatever to make it happen.
Or I guess bad guys can be like "please FedEx your FIDO dongle to us" if people really are that dumb, but then no need for phishing, just call people "Hey, I'm the IRS, send me $5000 in unmarked bills, in a FedEx box marked er cat food for some reason that totally makes sense, to a residential address in a different state, yeah".
2. High end smartphones, the sort with a fingerprint reader, can do the same exact trick using that fingerprint reader (I think some iPhones do facial recognition instead?) to do WebAuthn instead for their onboard browser.
In this case the smartphone is in charge of everything, it knows which web site this really is, it knows if that's really your fingerprint or not (the fingerprint never leaves your device) and it decides whether to send credentials.
For machines it's much easier to do a secure transaction, but machines don't fall for a lot of phishing scams.
> PCs/ laptops/ etc. can use little USB hardware devices, from outfits like Yubico
This is actually built into most computers now -- Windows Hello, and Apple has something similar. Websites can check the attestation response to specifically block those, however. (Seems like Github allows it, and I've written code that allows it.)
> I think some iPhones do facial recognition instead?
Yup, they use whatever you use to unlock your phone. So if it's a FaceID phone, you can use FaceID to log in. You can also hold up your NFC Yubikey to the back of the phone and use that, even if you registered the key over USB on a PC! It's really, really good.
> Websites can check the attestation response to specifically block those, however. (Seems like Github allows it, and I've written code that allows it.)
For the client side of things WebAuthn contains a standard option to block/allow "platform" authenticators, which I empirically know includes Windows Hello, and I'm not sure about Apple's or other equivalents. Of course you'd still want to verify the attestation on the server side.
> Of course you'd still want to verify the attestation on the server side.
You almost certainly do not want to do this for a public web site. If you insist on attestation right thinking people will hit "No" and block the site.
Think about it, what is attestation doing for you in this scenario? You're saying that you don't trust your users/ customers to pick the authentication methods that work for them, and instead you're going to insist on methods you prefer. Do you also choose each user's passwords? "No, sorry, that resembles an English word, we have selected the password 48'J3X$q)M3NBfr_2 for you instead" ?
In a corporate environment this could make sense. If you issue every employee a $100 FooCorp Security Key with their photo engraved on it, maybe you decide to require attestation that the keys used are FooCorp brand keys to prevent employees adding some off-brand Yubico product. I don't know whether that's a good idea, but it's no crazier than lots of corporate policies, however doing this for a public site makes no sense, please just skip attestation.
Yes! Any developer that forces the user to use a specific type of device needs to be smacked around a bit (or more accurately, the manager that told them to do it that way). Banks are notorious for this, since their stupid 2FA apps will do insane things like scan your app list for common root-only apps and non-vendor ROMs (even with no root). Some even have a vendor whitelist that obscure brands (like OnePlus used to be) aren't on and in both cases, their only response is "well just factory reset your phone" or "just buy a different device". I've switched banks twice because of this insanity.
And there's no reason to do this! It's not like they're liable if I get my money stolen. If they prove 2FA was used and the security issue was on my device, not their app/server, it's my fault! As you said, if you're a custodian of something sensitive (an account, documents, money..), not the owner of it, it makes sense that the owner shouldd be able to dictate how you should protect it (like if you're accessing confidential company documents using 2FA). But in any other case, the service provider should never be allowed to force you to use a certain type of authentication device.
Your recollection was correct but is now a few years out of date. As is typical Apple they intro'd it (in 2017 IIRC) as a 1st party dogfood item, started read only. Then in 2019 with iOS 13 allowing far more power including full range of two way authentication capability. Yubico blogged about it [0] after the announcement, and Apple's HIG on use of NFC [1] is also available. Also, Safari itself needed to have support added, but that too is now available.
So old workarounds like using the lightning port are no longer necessary, though AFAIK are still supported. It's nice to have it there as well since to really be most effective every platform a user has needs to support hardware 2FA. If something still needs SMS or OTP or whatever that becomes the weakest link.
In 1) I don't think my YubiKey knows anything about the sites I use it for? It just creates keys, so a phishing site could presumably still steal the key created by YubiKey and pass it on to the real site.
2) My fingerprints definitely don't know anything about web sites. So WebAuthn being unphishable has nothing to do with fingerprints. It is only incidental that some devices decide to unlock the functionality with fingerprints.
1) The browser tells the Yubikey: "sign this: 'logging in to site.com at 12:34PM'". The yubikey signs it and gives the signature to the browser. The browser gets the signature and passes it on to the site. attacker.com will get a signature over 'logging in to attacker.com at 12:34PM'. That signature will not allow the attacker to log in to facebook.com .
2) Correct. In fact you don't even need a hardware token. You can do the whole thing in software. It could even theoretically be built right into your browser (but you would have the problem of logging in to the account on a different device or different browser). The fingerprint protects against physically stolen devices, and slightly against malware on your computer.
> The browser tells the Yubikey: "sign this: 'logging in to site.com at 12:34PM'"
It's even a little bit cleverer than that. During enrollment (to say, Facebook.com) your Yubikey provides a random looking "identifier" to Facebook.com, and it promises that it can sign future logins if Facebook.com shows it the same identifier. The identifier is bound to the DNS name!
So a phishing site has a few choices, none of which help the bad guys even a tiny bit:
* It claims to be Facebook.com, but it isn't, so the web browser just doesn't even show the UI for Security Keys. There's a behind the scenes Javascript error basically, "What? You aren't Facebook.com fool".
* It admits its real DNS name, and makes up a random identifier. The browser gives the random identifier and the real DNS name to your Yubikey. But, it has never heard of this combination, so, it blanks the entire authentication figuring this must be for a different Security Key plugged in on another port or something.
* It gets that identifier code for your login from Facebook, and then admits its real name to your browser and provides the identifier taken from Facebook. This still doesn't match, and the Yubikey again assumes it must be for some other Security Key on your system.
Behind the scenes this is actually done with AEAD cryptography, maybe with AES keys baked inside your Yubikey. The "identifier" is actually something like a private key (likely elliptic curve parameters) that has been encrypted using an onboard secret AES key in an AEAD mode, with the DNS name (well, a hash derived from it) as a factor.
As a result, your Yubikey can't even decrypt the "identifier" correctly in order to log you in without the matching DNS name. This means goofs in the implementation fail safe - e.g. one brand of cheap Security Keys can fail to sign in once every 256 tries on average due to a logic bug. But they'd never sign in where they shouldn't because of mathematics, to do that they'd need to "accidentally" completely break the mathematical foundations of the cryptography!
I'm still waiting for password managers to add soft-WebAuthn support, so I can log in using my password manager (and no physical keys or passwords). That would make password managers ten times better.
Then again, it doesn't have to be the password manager that does this, but it'd be nice if it were integrated.
yes exactly! Bitwarden supports TOTP nicely already. And I think you can authenticate to it with FIDO2 apparently. It would be awesome if it could do software-based WebAuthN but I don’t think it does…
It doesn't, unfortunately. I've opened an issue on their forum but nothing yet. Not many websites support WebAuthn (let alone passwordless), so I guess password manager vendors aren't in a hurry to implement it.
The browser will only give access to the Yubikey token for a specific domain name - so if the attacker phishes for examle.org, rather then example.org, then there is just no tokens (signing keys) available the Yubikey could use and give to the browser.
In the early days WebUSB in Chrome had bugs that allowed to bypass that same origin check but that has been fixed 3 years ago.
I've been using the browser's password manager as protection against phishing, as the password manager won't fill in passwords on the wrong site. So I guess it works in a similar way with the Yubikey? OK.
At a very very high level yes - but the reason you want to use tokens is that you get a second factor and you have better entropy and created tokens are time based (password is valid forever).
It certainly would make sense to improve the UX as opposed to coming up with different implementations.
webauthn basically forces use of HTTP as the application level protocol, whereas a client side TLS certificate will work regardless of which application protocol is in use.
Client certificates, as the name might hint, certify your identity. But a big thrust of technologies like U2F and WebAuthn was not to do that, for privacy reasons.
My FIDO authenticator has no idea who I am, no opinion who I am, so you can't use it to do identity correlation. It's only useful for the very specific problem we wanted to solve "Are you still you?" "Yes".
In contrast a client certificate for u801e is enduring proof you're u801e and signatures the client cert makes during login will be durable proof that u801e logged in. PornHub can show Facebook and GitHub that the same user is using their site. So that's a privacy hole you can drive a truck through.
There are numerous practical problems with trying to leverage TLS client certificates for this work, but that's a big privacy problem.
> In contrast a client certificate for u801e is enduring proof you're u801e and signatures the client cert makes during login will be durable proof that u801e logged in. PornHub can show Facebook and GitHub that the same user is using their site. So that's a privacy hole you can drive a truck through.
