23 comments

[ 32.0 ms ] story [ 672 ms ] thread
No recourse eh? Magical internet beans are without mercy. Failed design unless you’re an anarchist.

In a civilized society it would have been difficult to turn millions into cash, at least providing a buffer and perhaps way to get the stolen wealth back.

Bitcoin marked a potentially a dark turn; far superior technologies that respect our needs will emerge, however.

It’s mind boggling that something like getting sim jacked through a major carrier no less can ruin someone’s life so thoroughly, which speaks to the sad state of affairs for civilian digital security.

In some cases you can block withdrawals from accounts. I’ve done so after my information was compromised via the Equifax hack. I managed to lock things down as hard as I can and in at least one case (either Vanguard or Fidelity I forget) it will require a notarized document before any money can be removed from the account.

This story reminds me that I need to make another pass over accounts to see if I can lock things down further.

The disappointing thing is that although I was able to get a physical OTP device for my Wells Fargo account they still insist on using a telephone number backup for 2FA. There doesn’t appear to be a way to disable it.

I've written about the Wells Fargo issue before, here: https://news.ycombinator.com/item?id=15562850

You can remove your phone number from your account to disable the security-defeating manner of how WF allows telephone 2FA to override the physical OTP 2FA.

I am still baffled that Wells Fargos effectively eliminates any security benefit of the RSA-style OTP 2FA token devices by allowing telephone/SMS authentication as an alternative at login-time. It's like they don't understand security or they don't care.

If compromising a cell phone number alone is enough to steal funds, then it wasn't 2-factor authentication, it was 1-factor authentication. Unfortunately, many institutions are bad at computer security and designing authentication systems.
Why are banks liquidating such huge assets without proper ID or delay?

I guess people can't remember secrets, so you have to use something as a root of trust for password resets and so on.

Would be good if the banks realised that the available roots are all dubious and so they should require authentication on several for suspicious transactions.

Phone numbers aren't secure. Post isn't secure. Email isn't secure (and can often be rooted with the phone number---thanks shitty 2fa). Credit cards can be stolen.

But it's hard to get the phone number and the postal address and the physical debit card and the email all at once.

"Why are banks liquidating such huge assets without proper ID or delay?"

I don't think real banks/brokers allow you to liquidate and transfer stuff that easily. They're going to limit you to something like $100K in ACH transfers, and transferring your entire account needs a notary or signature guarantee or something like that, I think.

Cards can be stolen, but card + PIN is usually good enough (even better when combined with other factors like email or phone number).

They should give out smart card readers or EMV-CAP readers (stand-alone devices which generate an OTP after inserting a credit card and entering its PIN).

> But it's hard to get the phone number and the postal address and the physical debit card and the email all at once.

Not much harder than getting the physical card plus, maybe, one of the other three. All the rest can frequently be traced from any one of the three, and sometimes the card, via the name on the card,is enough to find the rest.

I meant control of the postal address, which is quite hard. A little harder than access to the physical debit card.

Same for email and phone. Gaining control of the account.

As someone mentioned elsewhere, the article left out a huge part. It was in cryptocurrency. A normal bank would never let that much money move out like that.
If you google this guy this story came out late last year...not sure why this is "news" now.

This specific story fails to mention a very important part - that the $1m was in a crypto exchange account.

They arrested the guy that stole the funds. Presumably he got it back now.

As an aside, the victim claims the $1m is 90% of his net worth and it's for his kid's education. To put it all in crypto is an...interesting decision.

Taking out loans and putting over 100% of my net worth into crypto was undoubtedly the best decision I have ever made. Keeping it there too long and losing nearly all of the profit was also the worst decision I've ever made. Funny how that works.
The quality of a decision is not determined by the resulting outcome. It is determined by how well the decision changed the likelihood of outcomes to fit what the decision maker desired.

My personal opinion would be that both decisions were of roughly equal quality.

(comment deleted)
This actually touches on a semi important issue: underpaid employees. From casinos, to fast food, to apparently carriers, people paid minimum wage just don't care enough about real issues, and rightly so IMHO. No, I don't want people's accounts to be stolen, but it is pure schadenfreude to watch this play out.
> semi important

I'd rate income inequality and poverty higher, personally.

If people are underpaid that also contributes to income inequality and poverty, no?
(comment deleted)
This is a very important problem. It’s crazy that mobile carrier customer support is outsourced to dumb monkeys that have no idea what they’re doing and have no reason to care about it given their miserable pay.
We have allowed institutions to frame this kind of fraud in the way that they prefer, but nothing was stolen from this man. A million dollars was stolen from the bank.

It is the same with "identity theft." There is no such thing. If someone takes out a loan or credit card in my name, they have taken nothing from me. I am not even involved, and the law should recognize that.

By framing it as theft from consumers, it allows the institutions which are actually responsible to avoid consequences.