| Ebay SCAMS? |
| Someone:
--- Quote from: EEVblog on August 17, 2022, 01:58:15 am ---
--- Quote from: manicdoc on August 16, 2022, 10:59:34 pm ---
--- Quote from: EEVblog on August 16, 2022, 10:56:08 pm ---
--- Quote from: manicdoc on August 16, 2022, 10:10:20 pm ---
If your bank insists you can only use SMS auth, change your bank to one that allows physical token auth, or limit the amount you keep with that bank to an amount you do not mind losing.
--- End quote ---
The biggest bank in Australia doesn't have hardware 2FA, just SMS code.
--- End quote ---
CBA will do hardware 2FA - netcode token, but you have to fight for it... Ah ANZ - don't use them directly. Bendigo certainly does 2FA, got a physical token, it's not my imagination...
--- End quote ---
Do any of them support any of the modern ubiquitous hardware tokens like Yubikey?
--- End quote ---
Commonwealth moved to SMS or their branded app. Bendigo moved to Symantec VIP (app). The banks that are still issuing hardware tokens are doing branded "secure" devices that you cannot BYO, Westpac, Bank of Queensland, Rabobank, ANZ (business only, consumer gets app), .... others
For the small(?) number of users that do want a 2FA solution, just look at the complaints/support issues from the consumers it is forced upon. There is a business decision in there somewhere. |
| manicdoc:
--- Quote from: Someone on August 17, 2022, 02:56:30 am ---
--- Quote from: EEVblog on August 17, 2022, 01:58:15 am ---
--- Quote from: manicdoc on August 16, 2022, 10:59:34 pm ---
--- Quote from: EEVblog on August 16, 2022, 10:56:08 pm ---
--- Quote from: manicdoc on August 16, 2022, 10:10:20 pm ---
If your bank insists you can only use SMS auth, change your bank to one that allows physical token auth, or limit the amount you keep with that bank to an amount you do not mind losing.
--- End quote ---
The biggest bank in Australia doesn't have hardware 2FA, just SMS code.
--- End quote ---
CBA will do hardware 2FA - netcode token, but you have to fight for it... Ah ANZ - don't use them directly. Bendigo certainly does 2FA, got a physical token, it's not my imagination...
--- End quote ---
Do any of them support any of the modern ubiquitous hardware tokens like Yubikey?
--- End quote ---
Commonwealth moved to SMS or their branded app. Bendigo moved to Symantec VIP (app). The banks that are still issuing hardware tokens are doing branded "secure" devices that you cannot BYO, Westpac, Bank of Queensland, Rabobank, ANZ (business only, consumer gets app), .... others
For the small(?) number of users that do want a 2FA solution, just look at the complaints/support issues from the consumers it is forced upon. There is a business decision in there somewhere.
--- End quote ---
Oh, for sure, I see they need to be competitive which pushes more towards the ease of use over core security. Regarding hardware failures, I bank with more than one bank. Yep, bummer on them not allowing generic hardware tokens, but these are banks after all... |
| SeanB:
Most of the scammers do not bother cloning a SIM, they will instead use an insider at the mobile company to instead do a SIM swap, preferably on a Friday afternoon, or just after 12 on Saturday, so the ability to respond is much more difficult. Swap SIM, put the newly activated one in a phone, and try the login to the bank, and enter the 2FA and you are in. Then have some already existing accounts at various banks, and transfer to the first one, in the same bank, so as not to trip EAP limits, and instant transfer. Done before midnight, and again after midnight, to double the take, till either account reaches overdraw limit, or the access is closed down by the person finally getting hold of the bank to have the account blocked.
Very common, and relies on having somebody in the mobile company call centre who has access to do this, either using their own credentials, or most likely by also having installed keyloggers to get credentials of other agents or supervisors to use, or using shared credentials. Shared is common, because call centre IT is often lazy, so will have a common login for everybody, and never change it, even if they have had 600% annual turnover of staff.
To the mark their phone just stops working Friday night, and the next morning they go to a phone shop to enquire, and find out about it, and also then find the empty bank account. |
| manicdoc:
--- Quote from: SeanB on August 17, 2022, 08:54:52 am ---
Most of the scammers do not bother cloning a SIM, they will instead use an insider at the mobile company to instead do a SIM swap, preferably on a Friday afternoon, or just after 12 on Saturday, so the ability to respond is much more difficult. Swap SIM, put the newly activated one in a phone, and try the login to the bank, and enter the 2FA and you are in. Then have some already existing accounts at various banks, and transfer to the first one, in the same bank, so as not to trip EAP limits, and instant transfer. Done before midnight, and again after midnight, to double the take, till either account reaches overdraw limit, or the access is closed down by the person finally getting hold of the bank to have the account blocked.
Very common, and relies on having somebody in the mobile company call centre who has access to do this, either using their own credentials, or most likely by also having installed keyloggers to get credentials of other agents or supervisors to use, or using shared credentials. Shared is common, because call centre IT is often lazy, so will have a common login for everybody, and never change it, even if they have had 600% annual turnover of staff.
To the mark their phone just stops working Friday night, and the next morning they go to a phone shop to enquire, and find out about it, and also then find the empty bank account.
--- End quote ---
Yep, classic. Do not depend on your phone number as a factor if you can avoid it. In Australia, it used to be easy to bluff your way into taking over someone's mobile account, which has been tightened down a bit, yet I still wouldn't be trusting your phone number with anything financial. |
| Nevada:
You're right: it is a hacked account. I regularly see similar listings. |