Client certificates can certainly be separated based on different domains. So, there would be no way to really determine my identity across multiple websites if I sent each one a different CSR and they each gave me different client certificates. The browser should only send the client side TLS certificate that's relevant to the server it's trying to connect to via TLS.
The main purpose of the client side TLS certificate is to verify the identity of the client on the server side, just as a server side TLS certificate signed by a trusted CA allows the client to verify the identity of the server. In the case of the client side TLS certificate, it doesn't have to be signed by an outside entity. There could be an internal CA the server uses to sign those CSRs and when the client connects, the server need only to verify that the client cert presented has a valid internal CA signature.
There's no reason why it has to be horrific. I'd like to see someone make a decent attempt at making client TLS certs actually work well, including not using the same cert for multiple domains by default. Other problem is, I don't think many web server frameworks have support for them either.
The cheapest available FIDO2 option is PIN-based so your PIN (actually any password, it doesn't need to be like a bank PIN) is the something you know, and the FIDO2 authenticator is something you have, two factors. You don't need to pick a PIN to have conventional "second factor" working but if you want a usernameless authentication you can have that by choosing a PIN.
What's different compared to having a web site password? The web site knows the password, but they don't know your PIN. This means suddenly relatively weak human memorable passwords are good enough, because bad guys can't break in and steal 40 million of them in seconds or leverage them across multiple sites, the PIN is useless without the authenticator.
But other FIDO2 authenticators can do fingerprints, making it something you are (a person with that fingerprint) and something you have (the authenticator) so two factors again.
Usernameless (rather than passwordless) is the differentiator. You can literally have the sign-in flow be a "Sign In" button and the user does the thing (finger on reader, types in PIN, or maybe looks at camera) and they're authenticated. No step where you type in an email address or a username. This has a privacy cost because it means the authenticator knows in some sense who you are, but it is super convenient if that's what you're all about - while being much more secure than today's username + password dance.
The FIDO2 key is usually protected by a PIN that wipes the key after a few wrong attempts, so it combines the two itself.
Besides, there's nothing that dictates how secure the key should be. You could use your hardware cryptocurrency wallet for this, which is probably much more secure and convenient than the average Yubikey (you can duplicate it with the seed phrase).
Some people care more about convenience than security. And for everyone else, it doesn't have to be passwordless. You can use a regular password and a FIDO authenticator.
So, popping up three comments, this explains which types of 2FA are not phisable:
> I wish he'd mention what kind of 2FA. The reason you _really_ should use U2F/WebAuthn is because it does origin binding which, unlike entering a TOTP, a code from your hardware token/authenticator app on your phone/SMS/etc is not phishable, i.e. you can't enter it by accident on accounts.google.com.totallylegit.ru and then have them enter it on real accounts.google.com. This is so because the U2F/WebAuthn security key signs a request, sent by your browser, which embeds the requesting page's domain, so a signature on attacker.com will not pass victim.com's verification checks, whereas a code from your authentication app is trivially copied.
Yubikey is one - it requires the user touch a hardware device which signs something locally that I think is never sent? I don’t know enough of the implementation specifics, but it’s supposed to guard against this kind of thing.
Yubikey is actually pretty "phishable", at least in the OTP mode. It will happily put the token into a phishing website (or literally anywhere else) as soon as you touch it.
It's also good to know that Yubikey's OTP tokens don't expire based on time, but based on a hidden counter that gets incremented with every issued token.
So if you've accidentally touched your Yubikey and leaked the token publicly, you just have to log out and then log back in using your Yubikey - that action will invalidate all tokens issued before this point.
Yubikeys (or at least some models) can be configured with multiple different OTP implementations. Yubico's own OTP implementation behaves as you have described. It is not a guarantee that generating an OTP from a Yubikey means you have generated a Yubico OTP.
YubiKey uses U2F and FIDO2/WebAuthn. The YubiKey also does a lot of other things, depending on which YubiKey you have... but if you want 2FA on random websites, those are the most likely protocols (used for GitHub and the like).
The basic U2F + FIDO2/WebAuthn is the least expensive model, around US$25. These days it works seamlessly on Chrome, Firefox, and Safari.
What happens if the Yubikey goes bad? I use one for work, and the last 2 keys I had developed some hardware issues, and stopped responding, so I had to get a new one.
The recommendation is to have at least one backup key.
There's also a WebAuthn extension in the works to at least make it easier to maintain a backup key by not having to pull it out of the safe every time you register MFA with a new service:
I really wish I could find a password manager which supports WebAuthn, and can also be unlocked with WebAuthn, so that only one secret needs to be replaced in such a situation.
I wondered about this in regards to Crypto and NFT's in the digital wallet space. It seems like Metamask with a ledger wallet is stadard, but I have a theory that if you're not sophisticated and you get into Crypto/NFT's, it may be safer to just use Coinbase Wallet, as it is less popular target than matamask and you're able to leverage Coinbase's ongoing security updates. and if you're not sophisticated, you're just as likely to lose your stuff via user error with a hard wallet set up.
Just don't click on giveaways and never enter your secret code
Another poster has mentioned it, but I will add weight. This is super ultra mega wrong.
Phishing SMS and TOTP codes is way more common than SIM-swapping. Outrageously so. SIM-swapping does not scale. You need to call up a company each time you want to do it. Yes, it works. But you cannot sell a tool that just automates it. In comparison, there are many off-the-shelf phishing kits that fully automate SMS and TOTP 2FA theft.
Unless you use Yubikeys (webauthn) etc these phishing attacks just continue to work. I do consultancy in this space at times and about 95+% of folks who enter their password will also enter their MFA token.
Followed the link and the read me is bit spare on details. For the less technical this still would require the phishee to manually enter credentials which then can be relayed to the attacker. Correct? The article mentions this happened while the author was asleep — any thoughts on how that would work?
One thing that can happen is you get enduring credentials from the OTP sign-in, and they last despite other credentials simultaneously existing elsewhere.
I only use Facebook trapped inside Facebook Container in one Firefox on one computer. But my understanding is that it's possible to sign in to Facebook from say a phone and a laptop at the same time, so the bad guys could get you to give them working credentials one day and persist those until you're asleep before using them. If you went to Facebook's security settings "Where you're logged in" and it lists two logins, one in "Paris" while you are in New York, you might realise there's a problem and force them out. But most people likely never look at that, why would they?
I think the fact that password managers can spot incorrect urls better than users is useful. However I've become numbed to this warning flag by those services that seem to have endless different urls that are all legitimate. (Microsoft being a particular offender here).
I can imaging some variant of outlook.microsoft.developer.really.yes.com catching me unawares one day.
Microsoft does seem to know how to do this correctly when they have to, as they offer WebAuthn and there is deliberately no way to tell WebAuthn "I know this is outlook.com but I need live.com credentials". So they will bounce you through the right name to make it work. But you're correct that for phishing this habit of making up new DNS names is a problem, ie it convinces the lay person they have no idea and should just fill in their password wherever it's requested.
It’s probably worth faking having lost your 2FA and asking for it to be reset. If you find out they are this careless with 2FA-protected accounts, you should probably not rely on it too much.
I manage an authentication and identity provider and if someone gets locked out of 2FA and can’t prove their identity via a previously-uploaded gpg key, they get locked out for good. I never honor requests to reset the device sent by email, no matter how much they beg or offer to prove identity by sending copies of official IDs - I don’t care who they are now, I care about them being the same person that set up the account and 2FA, which can only be proven via a valid 2FA device or a GPG signature.
> It’s probably worth faking having lost your 2FA and asking for it to be reset.
I'm not sure I trust that I'd be as good an attacker as a professional, and there's not a great way to replicate "hang up, call again" approaches likely to work with a big org.
It could be worth it to spend the 1.50$ on stripe to do identity verification with id documents for accounts of a certain size, so that they can present those documents again to regain access to their account.
Re-enabling the account after a certain period of time without activity would also be a good measure (on top of the id verification).
The whole point of using Stripe for it would be not to have the documents in question. Kind of like you don't hear about companies using stripe losing their customers' card numbers.
Google is better than all other alternatives in that regard. They have a feature called Advanced Protection where you add your 2FA U2F keys and if you lose them your account is gone. No social engineering possible.
IMO, this is way too extreme for almost everybody. There needs to be some sort of happy medium so that a person who's lost everything they own (e.g., house fire) can get their account back somehow still. Two ideas I had:
1. When you set up your account, provide your legal name, date of birth, and a photo. If you need to reset 2FA, go somewhere in person with a government-issued photo ID (which we already have procedures to replace) that all of the details of match.
2. When you set up your account, provide 5 trusted contacts. If you need to reset 2FA, get 3 of them to agree.
Advanced Protection does have the account recovery. https://landing.google.com/advancedprotection/faq/ It is just very slow as it's a human process. There's very little reason you shouldn't use Advanced Protection, if your account is important enough.
