Comment on I Was Scammed Out of $130,000 — And Google Helped It Happen
tal@olio.cafe 2 weeks ago
At least some of this is due to the fact that we have really appallingly-bad authentication methods in a lot of places.
The guy was called via phone. Phones display Caller ID information. This cannot be trusted; there are ways to spoof it, like via VoIP systems. I suspect that the typical person out there reasonably does not expect this to be the case.
The fallback, at least for people who you personally know, has been to see whether you recognize someone's voice. But we've got substantially-improving voice cloning these days, and now that's getting used. And now we've got video cloning to worry about too.
The guy got a spoofed email. Email was not designed to be trusted. I'm not sure how many people random people out there are aware of that. He probably was --- he was complaining that Google didn't avoid spoofing of internal email addresses, which might be a good idea, but certainly is not something that I would simply expect and rest everything else on. You can use X.509-based authentication (but that's not normally deployed outside organizations) or PGP (which is not used much). I don't believe that any of the institutions that communicate with me do so.
Using something like Google's SSO stuff to authenticate to everything might be one way to help avoid having people use the same password all over, but has its own problems, as this illustrates.
Ditto for browser-based keychains. Kind of a target when someone does break into a computer.
Credentials stored on personal computers --- GPG keys, SSH keys, email account passwords used by email clients, etc --- are also kind of obvious targets.
Phone numbers are often used as a fallback way to validate someone's identity. But there are attacks against that.
Email accounts are often used as an "ultimate back door" to everything, for password resets. But often, these aren't all that well-secured.
The fact that there isn't a single "do this and everything is fine" simple best practice that can be handed out to Average Joe today is kind of disappointing.
There isn't even any kind of broad agreement on how to do 2FA. Service 1 maybe uses email. Service 2 only uses SMSes. Service 3 can use SMSes or voice. Service 4 requires their Android app to be run on a phone. Service 5 uses RFC 6238 time-based one-time-passwords. Service 6 --- e.g. Steam --- has their own roll-their-own one-time-password system. Service 7 supports YubiKeys.
We should be better than this.