Which Google API do you mean? I use advanced protection and have developed various things with various Google APIs, I just use a service account with minimal privileges for each thing I'm developing, which is probably best practice anyway. Not sure about rclone but probably it would work fine with a service account too?
It sounds like you're trying to use APIs with your personal account rather than using a service account though? Again, I use Advanced Protection and I've never encountered the problem you're describing.
>If you need to reset 2FA, go somewhere in person with a government-issued photo ID (which we already have procedures to replace) that all of the details of match.
Very few people are going to want to pay for this labor if the perception of risk of using a free account is as low as it is now.
What about giving people a choice like this to pay for the labor? Either pay $1 per month for your account, and then this service is free for you whenever you need it, or have a free account, but then this service costs you $1000 if you ever need it.
That would be nice, but I imagine there's a perception problem with that.
Simply offering the option would bring the risk to the forefront of people's minds, and once you start exchanging money, lots of other thoughts and liabilities begin to enter.
If it is kept free, then the conversation ends there.
My concern with that is that if something happened to the off-site token (e.g., ESD damage, or even just random failure over time), I may not realize until I needed it.
If you would like to take advantage of such an option, you are also opting in to taking on an operational burden. That burden is exactly maintaining a set of backup keys and testing them on a regular basis.
Everyone already pays the same operational burden with their house keys, which are far more difficult to manage for the average person (as they leave the house constantly). It's worked fine for hundreds of years.
If you lose your house keys, you get a lock smith to break into your house for you - your house doesn't become unusable forever more.
If you ever need to have this done, you'll realise how much house keys and door locks for many cases really only stop the opportunistic "pull the handle and see if it opens" attack. If your door has above average security they'll need to drill the lock, but the time I had to call one they could just push a tool through the letter box and break/move the bolt by applying leverage from the "indoor" side.
That way you end up with the same issues as we have now with SIM swapping: Post Office employees are not more reliable and not necessarily more careful with their credentials than people who can give you a new SIM card.
The post office does (did?) ID verification for first-time passport applications. I think that’s about as good as you can reasonably expect since it gets you a bona fide, universally-accepted proof of ID that would work anywhere else.
I would bet that the post office employees are a bit less susceptible to the “hurry up and hit your metrics” pressure than someone at the Verizon call center.
“If you lose your key and are still signed in on one of your devices, visit account.google.com to add or replace a key. Otherwise, submit a request to recover your account. Google may take a few days to verify that it’s you and restore your access.”
I trust that it would be (potentially much) harder than normal, but it still seems to be possible.
A little bit. It's mostly a time delay, since the alternatives to verify your identity seem to be a different emailaddress or a phone number and then you're back to square one imo. The phone number is still susceptible to social engineering and the alternative mail likely is too. Ideally I want something where keys gone = account gone. Now a dedicated scammer could still succeed and it sure doesn't provide any real safety for political groups which Google kind of claims it does by using testimonies from politically vulnerable people to "advertise" the Advanced Protection Program. This is a tricky situation though since your adversaries could get your keys and your password and then they control your account without any chance of getting it back, so it's definitely a double edged sword.
> It's mostly a time delay, since the alternatives to verify your identity seem to be a different emailaddress or a phone number and then you're back to square one imo. The phone number is still susceptible to social engineering and the alternative mail likely is too. Ideally I want something where keys gone = account gone.
I can think of options less extreme than keys gone = account gone that are still very secure.
e.g. To enable "Extra Advanced Protection" you have to visit Google HQ in your region, where your DNA is sampled. If you ever need to recover your account, you have to visit Google HQ again for another DNA sample, after which you're provided with account access, in person.
Definitely also a good, but still very extreme option. This might actually be more secure, depending on the threats you have to take into account. It would be possible to retrieve the account after a (physical) hack.
Oddly enough, Google's Advanced Protection is the gold standard in my opinion, yet Firebase Auth, an Auth-as-a-Service product from Google, only supports SMS as a second factor, which is baffling to me.
How is it possible that some kind of imaginative script can be enough to get SMS sim swapped?
Why aren't the operators requiring a strong identification via a passport or something like that? Maybe I'm really dumb but that just boggles my mind, whether or not there exist other types of alternatives to 2FA.
There's not much you can confirm over the phone, except the account PIN and sometimes security hint. But an attacker can pretend to have forgotten it and press that the matter is urgent. If the attacker knows enough about the person, they might be able to convince an agent to make the swap so the agent can:
1) Get on with their day to maybe hit a support request quota
2) Make sure this person doesn't give them a bad customer satisfaction score
They could require this. Most of the big operators have physical stores where they could do an ID check. There should be an advanced protection mode where SIM swaps and other sensitive operations require physical authentication.
How does an sms hijacking attack typically work? I know sms isn't secure, but how does one go from having a password to bypassing the sms confirmation? Is it as easy as having the number and carrier?
It happened to me. Cellular carriers, in my case T-Mobile, didn't require any confirmation to port a number to a new phone/sim.
Eventually some required the last 4 of your social security number to port a number, which we all know at this point are pretty much public anyway.
T-Mobile now lets you set an arbitrary pin, which my parents promptly set to their DOB :facepalm:
I haven't looked more into it, but as far as I know, sim swap/port attacks were hilariously simple to execute which is why I only use SMS verification when it's the only option.
Maybe what is needed is regulation that makes the service provider liable (with no option to disclaim it) for all damages suffered by the victim if the provider gives away their phone number to an attacker.
I accidentally ‘hijacked’ a number by typoing one number in my online request. I only found out after my wife pointed out my number was different after porting. It took a couple hours with the telco’s support agents, and practically no verification steps, to actually get my correct number back. Very sad state of affairs here.
IIRC, in the US, sometimes just give the old sim some random phone number (to keep you paying the bill) and don't cancel the line. In the EU, I'm pretty sure they cancel the old line.
No; phishing / vishing is contacting the customer to get login details. Contacting support and getting them to circumvent security is social engineering.
It's zero cost and zero effort to port someone's number out, or get a new SIM card issued for the existing account.
I've worked with a bunch of streamers and YouTubers, and the threat model is such that people have shown up with professionally made printed fake IDs to attempt hijacking in an actual retail carrier store.
It's an attack on humans, not on technology. You trick their phone carrier's employees into thinking that you're them and that you lost your phone. Then you end up with a SIM card assigned to their phone number, so you receive all of their calls and texts instead of them.
> I wish he'd mention what kind of 2FA...U2F/WebAuthn...origin binding...SMS
It shouldn't matter, because it's irrelevant to the point of the article, which is that Facebook (at least as reported) leaves a hacking victim with little or no recourse to get their account, and sometimes livelihood back.
An imperfect real-world analogy of your question is like asking about what precise brand of bear mace an assault victim was or was not carrying, and whether a better one would have helped. Perhaps it would have, but that's not the point. If having hardware tokens is so important, Facebook should be making them mandatory at its scale.
For work things I often have to enter a code from one or another app that expires every few seconds. I've always wondered how exactly that works. Where might I go to find out about that? Is it as straight forward as googling "how two factor authentication works" or is there some other terminology?
- You and I share a secret at my first login. Let's say our shared secret is "wibble".
- For any subsequent successful login with my username and password, for the second factor I send you the last six digits of the SHA1-hash of ("wibble" XOR current timestamp)
- You calculate the second factor yourself as well by doing the same operation (you have stored "wibble" for my username, and know the current timestamp), and verify those last six digits. If they are wrong, I am an attacker!
In practice, it's not the exact timestamp, down to the millisecond--there's a window of 30 seconds or so for each code. On top of that, some services will also accept one of the last (or next) few valid codes too. So it needs to be roughly synchronized, but not impractically so.
Some systems have some extra magic that allow the server to adjust for each device's clock skew; this was particularly important for hardware tokens that didn't have network connections. To imagine how that might work, suppose the server normally accepts responses that are valid at times t-2, t-1, t (the current time, per the server), t+1, and t+2. If a user consistently replies with the t-1 token, we know that her device is running slightly behind and we can instead authenticate against t-3, t-2, t-1, t, t+1.
Imagine a hash function that generates a number from the number of minutes since epoch hashed additionally with some seed. You have it on the server, you have it on your, say, phone. When you enroll you share a seed for the generator. Since your time is synchronized, the server knows what value(s) to expect, and the phone knows which value to generate.
How is that possible? Codes from authenticator apps I've seen are 6-digit decimal codes. I don't know much about how it works. But I can't see how this is immune from mitm. I pretend to $SERVICE and ask you for your authenticator code. If you fall for it, you'd give me the code, which I can use to impersonate you for the next 30 seconds.
Codes from those apps are typically TOTP: a deterministic output given a shared secret (e.g. from QR-code during the setup procedure) and current time interval, e.g. HMAC(shared-secret, time-interval) mod 10^6. This does not embed the domain. However, U2F is a completely different protocol that does: you'd typically insert a YubiKey in a USB port and tap a button on it when the browser sends "plz sign a request from login.bank.com" (+ other associated data) https://developers.yubico.com/U2F/Protocol_details/Overview....
(Note that most YubiKeys also support non-U2F modes, most commonly HOTP (HMAC(shared-secret, counter); counter +=1))
U2F/WebAuthn doesn't use six digit codes. You plug in USB key, press button on top of key, and browser does exchange with key and passes result to site.
The exchange between browser and key includes the domain of the site. It only works on the same site where registered the key.
AFAIK some websites allow you to use the previous TOTP code for convenience for some more seconds. That makes the total time to impersonate you to be 30 (or whatever was configured while issuing the TOTP secret) plus the grace period websites allow.
You misread that statement and the excerpt you copied completely changes its meaning if you remove the surrounding. Read it as:
"U2F/WebAuthn is secure because it does origin binding which is not phishable, unlike entering a TOTP or a code from your hardware token or authenticator app or SMS"
Putting the original parenthetical in between the start and end of the main clause definitely makes it easy to misread. I just moved the parenthetical to the end of the sentence.
I really wonder why typically the default policy is to convert a totp token to a longer lived token (keep browser authorized) defying the whole idea of totp. Used like this it seems like just two passwords or am I missing anything? Phishing seems really easy.
How? TOTP does not embed the domain, as it is generated on a separate device which does not communicate with your browser, and does not know the target domain. TOTP is literally HMAC(shared-secret, time-interval) mapped to a short range (e.g. mod 10^6).
Then that's not TOTP https://datatracker.ietf.org/doc/html/rfc6238 but something different. Do you know how it is called and which products support it? I'd love to read up about it!
It certainly recognizes the domain, but thats more of a convenience feature than a security feature. Nothing is stopping you from putting your example.com code into legit-example.com manually. Sure the extension won't do it automatically, but if the user is convinced to put the password into the fake website, user could also put in the TOTP code
How was the account hijacked? Via cookie theft. The author installed malware, maybe some dodgy windows binaries or malicious browser extensions. No amount or type of 2FA on sign-in will protect you against the session cookie being stolen. (Now, additional 2FA on sensitive actions might).
Why was the account was banned with such finality, with no chance of appeal? Probably for something outright illegal, like the hijacker uploading CSAM to the account. It's totally plausible that in an obvious enough case, the policy is e.g. to refer the case to law enforcement and keep the account disabled.
Why did the attacker want to get the account permanently disabled? Maybe an account disable doesn't stop ad campaigns on FB. So the attacker sets up an ad campaign, and then gets the account banned so that the owner can't reverse it.
I think that's quite likely. I have a (somewhat throwaway) FB account, not much of a profile and mainly used for a local cause. Co-admining a page I'd clicked on a clickbaity headline posted to the page and several days later my account was disabled.
The account recovery process was completely broken/circular but somehow the account revived itself after a week.
The fact that my 'friend suggestions' were untainted by a friends list seemed to confirm the hack as all my suggestions were from people in an entirely new continent.
There's no way clicking on a headline would lead to your account being hijacked... Unless there's a browser 0-day which are extremely valuable and no one would waste that on your FB account. Or if clicking the link downloaded malware and you ran the malware.
Did you ever use the password of the FB account anywhere else? You getting phished is also much more likely than a browser 0-day. Did you have a security key on the FB account?
You're right. But when there's an exploited vulnerability Facebook logs everyone out and then posts a blog post about it, as show by the 2018 hack you linked to.
That hasn't happened here.
I don't really consider 3 years ago to be very recent.
I think that 3rd link is arguably not a vulnerability. If you intentionally want people to be able to look up future friends by email address, then that's basically the desired behavior. Now arguably allowing people to look up future friends by email is a privacy problem. Some users probably want that feature though. Yes a lack of rate limiting is a problem, but rate limiting won't stop attackers from doing it, it just slows them down.
Leaking PII in the name of "features" is a security disaster.
Ask yourself why Facebook doesn't just make available a spreadsheet of all names associated with which emails on the platform. It's because it's private information.
Why doesn't Facebook's security team do anything? Either they're incompetent, or they're being muzzled by product.
Additionally, Facebook's privacy policy explicitly says that they don't share your private information that you have chosen to set private. That's an egregious lie.
There's been a bit of miscommunication here, and I think it's partially my fault. It looks like there was a vulnerability in the rate limiter, and Facebook has admitted that and says they're trying to fix it (I don't know whether they have fixed it):
>In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings."
I'm not sure whether you're just concerned with this apparent rate limit bypass vuln or with the entire concept of lookup by email.
>Ask yourself why Facebook doesn't just make available a spreadsheet of all names associated with which emails on the platform. It's because it's private information.
That would be Facebook telling you the email of every account. The behavior we're discussing is not doing that. Facebook allows you to find a person's profile given a person's email (assuming the person didn't disable that lookup it in privacy settings, and also considering rate limits which might be bypassable by a vulnerability). Facebook doesn't allow you do to the reverse unless the person sets email visibility to public.
>Why doesn't Facebook's security team do anything? Either they're incompetent, or they're being muzzled by product.
What do you think they should do?
Just because someone disagrees with you doesn't make them incompetent.
>Additionally, Facebook's privacy policy explicitly says that they don't share your private information that you have chosen to set private. That's an egregious lie.
What private information is being shared? Your profile URL? Your first and last name?
Facebook has an option to disable this lookup. Are you saying people are disabling the lookup and Facebook is disobeying that?
>Who can look you up using the email address you provided?
It was a secure account as far as the password goes, no 2FA. Like I said it was a bit of a throwaway account. Password 15 chars long, random chars.
No phishing.
I concluded that there's perhaps a cross-origin issue on Facebook's side that allowed cookie hijacking. The clickbaity link was almost tailor made for our group "[something ominous happened] in [your part of town]". Looks like it was auto-shared by someone whose account had been compromised as they were local. Reasonably confident it was a session hijack, my password remained the same while account locked.
The only other plausible thing wrt my account's case was that it was almost empty (i.e. no photo, no friends, not much to go by) and was somehow flagged but was given a misleading reason why it was.
>The only other plausible thing wrt my account's case was that it was almost empty (i.e. no photo, no friends, not much to go by) and was somehow flagged but was given a misleading reason why it was.
That sounds much more likely to me.
When facebook has a website vulnerability that is exploited, they log everyone out, post a blog post, and makes big news:
>"[something ominous happened] in [your part of town]"
Those ads are all over. They determine [your part of town] through geoip or FB tells the advertiser your city. It's like the "singles in [your city]" ads.
The thing is it wasn't an ad, it was a post a regular user posted into a group.
And that being the plausible answer doens't explain why me as a Northern European post-ban-resurrection ended up getting all my friends suggestions from Africans. It was never the case before that and all my activity simply involved campaigning against losing a local park and looking at local news.
Was the user a spam bot? Maybe the bot saw a city mentioned in the group and generated a spam comment using that city.
It's possible some people (or bots) from Africa viewed your page and no one else did in the recent past, and thus Facebook thought there was some connection between you and Africa.
clearly shows where their priorities lie. they will shut down your social (media) life without recourse, but heaven forbid that has a negative impact on the ad spends
The attacker should have replicated the browser fingerprint and IP on top of stealing the cookie - or just flat out used his computer remotely while he was sleeping.
I haven't used FB in a while but I remember login from other places were detected.
Technically that's possible but there would be too many false-positives. People would be signed out every time they took their laptop home from a coffeeshop or connected over a mobile hotspot.
Yes. Facebook has implemented features to try to keep their users signed in, even if the user indicates that they want to sign out. Therefore, Facebook wouldn't want to sign people out if they go to a coffee shop.
They could use your local MAC or maybe detect the local radius of your IP (eg if you suddenly appear from a different continent then send a confirmation email). Sure, people using Tor might get burnt but those use cases are likely less common than those who are getting their session cookies hacked.
A carrier-grade NAT could make you change IP address. TOR will do it. You would cause yourself more problems if you would start to bind a session to an IP address.
I had someone contact me on Facebook marketplace, we agreed upon a time/price and then they asked for my phone number (which I sadly gave them). Then they said "I'm going to text you a code, so I can verify you are legit". The text I got was from Google Voice's 2FA.....
This is very common scam. AFAIK it’s a way to create a new Google Voice account (linked to your phone number) with the goal of using that account for other scams so that they can’t be tracked.
I fell for it, but since I already had a Google Voice account linked to that phone number, it didn’t work for the scammer. But he didn’t realize what it didn’t work.
I quickly realized that something wasn’t right (and Googled the mechanics of the scam) and then was able to waste his time for another 30min.
The reason I fell for it was because they use a text message from Google in some African language, so I didn’t immediately realize what was going on. Still dumb to not pay more attention…
But it taught me to not list my phone number in the open on Craigslist.
I get these texts periodically. I feed them fake codes and waste as much of their time as possible.
When they figure it out, I receive threats ranging from reporting me to the authorities all the way up to killing me and raping my family.
I then point out exactly how their scam works, and that they are either criminals directly or working for them as patsies. At this point, they usually stop responding.
If they don’t, then I take the chance to vent some of my own vitriol at them. It’s usually therapeutic, but it’s always fun.
I have accumulated a lot of hobbies over the years, and I count this among them.
I used to get some tech support scams but I think either that scam is dwindling or I've got blacklisted somehow.
Those "3rd line specialists" can get really angry when they realize the unsecure but rich old man they are talking to is far beyond them in tech and have been having fun and recording them ;-)
How would someone use that code to hack into my GV account? Wouldn't they also need to know my password or have access to my e-mail account to login or to reset your password?
Because OP specifically mentioned Google Voice, my guess is that it was a phone number "ownership" code, rather than a 2FA code per se.
The attacker was probably trying to create a new Google Voice account forwarding to OP's phone number. They could then use the new GV account as its own "legitimate" phone number in order to engage in other scams.
(Alternatively, OP's password might have already been compromised, and this was the last stage of a targeted attack by someone trying to get into their account.)
I don’t use GV, but presumably if they can make Google send you an auth SMS then they have already input your password. I’m guessing it was leaked in some big password leak, and not phished at an earlier time.
this happened to me the other day for an item i was selling. at the first mention of a “code”, i told them first come first served and i have other people interested. that ended the conversation.
This is what I'm worried about, to be honest. Not necessarily getting hacked but just getting flagged, banned and burned with no recourse.
This is why I commented on an article here some weeks ago that if they ever offered any paid user experience they'd be in trouble because they'd actually have to help their users with their issues.
These tech companies should offer actual support the moment you spend money with them with some actual recourse to solve problems, especially if it's caused by them. It's insane to me that they can just go and run away with your money or burn your account at a moment's notice, even when it's just some automated filter going crazy. At the bare minimum something like Amazon has should be the standard the moment you operate a paid digital software repository or sell a digital service or ads. Losing your investment should not happen to you unless you're a really blatant abuser and if you're the one getting abused your bank or credit card provider should never be your only line of defense.
I'm baffled that they have not been in any real conflict over this with any consumer protection agency for any of our governments.
I guess this is the model when the user is the product and not the customer. Flipping this, if this were a paying advertiser (customer) that got locked out, there probably is a valid path to contact someone.
Looks like it is time to remove all my Single Sign On from Google, Facebook, GitHub etc. And have individual user/pass for all of them. I have the same fear as you and way more so after reading this article, just way too much risk now.
>This is why I commented on an article here some weeks ago that if they ever offered any paid user experience they'd be in trouble because they'd actually have to help their users with their issues.
Facebook has offered a paid user experience to Oculus users for several years now, and so far no one has forced them to actually help users with these issues. Not the market, not regulators, and certainly not users. They will keep getting away with it simply because they can. What are you going to do about it?
Fascinating blog post. However I don’t know why it took him so long to reach out to Facebook support, everyone knows that to get your account unlocked you just need to write a viral blog post about your experience and use your existing popularity to ensure someone at Facebook reads it, realises you’re not one of their typical peasant end users and unlocks your account for you.
Can confirm, wife had a similar issue and tried to buy an oculus to get in touch with a human - said person could not help at all. Ended up having to use her network to get in touch with a Facebook employee who got it handled immediately.
In other news, I built and deployed a "2FA Mule" last weekend.
It's a stock android phone with no google account and no apps installed except for "SMS Forwarder"[1].
It is configured to forward all SMS to an email address via encrypted SMTP. This means that I can receive these 2FA codes anywhere I have Internet access - such as an airplane or newly arrived in a foreign country where my SIM card does not work.
The "2FA Mule" itself is plugged in at my office in a corner.
I'm not employing this for anything sensitive but it's interesting to consider that I can use SMS based 2FA while divorcing it from my day to day SIM identity ...
Google Voice works for many services which is protectable with 2FA (hardware tokens) and accessible most anywhere in the world--you're at the mercy of Google, though
It's hit or miss and that is why I am basing this on an honest-to-god mobile number on a SIM card. I don't want to deal with the finnicky number validation that is done ...
It's very easy to forget to send the sms, which will then make you loose your number. The carrier will take the number back and assign it to another person.
Yes. I have a dedicated account with a verizon MVNO and this account has no other SIMs or accounts associated with it.
However, depending on how I choose to use it I can point 2FA for numerous different services to this one SIM. I just don't want to point multiple accounts at the same service to this SIM since that's a clear, common identifier and correlates those two accounts better than probably anything else could ...
- If you use different services with the same SIM, using a phone number to identify you across platforms is my primary concern.
- Yet, confirmer SIMs can't really be throwaways. I'm 'stuck' with a prepaid the same way people are stuck in to gmail — they have 400 accounts with the e-mail address.
I've had it before, where I got locked out of accounts, with no way to delete the account, or even do a data takeout. The only way forward has been the same SIM.
The only way forwards would be to 'start a SIM farm': buy those SIM slot AliExpress boards, and sell(/use) a forwarder service.
(here is business plan, on how risky, and expensive to the customer it'd be)
The 'challange' is keeping track of multiple people, to avoid same-site conflicts. Users would hopefully be encouraged to tell where they are using the phone, as to not get an used one themselves.
For Estonia, the minimum of keeping alive a prepaid is topping up 3€ every 6 months, per SIM (whereas new is 1€).
Of course, IoT numbers are available, but they aren't likely a valid option, as they definitely aren't meant for burners, and even a single misuse/complaint would likely shut everything down. More on this later.
Assuming there would be (monthly) paying customers, prepaids could do. It'd be a bit pricey, I'd start at ~10€/mo/user, assuming small users (few sites) would use the same sites, and larger ones needing many, many numbers. Billing per new site isn't likely very cheap either.
That aside, hardware is the most concerning, AliExpress pricing is 12-22€/slot depending on how bulk you go. Hundreds or even few thousands of euros in upfront needed.
(Side note, on a >100 users scale, old phones etc aren't feasible; otherwise go
with android dual SIMmers (using feature phone nokias for the price of nothing and stuff would be cool, but custom fw, and soldering each one isn't worth the time), and WiFi (on the scale WiFi stops working, you'll have bigger problems to deal with, and it'd be extra hardware cost as ell)
(Side note 2: 'sim banks' exist, what allow to connect many SIMs to one modem, it'd bring the hardware cost to ~2€/sim, unsure if they can be online at once (though 'click here and wait 5-10s before clicking send SMS' could work for the user); even if they can be online, you still run in to the interference and 'why is there 1000 phones in this house' problem)
I'd say after a few hundred, it probably makes sense to start building them yourself.
For a good user experience, you have to keep them always online as well. Building a SIM-switcher would be likely as expensive, as well.
The real concern is interference and infrastructure — having hundreds or thousands of devices in the same spot will not work well in physics, nor the service provider coming knocking.
Now, even small scale, it'd make sense to be your own service provider. This way you could get SIMs, and can connect directly to the network. You could emulate devices a this point, not needing any SIM cards either.
Problem is, all of your network activity is for SMS confirmations. That is going to get many strange looks.
The bonus of being in a small country is, that the other way, you can be friends with the person, who happens to be a head or person actually doing things, at a telecommunications provider.
Though, on a large enough scale, you're going to have actual overhead to their network. That's when you'll need to start paying for the service. Pricing for businesses isn't cheap.
**
Well, that was a wall of text. Insanities.
So — assuming you aren't a large-enough service provider already, normal long-term vEriFiCatIoN is deadly, assuming you need captchas on many accounts.
I really think for the Oculus side of this, they should be on the hook for refunding a significant portion of the cost of the user's Oculus library when they ban the account.
This would put the cost of a ban to Facebook for real users in the order of hundreds of dollars which is more than enough to have a support person do a realistic evaluation of the situation. It also reflects the non-recoverable portion of the cost to most users - you can sell the headset, but you can't transfer the value of the library to anybody. That is a straight up and very significant financial loss.
While other aspects of the ban policy are obviously still very problematic, the fact that an arbitrary ban that is caused by actions outside the user's control can result in hundreds of dollars of losses sits at a whole different level and should be legally problematic for Facebook.
> refunding a significant portion of the cost of the user's Oculus library when they ban the account
This incentivizes abusive behavior by users who want refunds, and cheapens the cost of abusive behavior. This mechanism was discussed in relation to OnlyFans somewhat recently -- creators that wanted to ban abusive "fans" had to refund them. (Unfortunately, I don't have a link handy.)
The problem here is that Facebook couldn't tell OP had been impersonated by an abuser -- as you say, "actions outside the user's control."
Ok, so the scenario is I buy a headset, create a fake account, load up on games, then abuse the account to get all of it refunded so as to effectively have free use of the games for the period of time.
But I still had to buy a headset, put in a real credit card, pass Facebooks initial "real identity" checks etc. With real human review and some basic policies to prevent repeat abuse this doesn't seem like something that would really open a wide level of abuse. Perhaps sporadic situations where the headset breaks the user decides its the easiest way to get all their purchases refunded.
It doesn't have to be planned abuse. Another possibility is "I don't use this much anymore and there's no second hand market for my game purchases so I think I'll just get my library refunded." You were going to lose value anyway on not using it, now you get something back.
Then they need to stop claiming to "sell" you something when clearly they are renting it
Of course no one in their right mind would pay the retail prices for a "rental" so screws the business model, but honestly, they need to pick one, either they are selling products or renting them
This mixed model where they try to have the best of both has got to stop, if you ban my account you need to refund me, done want to refund on ban well do not sell me things, rent them to me under a service
Any system that wants to identify a pattern will have false positives and negatives.
In this case we can’t accurately identify cases where a user has legitimate cause for refund without false positives letting through a few abusive users.
The decision to be made is whether we skew the system to be in favor of the corporation or the consumer.
In this age where we no longer own the software we run I find it strange when people advocate for less protection of the digital goods they use.
yes ... that's what I hope and expect would be the outcome if this was enforced on Facebook. They will try to claim that the social features are essential to the platform and therefore cannot be disabled but it would not hold up based on current Oculus ecosystem.
this is not enough, you will still end up with a piece of hardware that you paid for and can not fully use.
it’s their decision to introduce this account, when there is really no need for it, let it be their problem to fully refund everything when this affects you. the solution is simple: quit forcing people to use the account nobody asked for.
They should decouple Facebook and Oculus from each other. They could share the login but should be separate services. I am sure he violated FB terms but did he violate Oculus terms?
They don't have fine grained banning because the abuse system was made for a user base that pays them no money, so it's a blunt instrument optimized towards cost savings. Steam I've heard is more fine grained, and might just do online gaming bans or communication bans.
i belive (s)he’s talking about facebook, who’s system has been built for its free users. oculus is just something that they have added later on, without taking time and money to adapt it for the (small number of) paying users.
Why are we buying this account-linked physical shit. Just pretend the headsets are not a viable product to purchase if they can be remotely bricked by a company you have no leverage over. Get a competitor product or go without.
Yeah smartphones are unfortunate since with COVID now you have to have one to check in in my country, but the second test is reputation. I’ve not heard of apple or android bricking a phone like this but FB/Google account bans and limitations are common.
I guess we can’t be purist anymore but being pragmatic is still possible and you can divert funds away from FB this way to a company that cares about the headsets they sell and the user experience
You can use a smartphone without linking to a faang account. Though it still has a device ID which it uses to talk to some infra if you keep the stock firmware.
OK but that's a very different story, one is stolen and at the request of the owner, the other is for some ethereal vague hard to pin down rule that was broken with no way to resolve it. My use of my property that I own should not be contingent on some behavioral rule on some website that could change at any time. Don't give money to companies that can remotely brick your property without your explicit request.
because we’re, or at least I am, inherently lazy. i would rather pay a markup on a playstation digital download that would allow me to not move from the couch. i’m a pretty active person outside the couch. the bad news is that they know this :)
This is another good part of steam - even if your account is banned from the entire community for site-wide spam, you don’t lose access to your game library.
Looks like this user received this message[0] after being banned from the community and only because he mentioned russian law did Steam suspend his account.
> Going to support and blalblab again my rights and the russian law, they slapped me with a perma community ban and 1 month ban to contact the support.
Generally speaking, you don't lose access to your Steam library unless you defraud them, e.g. by charging back purchases. I don't buy that the Russian guy got banned for spamming. The only evidence that that was the ban reason is his own words. Considering that this story seems to have only been picked up by sites like "oneangrygamer", "riseupgamer", and the Daily Stormer, I'd lay money he's not being honest.
> It also reflects the non-recoverable portion of the cost to most users
And then people wonder why I'm never buying anything digital. That's the reason. Buying digital makes your continued access to the thing dependent on your account being not banned and the servers being up. In other words, even if you "own" it, you're still at the mercy of the seller. But if you bought something on a physical medium (or torrented), no one could take it away from you.
Just think of it as like paying to see a movie. I bought a $10 app once, used it for what it was for, and now several phones later, I don't know or care what's happened to it. I got my value out of it and don't need to hoard every possession I "buy".
Remember people who used to have a huge collection of video tapes or CDs? They hardly used them for anything except decoration of their living room. Hoarding old crap that you never use isn't the best use of money.
Physical things can readily be taken away in divorces and debt recovery or less common things like police seizure if you're suspected of a crime. The world's richest man had half his wealth taken like that. Property rights aren't as secure as you think.
Wow, I really disagree with this. Or, with the implication / point?
Sure, if one buys a newspaper, chances are that one won’t hold on to it for long. But it is important that one can. If one wants to cut out a story from it and hold onto it, perhaps in a scrapbook, one can do so.
It is also important for archival and preservation purposes.
> The world's richest man had half his wealth taken like that.
If you're talking about Bezos, all of their wealth was made after they got married. The news can say it's "his wealth" but it always belonged to both of them. It's not "taking half his wealth," it's splitting their co-owned assets.
Well, yes, exactly. It's legal. An online service denying access to a movie you bought is just them acting on their right to do so because you never had a non-revocable license to use it. It was always their property. In both cases, people don't appreciate that what they feel is theirs isn't really theirs until it gets taken away. That's the whole problem.
>The world's richest man had half his wealth taken like that
I assume you are talking Bezo's divorce, you might want to actually look into that if you believe that. he did not have half his wealth taken, far far far from it.
>Physical things can readily be taken away in divorces and debt recovery
That is not being "taken away" in the sense you are talking about in context, for debt recovery it is being "taken away" because you did not actually own it, the lender did, you do not own it until you have paid it off. I own my car, that means I have no debt on my car...
Divorce is not "taking away" it is splitting assets owned by multiple parties. Sure the process can been seen as unfair, however legally the assets is owned by both people, the courts then choose who the new owner of the asset is.
That is a far cry from what we are talking about in this context.
>Just think of it as like paying to see a movie.
But it is not, That would be like a Netflix Subscription, where I pay to access content, not pay to own the content. Ownership and Renting is different.
If they want to rent content there are methods to do that, however most people will not pay the prices they charge for a rental that is why they need to guise it as a "purchase" not a rental
>Remember people who used to have a huge collection of video tapes or CDs?
I used mine, then I ripped them (legally) to enjoy them on other technology... Sad you just used them for decoration. Probably should have spent money on something else you found enjoyable
You know, many people find collecting things to be a pleasant and relaxing hobby. Perhaps, for some people, having a large collection of tapes or CDs, displaying the collection is part of the point.
People gather enjoyment from different types of things. Not everyone aspires towards minimalism.
It is perfectly possible for games to be sold digitally online with no drm, such that you could easily (without requiring uncommon technical know-how) copy it to a flash drive and run it on a computer with no internet connection.
Of course, games sold this way are extremely easy to pirate, because it is, essentially, pre-cracked. But one can distribute a product like this, and on occasion people do.
Or have ban groups. Ban someone from having a Facebook profile, buying ads, sending Messages, or having an Instagram profile based on their behavior on those respective sections of the site. Maybe disable a person's multiplayer capabilities if they have a reputation for harassment.
But let them keep their hardware running, and access their game library.
Seems good for business, tbh. You might not want neo-nazis posting whatever they want on their profiles, but who cares if they're buying video games?
Yes, Facebook really doesn't have a convincing argument why they will not just disable the social interaction features when the ban is made on that basis. They will say that they want to build social features into all their software as integral and therefore it is not possible but it doesn't pass muster to me .... it simply isn't that hard to make it conditionally available within apps and if it is that hard then it is Facebook's fault for engineering it that way.
What is the point of setting up a hardware or Google Authenticator-type 2FA solution when most companies will fallback to SMS? Is there a way to prevent the SMS fallback (last I checked it was 'No' for most sites except maybe Google if I remember, and then you still had to go in and manually delete it)?
Does a master list exist of companies that don't use SMS, or allow the user to exclude it? Otherwise it seems like most 2FA is just opening up a much easier attack vector (social engineering a phone number port) vs guessing a long, random, unique password. A password manager with browser plugin (or iCloud Keychain) mostly solves the phishing issue if you stop a second to think on the rare occasions when you need to manually copy/paste because of a weird subdomain or partner domain.
I've been 'about to' set up 2FA for over a decade now, but it always seems like a bad idea.
Edit: Also, who's to say customer service agents won't/don't fallback to sending an SMS reset code even if the account supposedly requires a dongle or app for 2FA.
It seems like the places that rely on SMS generally don't have hardware 2FA. Or, most websites that allow configuring multiple 2FA methods support disabling SMS
The ones that let you configure a single MFA method or single with backup are usually where I run into issues, personally
For instance, on Github, I have 2x U2F tokens and paper recovery codes but there's not even a phone number configured on the account
I can't tell you how many obviously-fake profiles and scammers I report, and see other people commenting about reporting, only for them to still be around days, weeks, sometimes even months later.
All of these were obvious scammers directing traffic to a single profile - some forex guru or whatever. Shilling get-rich-quick schemes doesn't meet Facebook's definition of "spam", apparently.
Ironically you have to be careful doing this, as their systems can ban you for too many reports, if they aren't all flagged as 'legitimate' scammers. The last time I filed a report I had this new warning show up at the bottom prior to submission
Facebook seems to be "too big to fail", at a point where their game theory is "the scammer is generating profits for us, so letting some of our users get scammed is something we can let happen".
It's pretty scary. I think they're really willing to let facebook die off and just keep instagram and whatsapp, I think that's their strategy.
Even facebook dating is buggy and not worthy of a giant like facebook. Maybe it's the how GAFA will start to decline.
I don't think Facebook 2FA is terribly secure. They definitely err on the side of usability. I was using TOTP on Instagram and I forgot to backup my Google Authenticator before wiping my iPhone. But I was then able to just go the the settings on a logged-in device and disable 2FA without 2FA. And it wasn't like I had logged into that device recently, either. I only had to 2FA Instagram once, years ago.
I wonder if having 2FA made it worse ... I can see the review process taking the enablement of 2FA as proof he really did the abuse and discounting the possibility that his account was hacked.
I was going to make the following point to the parent comment then read this reply and realized the situation is even worse:
1. (According to parent comment) 2FA can be disabled without 2FA
2. Having 2FA makes you look studious/thorough/decisive
Presumably the tech support is indeed told to pay attention to 2FA.
Presumably the entire management/instruction chain there isn't aware of the fact it can be turned off without 2FA confirmation, which effectively neuters it.
Facebook has such a MASSIVE user base. And people are getting accounts stolen a LOT, from either social engineering or password reuse.
But there's also a ton of people knowingly breaking rules, getting banned, and then trying to cry that their account was hacked.
Trying to differentiate between someone's account being taken over and abused versus someone just simply being abusive and lying about it to support costs a lot of time, and time is money. And with the scale of Facebook, that adds up to a LOT of money. You have to train a large staff to understand social engineering and be able to tell the difference between someone who actually can't figure out how to log in, versus a jealous ex who is trying to social engineer their way into someone else's account.
It's a lot cheaper to just let the bans stick, even if it loses a few customers.
"Customer support" is someone in third world paid 1 dollar per hour, who barely speaks English and does not care about anything - nobody reviews quality of their work, and even if quality is reviewed, they are fired, but nobody reviews "old cases".
Probably some person randomly clicking "accept" and "deny".
Other question is, why there is no escalation; even paid one. Although probably everyone would escalate.
An enterprise software company I was closely familiar with in the 1990s budgeted about $50/call for user support. Mind that was 20+ years ago, and it was enterprise, rather than end-user support. But odds are strong that one service call per user eats up all, or multiples of, the actual worth of that user to Facebook. Cutting the account loose may well be the rational choice for the company.
ARPU varies by region. Within the US it's closer to $110/yr, in Europe, $35/yr, Asia & Pacific, $10/yr. Expect that support offerings are going to be measured against that, though possibly with a consideration as well to future growth and economic development.
At $25/call and servicing 1% of users/year, that's $750 million in support alone. If the cost or rates are doubled ... the maths are pretty easy.
Google makes a point in their ads for the chromebook that you need a Google account to login, which my brain immediately translates into "could be randomly bricked at any time".
It's possible that's not true, but there's such an endless stream of these stories, that that's the attitude you have to take.
I think a Chromebook is a touch different, as there's nothing actually tied to the hardware itself (which, I suppose, is sort of the point).
If your Google account is borked, nothing is unrecoverable from the computer and any other account can log into it.
That being said, you will be screwed in various other ways, mainly that all of the information you'd lose because it was normally stored on the you've now lost because you got the ban hammer
i love how they say it cant be reversed in the warning. that is an absolute falsehood. its worded in a way that leads you to believe its final and not possible to undo, which is entirely false.
source: recently had to help someone get a developer account out of this position, account was reinstated. just gotta know the right people i guess?
this is the biggest example of all, to me, why big tech needs regulating... if you are going to take away access to things i paid for(or worse yet, my families livelihood depends on), you dang well better be willing to explain very explicitly why and provide me with a real person to appeal to. not some automated system(im looking at you too Google and Apple!)
> I’ve gone from a position of caution about Oculus + Facebook to a position of “Run, don’t look back.”
As if this wasn't an obvious problem.
Relying on any of Facebook, Twitter, Instagram, TikTok, etc. for anything is a risk. Doubly so if it involves your business or a product that won't work without permission from $PLATFORM.
I don’t understand how the hacker bypassed 2FA? Did OP accidentally entered his keys somewhere? Or did the hacker convince FB support to disable 2FA? How can we all avoid OP’s fate. Lot of comments go in-depth on yubi keys and whatnot. But if FB support disabled 2FA what good is a U2F, fido2 and whatnot?
Facebook's walled garden around oculus is really disappointing. Updates frequently broke mods, and the last time I tried to get it working again my Quest got bricked. Need to try factory resetting or something to see if I can get it working again, but it's left such a bad taste in my mouth I'm considering just selling it instead and buying a better VR system.
The only people I've heard have positive experiences with the Quest either:
- haven't had it for very long, or
- use Virtual Desktop or sideloading to break out of the walled garden. And are willing to frequently repair the issues that arise after frequent breaking updates.
I predict that gap in the fence will closed off and non-Oculus Store games will no longer work within the next two years and Quests will be junk. Please consider other options if you're thinking about buying oculus.
IDEA: Build a service that identifies all the Single Sign On accounts tied to your Facebook/Google/GitHub/Twitter accounts for you and gives you a nice list and instructions on how to separate out the accounts with links if possible.
Thinking about it for a bit, I'm sadly hesitant that it might need to be built as a browser extension or mobile app, rather than a website, because none of these services provide programmatically-accessible (even read-only) feeds of what you're looking for, so you'd need to scrape everything. This brings up two issues: 1) the headache of IP ratelimiting (and/or flat-out IP bans from trigger-happy systems optimized for fighting fraud/bots hosted on cloud infrastructure). IIUC there are proxy services that you can outsource the workaround problem to, but this is awkward to get behind in the face of 2), which is that users would need to input their actual usernames and passwords so that the service could request the account page with the details on it in order to scrape the data.
Given that these are broadly web services poked at via HTTPS, you could potentially get everything you needed from a browser extension (as long as the service doesn't require you to set any HTTP headers that extensions aren't allowed to touch).
The second possibility is using an app. Writing a thin layer that lets you craft custom HTTPS/whatever requests from a WebView would probably be the most straightforward approach.
The main issue with both the extension and app approaches is that they code-dump both the idea and methodology of "here is how to do X" into the hands of the IQ-99 skiddie group (especially with an extension). So now you have more people running around scraping pages and whatnot and trying to figure out how to weaponize everything. Probably won't go anywhere (in terms of producing actual attacks), but the noise may potentially make your life harder.
The least-complex solution seems to just be a giant boring list of links, for example:
Just a question: could the author create a new Facebook account and never use it except to login with his Oculus? He would lose his game purchases, though. Once you use a Facebook account with Oculus, is the device not wipeable to factory status?
This guy’s story is why I try to split book and other media purchases between Amazon, Google, and Apple - so, if I lose any account I only lose about 1/3 of my purchases.
I ditched my Rift as soon as the announcement was made that users would be forced to migrate to Facebook accounts. FB is practically radioactive, I'm not creating an account for them, let alone giving them a direct pipe to built in cameras and microphones in my VR headset.
I honestly have never seen my login to Facebook expire. Even without enabling the remember me checkbox after logging in on iOS safari the login is valid forever unless I clear the cookies. I have never seen that level of brazen disregard for security with any other modern site.
did he ever say if he found out HOW his account specifically was compromised? There is a lot of discussion here about how SMS is a weak link. But I dont get it. The example of one respondent providedd is koiphish. This is just a MITM attack. Doesnt https protect against this? If a MITM DID worrk, does that mean someone forged/stole facebook's certificate?
So in this story Facebook was responsible for $50 of charges, a business disruption and a huge and ongoing hassle. And Facebook refuses so much as to pick up the phone to discuss it. In the old days the equivalent would have been one of those roach motel businesses rated 'F' on the Better Business Bureau, buckets arrayed on the floor to catch rain leaking through the roof. And yet in this day it's one of the most profitable businesses in the world. Weird.
There are many motels, but Facebook has a monopoly on facebook accounts. If you could make a facebook account somewhere else, you could "take your business elsewhere".
Last I checked, FB actively banned using their APIs to build a competing product. I wish the government would make it mandatory to offer federation if you had, say, more than a million customers. But alas, governments rarely do what's convenient for customers.
You make explicit that all data that people enter, they enter for purposes of sharing. At the same time, you ban creating profiles with data that has not been explicitly shared. IMO:
- Make a telefone-book style listing, or searching for "all metalheads < 25 near Chicago" where people entered that into their profiles -> OK
- Tracking users on your site -> OK
- Tracking users on third party sites, and then aggregating this data, so you can see "people who searched for baby carrages" or "people who bought diapers with their credit card" -> not OK
- Having some kind of database where people could concievably look up what user tqi purchased, searched, what their political affiliation is (when not made public) -> not OK (unless you have extreme auditibility, four-eye principle, and so on)
"You make explicit that all data that people enter, they enter for purposes of sharing."
I think the data captured by CA was also entered for the purposes of sharing, (often) limited to friends and friends of friends. I think the crux of this all is that as a society we haven't really established how those rights are transferred. If I share my email address with a friend, can they share it with their contact management app? I'm not sure how you create a consistent policy in a federated model.
The German Facebook clone back in the day was called StudiVZ which means "Student's directory". This was before social media and was more of a social network. Everything you put in there you do because you want it to be public, like your number in a telefone directory. It was almost a pure platform for self-presentation, like MySpace or LinkedIn.
I'm well aware of "more is different" aka the dialectic transform of quantity in quality. Lots of data that in individually innocent can be problematic if somebody amasses it. But especially for this reason I think it is not good to have these kind of semi-public spaces where the data is public and the only protection is it is cumbersome to collect. Public data should be clearly public, and private data should be clearly private, and the UX should be really clear so people know what is happening.
(By the way, I'm not even sure CA was a "scandal" or that it was bad for FB. I think the only effect was that FB used it to justify locking down their API more.)
I had an economist friend of mine suggest this a few years ago in a conversation (I don't think it was a novel idea of his, it's just the first time I heard it). At the time I thought it was ridiculous and disagreed. But I've really started to come around to liking the idea over time.
That's pretty silly. Should I be able to use Amazon APIs to host reviews for my competing ecommerce site? Or be able to proxy user search requests to google and then intersperse my own advertisements in the results for my web search service?
I'm not the person you're responding to, but I would say unequivocally and unironically, yes! The end result is more competition, lower prices, and more options for the end consumer. Sure the raw idea of this mechanism is a little naive and could be refined, but the outcomes you paint sound totally reasonable to me... think of this as a creative way to apply a new kind of tax to the criminally undertaxed big tech behemoths like Amazon and Google.
If you come up with a cool service on top of Amazon's API, should Amazon be allowed to use your APIs to scrape your service data and use it in their offering?
If you get above <threshold> users, sure why not? It doesn't have to be free, maybe some sort of auditing service could determine a "fair" price. But it would be open without the possibility of shutting it down in the future unless maybe Amazon themselves ditches that API internally.
You are allowed to do that(as far as I understand scraping legality), but google/amazon/facebook are also well within their rights to blacklist your IPs, or implement other methods to prevent scraping of their IP(intellectual property in this case).
Amazon is infrastructure at this point. Everybody should have access to it. Jeff Bezos won capitalism, give him a medal and let him explore space.
Why do we treat government services and certain large private services separately? Why are government publications public domain, private publications not? Why does free speach apply to the government, but not to corporations? Why can't we treat amazon like a utility?
I believe the difference is because in the past people fought for these concessions from the state. They decided for example it would be sensible that the government should not restrict free speach. And before, they decided not to take feudalism as a given but to democratically elect their government. I know I'm being a bit dramatic, but there's no reason people couldn't get together and demand these kind of concessions from powerful corporations, too. Access to Amazon's product API is really the least example of what would change.
Companies like Facebook are as big as Nation States.
Any positives that come out of this for the author are just a Facebook PR move. If they did care about users, their support system wouldn't be so anti-user.
It's trite at this point that someone will respond that the users aren't the customers, they're the product, but it's trite because it's often correct, and deserves to be said, so I guess I'll be the one to say it this time.
The sad thing is that this person actually is a customer because they bought a product and pay for things on it, but Facebook still doesn't realize that, or more likely these customers are such a small amount of their revenue they just don't care (and don't think it matters for growth of this area or don't care about that growth).
That's the reason the "you're not the customer" line is just a distraction.
It totally misses the point that Facebook doesn't have customers any more than any other first world power has. Facebook has treaties with governments and follow laws when it's less costly than breaking them.
FTC actions are like one country taking another to the WTO -- not something to ignore, but not really threatening either.
> That's the reason the "you're not the customer" line is just a distraction.
I don't think it is. If Facebook wasn't coming from a place such as that, then we wouldn't necessarily see them act like this. It's not just about size.
> Facebook has treaties with governments and follow laws when it's less costly than breaking them.
So do most large companies, but they don't all act the same to their customers. Apple may be guilty of other ways of mistreating their customers, but to my knowledge they're mostly innocent of this specific brand of it, and anything you want to attribute to Facebook's size that you can't attribute to any of the other tech big 5[1] should be examined for whether that's really the relevant underlying cause.
The guy is a customer in the traditional FB way (pays for ads) and the new oculus way (buys oculus games & hardware).
FB is super annoying when you want to separate the business from any form of a personal account. Eventually you need to have some sort of personal FB account linked to a business to manage some key ad buy things AFAIK, at the small business scale at the very least.
> And Facebook refuses so much as to pick up the phone to discuss it.
It's part of the business model - each FB user generates so little revenue for the company that you can't afford to offer anything resembling "real" support channels. The company is massively profitable by sheer scale - by making a small amount of money per year off of a vast number of users.
This applies to Google as well - or really any ad-based engagement-centric business. Your individual users aren't worth enough to have human-intensive labor assigned to them, hence heavily automated support channels and little to no ability to ever have something processed by a human.
One of many reasons I pay Google to host my email rather than use a free Gmail - when you are generating a non-negligible revenue stream suddenly companies' willingness to answer emails and pick up phones increases.
When it comes to FB there's often the pithy "when you're not paying for a service you're not the customer, you're the product" - which is a simplistic take. In this case though at the very least this is true: "when you're not paying for a service your support needs are dead weight".
> One of many reasons I pay Google to host my email rather than use a free Gmail - when you are generating a non-negligible revenue stream suddenly companies' willingness to answer emails and pick up phones increases.
If you think that does any difference, I hope you good luck. Google is unreachable for support, even if you are a paying user.
I managed to get in touch with a Google engineer once for help with some Adwords API stuff (our company is a large adwords agency).
...They accidentally CC'd in a public mailing list into our discussion and leaked enough information that someone would be able to use the automated support system to change the company AdWords password. There was basically no way of contacting anyone further, the engineer couldn't contact anyone that could help us. We ended up making a new adwords account.
I did run into that engineer in-person at a Google event and grabbed a coffee with them. I think they're still at Google. No hard feelings but yeah getting any real support at Google is impossible and obviously not prioritized by the organization.
The guy is an ad buyer although, so they are still missing support for their traditional revenue streams for small customers. Even comcast gives you customer support if you only buy things for $20/month from them ;)
~$30/user (on 3.5B users), not exactly small if you ask me. If you do a DCF on a $30/y coupon, even assuming it doesn't grow, you'll find that Facebook's (family of products) individual users are quite valuable.
I got Google One just for the telephone customer service option. They weren't very helpful for my needs in particular, but I think most people would appreciate the phone option for the $2+ a month it cost.
Exactly. From the article, "Personally, I think it’s very telling that Facebook acts so swiftly to block out the original user who can stop an ad scam, and so slowly to stop a scam ad that they can still bill for."
Sure but then the question is "Should we leave an account with history of compromise in place that will lead to chargebacks or should we just permanently disable it"
This is largely my thought too. This exact story we've seen repeated how many times now? What is the outcome? It seems the users are left in the lurch, having lost access to their accounts and any associated resources without any recourse, and that's that. The end. What will it take to have them create some mechanism for recovery?
>What will it take to have them create some mechanism for recovery?
People valuing it sufficiently to choose an alternative (and most likely paying for an alternative) over the benefits of free access to an established network.
Leaving aside the fact that they are profitable because of the zero cost service, like Ryanair, we should consider how many businesses only have the standard they do because of consumer action through the media.
Facebook likes to cut down on costs by using an AI excuse to say "hey we help customers" but they don't really. If they hired enough humans to handle all the complaints/reports they get then their profit would plummet off the edge of a cliff. If this is the future of AI customer service give me those underpaid offshore services any day. At least the being laughing at me on the other end is still a human.
Facebook sucks.what else is new.have not had a personal account in a decade after they terminated it. No regrets.i do however own the stock and remain very optimistic about the business but not for me. Sucks to invest to so much time in a platform that can take it all away from you without warning.
