EEVblog Electronics Community Forum

Products => Test Equipment => Topic started by: EEVblog on August 14, 2022, 11:40:33 am

Title: Ebay SCAMS?
Post by: EEVblog on August 14, 2022, 11:40:33 am
What's the deal with this ebay store?
Stuff like used test gear, supposedly based in Bondi Junction in Sydney with massive feedback and reputation, but a dodgy image saying that all bids will be removed, and if interested to email some dodgy domain that doesn't exist?

I can understand these scams, but how do they get 47,000 feedback and 99.7% feedback? I can only presume these are hijacked ebay stores, like Youtube channels get hijacked?

Title: Re: Ebay SCAMS?
Post by: Jackster on August 14, 2022, 11:46:25 am
Report it to @AskeBay on Twitter? They are super responsive there unlike the website.

Definitely hijacked or bought an old store.
That image is against seller rules as well.
Title: Re: Ebay SCAMS?
Post by: EEVblog on August 14, 2022, 11:49:53 am
Report it to @AskeBay on Twitter? They are super responsive there unlike the website.

Definitely hijacked or bought an old store.
That image is against seller rules as well.

I found another one, an even bigger store, stealing and reusing photos because they are background watermarked  :palm:
Might be a video on this warning people tomorrow.
Title: Re: Ebay SCAMS?
Post by: jpanhalt on August 14, 2022, 12:27:55 pm
Searched eBay.com for that seller.  There were a lot of its listings in UK.  Almost all were very low priced.
https://www.ebay.com/sch/i.html?_from=R40&_nkw=&_in_kw=1&_ex_kw=&_sacat=0&_udlo=&_udhi=&_ftrt=901&_ftrv=1&_sabdlo=&_sabdhi=&_samilow=&_samihi=&_sadis=15&_stpos=44090&_sargn=-1%26saslc%3D1&_salic=1&_fss=1&_fsradio=%26LH_SpecificSeller%3D1&_saslop=1&_sasl=topshoediscount&_sop=1&_dmd=1&_ipg=60&_fosrp=1

Restricted search to >$100 USD and got only 8 listings.  Here's just one of them:
https://www.ebay.com/itm/374213037138?hash=item5720d5cc52:g:nfMAAOSwbBphn1nq
All of those items were in Australia and the disclaimer about removing bids for Keysight MSOS254A is the same.  Listing shows $287.65, but when clicked on, it shows current bid AU$898

Suspicious.  The UK store might be legitimate.  The Australian???
Title: Re: Ebay SCAMS?
Post by: coromonadalix on August 14, 2022, 12:30:40 pm
yeah  the ebay normal declaration page is a joke, it never works for me

I've seen many photos of the same items sold under many "items numbers"


pfff
Title: Re: Ebay SCAMS?
Post by: Fungus on August 14, 2022, 12:47:48 pm
Hijacked store. They'll take your money and vanish.

Take a look at their sales history, usually they sold something completely different in the past. I suspect that "topshoediscount" used to sell shoes, not test gear.
Title: Re: Ebay SCAMS?
Post by: AVGresponding on August 14, 2022, 12:59:43 pm
It's a recurring theme. I posted about it in TEA earlier today, an Aussie fashionware shop account hacked, and with lots of high end TE and other expensive items "for sale".

I reported a couple of the items, if enough people do likewise ebay will take the shop down.
Title: Re: Ebay SCAMS?
Post by: Grandchuck on August 14, 2022, 01:04:32 pm
I found this on the Web: "Some fraudulent people set up a website with products and use a PayPal logo on their cart but the Logo goes to their personal account.
PayPal will not investigate or refund the transaction."


If so, that is scary!
Title: Re: Ebay SCAMS?
Post by: wilfred on August 14, 2022, 01:18:39 pm
If you tell Ebay that it has listings directing people to complete the purchase offsite where Ebay won't get the fees they will delete it immediately. Self interest is a persuasive argument.
Title: Re: Ebay SCAMS?
Post by: Fungus on August 14, 2022, 01:35:17 pm
PayPal will not investigate or refund the transaction."

If so, that is scary!

Why? How many "detectives" would Paypal have to employ? Is there any guarantee that they'd get it 100% right every time?

An awful lot more people are going to get ripped off if people can simply reverse Paypal transactions with hardly any questions asked.

"Caveat Emptor" is a very old saying.
Title: Re: Ebay SCAMS?
Post by: nctnico on August 14, 2022, 03:47:02 pm
What's the deal with this ebay store?
Stuff like used test gear, supposedly based in Bondi Junction in Sydney with massive feedback and reputation, but a dodgy image saying that all bids will be removed, and if interested to email some dodgy domain that doesn't exist?

I can understand these scams, but how do they get 47,000 feedback and 99.7% feedback? I can only presume these are hijacked ebay stores, like Youtube channels get hijacked?
Yes, accounts get hacked to place fraudulent listings. That is always the case with these kind of scam listings that have been going on for at least a decade. A tell-tale sign is that suddenly the seller starts selling completely different items. Nothing new here really.
Title: Re: Ebay SCAMS?
Post by: richnormand on August 14, 2022, 06:43:32 pm
@EEVblog
So they are back at it again....

There are a few posts back to 2020 about this same technique and, if I remember correctly, using the same "instruction" page as you presented.

https://www.eevblog.com/forum/testgear/suspicious-ebay-seller/msg3397736/#msg3397736

After about a month or so they seemed to be removed quickly by ebay.

I assumed at the time they used a hijacked account with good ratings and that ebay would not detect the fraud since the "instructions" were in the photos.
There are a few other threads on eevblog about this.

Title: Re: Ebay SCAMS?
Post by: alm on August 14, 2022, 09:27:09 pm
This has been a recurring scam for at least two years. Once every couple of days or weeks, another account gets hacked, filled with all kinds of auctions for expensive items, like test equipment, guitars, etc, and stating somewhere either in the description or one of the pictures that you should contact them outside eBay. Generally eBay removes them within 24h. It's been quiet for a number of months, but it happened a couple of times this week.

Checking the description and pictures carefully should make it easy to spot. Also, I doubt if anything bad will happen if you bid on eBay, since the item will be removed before the auction finishes. Worst case they send you a message asking you to send money in a way that's not traceable and without the ability to get money back. Just don't email random people you have zero information of and send them money...
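
Added example (not part of any post in this thread, and not eBay's detection logic): a Python sketch that scores a seller against the tell-tale signs described above, namely a sudden switch in what the account sells, a jump to high-value items, and text steering buyers to contact the seller outside the platform. The `Listing` fields, thresholds, phrase patterns and sample data are all assumptions constructed for illustration; text embedded in listing photos is assumed to have been extracted by OCR upstream and appended to `description`.

```python
import re
from dataclasses import dataclass
from statistics import median


@dataclass
class Listing:
    category: str
    price: float
    description: str  # listing text plus any text recovered from the photos


# Constructed patterns for "deal with us outside the marketplace" wording.
OFF_PLATFORM = re.compile(
    r"bids?\s+will\s+be\s+(?:removed|cancell?ed)"
    r"|(?:e-?mail|contact)\s+(?:me|us)\b"
    r"|[\w.+-]+@[\w-]+\.[\w.-]+",
    re.IGNORECASE,
)


def score_seller(history, recent, shift_ratio=0.8, price_factor=10.0):
    """Return the list of warning signs raised by `recent` listings.

    history: listings from the account's established past
    recent:  listings currently live on the account
    """
    reasons = []
    if not recent:
        return reasons

    # 1. Seller suddenly sells completely different items.
    known = {item.category for item in history}
    unseen = [item for item in recent if item.category not in known]
    if history and len(unseen) / len(recent) >= shift_ratio:
        reasons.append("category_shift")

    # 2. Typical price jumps by an order of magnitude.
    if history:
        baseline = median(item.price for item in history)
        if median(item.price for item in recent) >= price_factor * baseline:
            reasons.append("price_jump")

    # 3. Description or photo text pushes the buyer off-platform.
    if any(OFF_PLATFORM.search(item.description) for item in recent):
        reasons.append("off_platform_contact")

    return reasons


def likely_hijacked(history, recent):
    """Flag only when at least two independent signs agree."""
    return len(score_seller(history, recent)) >= 2


# --- Constructed sample data (not real listings) ---
HISTORY = [
    Listing("Shoes", 40.0, "Leather boots, size 9"),
    Listing("Shoes", 55.0, "Running shoes, new in box"),
    Listing("Shoes", 60.0, "Formal shoes, black"),
    Listing("Shoes", 35.0, "Sandals, assorted sizes"),
]

HIJACKED = [
    Listing("Test Equipment", 2500.0,
            "Oscilloscope. ALL BIDS WILL BE REMOVED. "
            "If interested email sales@scope-deals.example"),
    Listing("Musical Instruments", 3100.0, "Electric guitar, mint condition"),
    Listing("Test Equipment", 1800.0, "Spectrum analyzer, calibrated"),
]

# A legitimate seller who lists one unusual item alongside normal stock.
EXPANDED = [
    Listing("Shoes", 50.0, "Hiking boots, waterproof"),
    Listing("Shoes", 45.0, "Trainers, white"),
    Listing("Test Equipment", 900.0, "Used oscilloscope, tested, returns accepted"),
]

if __name__ == "__main__":
    print("hijacked:", score_seller(HISTORY, HIJACKED))
    print("expanded:", score_seller(HISTORY, EXPANDED))
```

Requiring two signs keeps a seller who simply branches into a new category from being flagged on that alone.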
Title: Re: Ebay SCAMS?
Post by: gslick on August 14, 2022, 10:25:25 pm
Might be a video on this warning people tomorrow.

Next you'll be making a new video warning people not to buy speakers out of the back of a white van (in case they didn't see your first video on the subject).

(https://www.eevblog.com/forum/testgear/ebay-scams/?action=dlattach;attach=1566550)
Title: Re: Ebay SCAMS?
Post by: jjoonathan on August 15, 2022, 01:10:21 am
The Comic Sans Scammers have struck every Friday for years. They are sloppy as all get out -- same listings, same text, same strategy -- but eBay can't be bothered to spend a couple of intern-days giving chase. eBay takes 13% of every sale and they can't even sweep the floors. Ugh.
Title: Re: Ebay SCAMS?
Post by: andy3055 on August 15, 2022, 01:22:14 am
No sooner I saw the request for email,  I smelled the rat.
Title: Re: Ebay SCAMS?
Post by: EEVblog on August 15, 2022, 06:53:40 am
Didn't have time to make a video, both seller accounts now have all listings removed.

https://www.ebay.com.au/sch/40004/i.html?_ssn=top_formalwear-accessories&store_name=topformalwearaccessoriesonline&_dmd=2&_oac=1
Title: Re: Ebay SCAMS?
Post by: kripton2035 on August 15, 2022, 07:45:36 am


Quote from: EEVblog on Today at 07:53:40 (https://www.eevblog.com/forum/index.php?topic=336688.msg4358899#msg4358899)
Didn't have time to make a video, both seller accounts now have all listings removed.

https://www.ebay.com.au/sch/40004/i.html?_ssn=top_formalwear-accessories&store_name=topformalwearaccessoriesonline&_dmd=2&_oac=1



don't worry they will soon come back with other accounts !
make an ebay alert on some high end gears and you can catch them, almost once a week.
Title: Re: Ebay SCAMS?
Post by: bd139 on August 15, 2022, 07:58:24 am
These auctions appear because the accounts that were hijacked had a shit password or clicked through on a phishing link. The accounts usually get canned pretty quickly so in the end it’s removing idiots from eBay albeit indirectly.
Title: Re: Ebay SCAMS?
Post by: Fungus on August 15, 2022, 08:12:50 am
I wonder why they pick on test gear as the thing to sell? It doesn't seem like the sort of thing the average scammer would even be aware of.

Title: Re: Ebay SCAMS?
Post by: bd139 on August 15, 2022, 09:30:44 am
I think they did a quick scan in each category of ebay and picked high value items out and cloned them. There's usually stuff from other categories in there from guitars to diggers. Test gear regularly scores high values in Business Office and Industrial due to all the test gear rental folk pimping out high end Keysight and Tek stuff.
Title: Re: Ebay SCAMS?
Post by: Zenith on August 15, 2022, 09:52:26 am
Expensive items are sold on ebay legitimately from time to time, where people look hoping to find a bargain.

It probably applies to all sorts of other things like that, such as high end cameras, or studio equipment.
Title: Re: Ebay SCAMS?
Post by: jpanhalt on August 15, 2022, 10:14:07 am
It seems unfair that the apparently legitimate topshoediscount account was also deleted. 

I suspect that was the easiest path for eBay.
Title: Re: Ebay SCAMS?
Post by: coromonadalix on August 15, 2022, 11:11:34 am
Report it to @AskeBay on Twitter? They are super responsive there unlike the website.





Well to my surprise,   it did work for me, the seller had to remove the duplicate links  ....
Title: Re: Ebay SCAMS?
Post by: bd139 on August 15, 2022, 12:28:49 pm
It seems unfair that the apparently legitimate topshoediscount account was also deleted. 

I suspect that was the easiest path for eBay.

It's probably part of the security policy of eBay. Once an account is compromised then it's a financial risk for eBay either through purchasing being made by proxy identity or seller fraud. The seller topshoediscount is probably a liability for them with bad or reused or compromised passwords.

They introduced a thing called PSD2 here in the UK which forced financial organisations to have at least a basically workable 2FA implementation. eBay should do the same. However at the same time the average user is absolutely incompetent when it comes to remembering credentials and managing 2FA effectively so eBay probably don't want to enforce it. They do offer it though.
Title: Re: Ebay SCAMS?
Post by: jpanhalt on August 15, 2022, 02:23:32 pm
I understand the need for safety, but just like face masks, I am skeptical every "enhancement" actually helps much.  I don't mean some predicted advantage, but rather actual data.

Case in point, PayPal (USA) will not let you sign on to your account using either e-mail or landline to one's registered address.  It must be a text capable mobile device.  Any data to support that?
Title: Re: Ebay SCAMS?
Post by: bd139 on August 15, 2022, 02:31:24 pm
Yes. That’s usually a separate physical device.

So the credentials are something YOU know.

The SMS is delivered to something YOU have.

Some dude in North Korea does not have your phone.
Title: Re: Ebay SCAMS?
Post by: AVGresponding on August 15, 2022, 05:53:19 pm
Yes. That’s usually a separate physical device.

So the credentials are something YOU know.

The SMS is delivered to something YOU have.

Some dude in North Korea does not have your phone.

SIM cloning is a thing. The safest thing is to never assume you are safe, and to keep an eye on your paypal account etc.
Title: Re: Ebay SCAMS?
Post by: bd139 on August 15, 2022, 06:09:48 pm
Yes. That’s usually a separate physical device.

So the credentials are something YOU know.

The SMS is delivered to something YOU have.

Some dude in North Korea does not have your phone.

SIM cloning is a thing. The safest thing is to never assume you are safe, and to keep an eye on your paypal account etc.

That's very bad security advice.

SIM cloning is not a concern. It requires physical access to the SIM card. The point of this is to prevent remote attacks to your credentials by physically partitioning them. The guy in North Korea can't clone your SIM when your phone is in your pocket but he can rip off your leaked credentials. But they are absolutely no good if you have your SIM in your device.

Also if all of your credentials are exposed then you are 100% compromised already. Your money is gone. And Paypal and eBay have no liability to give it back because you handed the keys over with your bad security posture. And if you just have a username and password then you're already exposed.

This is why 2FA is important and SMS is good enough.

For ref I use a Yubikey authenticator - that's a completely physically isolated factor.
Title: Re: Ebay SCAMS?
Post by: jpanhalt on August 15, 2022, 06:15:18 pm
Some dude in North Korea does not have your phone.

Probably not, but some dude in Chicago might.  Cell phones are often stolen or lost.  My home landline is buried up to the house and then screwed to its walls.

What's the difference between sending to a cell phone and sending to my registered PC? 

And finally, you are talking theory, not data.  What's the incidence of fake sign-ins from registered PCs or landlines v. cell phones?
Title: Re: Ebay SCAMS?
Post by: jpanhalt on August 15, 2022, 06:19:36 pm
If Yubikey is so good, why doesn't PayPal recognize or use it?
https://www.yubico.com/
Title: Re: Ebay SCAMS?
Post by: AVGresponding on August 15, 2022, 06:25:48 pm
Yes. That’s usually a separate physical device.

So the credentials are something YOU know.

The SMS is delivered to something YOU have.

Some dude in North Korea does not have your phone.

SIM cloning is a thing. The safest thing is to never assume you are safe, and to keep an eye on your paypal account etc.

That's very bad security advice.

SIM cloning is not a concern. It requires physical access to the SIM card. The point of this is to prevent remote attacks to your credentials by physically partitioning them. The guy in North Korea can't clone your SIM when your phone is in your pocket but he can rip off your leaked credentials. But they are absolutely no good if you have your SIM in your device.

Also if all of your credentials are exposed then you are 100% compromised already. Your money is gone. And Paypal and eBay have no liability to give it back because you handed the keys over with your bad security posture. And if you just have a username and password then you're already exposed.

This is why 2FA is important and SMS is good enough.

For ref I use a Yubikey authenticator - that's a completely physically isolated factor.

Your SIM might be safe from some NK rando, but how about the person in the shop you bought the phone from? Or when you have it repaired? It might be rare but it's not unknown. Being a pauper and buying the cheapest phone in the range probably protects me from such, but I certainly never take it for granted.
Also ISTR you have a low opinion of the security on Android phones in general (not related to SIM cloning I know, but still a possible route to overconfidence re 2FA?)...
Title: Re: Ebay SCAMS?
Post by: bd139 on August 15, 2022, 06:29:28 pm
Probably not, but some dude in Chicago might.  Cell phones are often stolen or lost.  My home landline is buried up to the house and then screwed to its walls.

Oh an "expert". Here we go.

If your cell phone is lost / stolen, then one factor is lost. The other two are completely useless without it. Thus the security model is intact.

Your land line can be unburied. I used to be a phone phreaker and have tapped a few phone lines in my time. All you require is a linesman's set on copper pairs and you can make and receive calls outside the premises. If it's like the UK, you can even crack the box open down the road and tap there or just dig the lines up.

A land line is NOT secure at all. In fact it's 10x worse than a mobile phone because if your phone isn't a piece of crap you can destroy it remotely and the PIN is tarpitted so you can't get through it (caveat: don't buy an Android phone).

What's the difference between sending to a cell phone and sending to my registered PC? 

1. You access your paypal account from your registered PC. That means there's not a second factor thus 2FA is pointless. You have all your credentials in one place. The point of 2FA is to separate them.
2. Pushing notifications to PCs is somewhat more difficult than mobile devices.

And finally, you are talking theory, not data.  What's the incidence of fake sign-ins from registered PCs or landlines v. cell phones?

No this is not theory at all. It is a security practice REQUIRED by every financial company in the EU as an example. The reason it exists is because there is data. Lots of it.

See: https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en

If you know better, that's up to you...

Edit: to note if you think you know better, when you get ripped off your bank will laugh and put the phone down on you because it's your fault not theirs so the liability is shifted (always think in terms of who is liable in financial transactions).
Title: Re: Ebay SCAMS?
Post by: bd139 on August 15, 2022, 06:30:59 pm
If Yubikey is so good, why doesn't PayPal recognize or use it?
https://www.yubico.com/

It does. Paypal uses TOTP as a standard so you need an authenticator app. In that case I use Yubico Authenticator with my phone: https://www.yubico.com/products/yubico-authenticator/ ... this integrates with the yubikey.


Title: Re: Ebay SCAMS?
Post by: bd139 on August 15, 2022, 06:35:50 pm

Your SIM might be safe from some NK rando, but how about the person in the shop you bought the phone from? Or when you have it repaired? It might be rare but it's not unknown. Being a pauper and buying the cheapest phone in the range probably protects me from such, but I certainly never take it for granted.
Also ISTR you have a low opinion of the security on Android phones in general (not related to SIM cloning I know, but still a possible route to overconfidence re 2FA?)...


You're not wrong. This is why I use a physical hardware key. Also because my risk profile is huge and may result in court if I fuck up :)

The main thing we have here is not to have perfect security but a defence against common problems. If it's 99.9% effective, which basic SMS 2FA is, that reduces the risk for the majority of users and the risk to the business and the costs of handling claims etc.

As for Android, the problem is that you can root an Android intentionally or otherwise without too much of an issue. At that point the hardware and software integrity is gone which means anything on the device could read or generate 2FA tokens or data from messages.

Edit: On iOS there's a physically separate device in the hardware that contains keys which cannot be arbitrarily extracted. Worth reading: https://support.apple.com/en-gb/guide/security/sec59b0b31ff/web

Edit 2: my objections to Android are mostly due to the absolute lax update cycle, attention from vendors and cheap ass SoC implementations, the play store being chock full of malware including fake 2FA apps that steal your bank details (google it) and general user arrogance that it's fine. It's not.
Title: Re: Ebay SCAMS?
Post by: AVGresponding on August 15, 2022, 06:43:10 pm

Your SIM might be safe from some NK rando, but how about the person in the shop you bought the phone from? Or when you have it repaired? It might be rare but it's not unknown. Being a pauper and buying the cheapest phone in the range probably protects me from such, but I certainly never take it for granted.
Also ISTR you have a low opinion of the security on Android phones in general (not related to SIM cloning I know, but still a possible route to overconfidence re 2FA?)...


You're not wrong. This is why I use a physical hardware key. Also because my risk profile is huge and may result in court if I fuck up :)

The main thing we have here is not to have perfect security but a defence against common problems. If it's 99.9% effective, which basic SMS 2FA is, that reduces the risk for the majority of users and the risk to the business and the costs of handling claims etc.

As for Android, the problem is that you can root an Android intentionally or otherwise without too much of an issue. At that point the hardware assurance is gone which means anything on the device could read or generate 2FA tokens.

Yes! I certainly don't lose any sleep over it though. And I believe my particular flavour of Android phone has the ability to shred its contents either remotely or by failure to input the correct PIN x number of times.
I do miss the simplicity of the UI on the older Samsung phones though.
Title: Re: Ebay SCAMS?
Post by: bd139 on August 15, 2022, 06:49:58 pm
Yes! I certainly don't lose any sleep over it though. And I believe my particular flavour of Android phone has the ability to shred its contents either remotely or by failure to input the correct PIN x number of times.
I do miss the simplicity of the UI on the older Samsung phones though.


Yeah that's a reasonable configuration to set up.

To note my ex-father-in-law was ripped off for £10k because Halifax didn't have 2FA on their online banking and he accidentally got a keylogger malware downloading porn. They gave it back but realistically all customers pay for that outcome. 2FA would have saved him.
Title: Re: Ebay SCAMS?
Post by: jpanhalt on August 15, 2022, 08:37:27 pm
@bd139
Re: Second factor

This is the EU regulation I found here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L2366&from=EN
Paragraph 96 includes the following:
Quote
Those measures typically include encryption systems based on personal devices of the payer, including card readers or mobile phones, or provided to the payer by its account servicing payment service provider via a different channel, such as by SMS or email.

So, it appears email is accepted.  My gripe is the requirement of a mobile phone per se, not the need for a different channel.  A landline should also suffice and satisfy the need for a second channel.
Title: Re: Ebay SCAMS?
Post by: bd139 on August 15, 2022, 08:46:46 pm
Email is a weak and stupid idea. I'm not sure why they included that. Don't use it.

Think of these vectors:

1. Your email credentials are compromised. You reused the same credentials for your online banking. Owned.
2. Your email credentials are compromised. You did not reuse the same credentials but the hijacker resets your online banking password and confirms via email. Owned.
3. Your computer has a keylogger installed on it. They now have access to all of your factors.

You need a separate physical device. The mobile phone is the best one we have out there.

I'm not sure what your objection is with respect to a mobile phone.

A landline is possible. eBay and Amazon AWS both can use land lines for validation. But it's less secure than a physical device.

Edit: point though on usability... some security is better than none or too much:

(https://imgur.com/6aXo52u.jpg)
Title: Re: Ebay SCAMS?
Post by: jpanhalt on August 15, 2022, 09:17:45 pm
I'm not sure what your objection is with respect to a mobile phone.

I don't have one and don't intend to get one.  It would be a waste of money.  I refuse to use one while driving or in any public place.  I don't want to be tracked like an animal.

As for the landline, yes, that is my preferred method.  Maybe I was unclear on that.  Every other financial with which I deal (including at least 7 very large ones) uses landline authentication.  PayPal is the sole exception I know of to date.
Title: Re: Ebay SCAMS?
Post by: bd139 on August 15, 2022, 09:40:45 pm
Ok so you’re a self inflicted outlier. That’s fine.
Title: Re: Ebay SCAMS?
Post by: thm_w on August 15, 2022, 09:55:47 pm
Yes, accounts get hacked to place fraudulent listings. That is always the case with these kind of scam listings that have been going on for at least a decade. A tell-tale sign is that suddenly the seller starts selling completely different items. Nothing new here really.

Yeah easily 10+ years same thing.
And they are so strict with new sellers, ban legitimate sellers and freeze their accounts. So its not like they are loose with the rules. They just don't care to do it right.

Once you add the newly required taxes and fees, its about 25%. Better to not sell on Ebay unless you absolutely have to.
Title: Re: Ebay SCAMS?
Post by: bd139 on August 15, 2022, 10:02:48 pm
Nah you just have to know how to play it. I've sold 700 items on eBay with no problems at all. If you list on certain days and stick around for the offers you hardly pay anything. I don't have access to another market I can get a return on that is as good including all the appropriate charges.

Typical example is I sell something for £500, I pay £20 on charges and charge the buyer for the courier. Problem? Add £20 to the asking price!
Title: Re: Ebay SCAMS?
Post by: thm_w on August 15, 2022, 10:36:25 pm
Nah you just have to know how to play it. I've sold 700 items on eBay with no problems at all. If you list on certain days and stick around for the offers you hardly pay anything. I don't have access to another market I can get a return on that is as good including all the appropriate charges.

Typical example is I sell something for £500, I pay £20 on charges and charge the buyer for the courier. Problem? Add £20 to the asking price!

Yeah my mistake, YOU don't pay taxes but the buyer has to. So they are actually paying £600 for your item right (20% tax)?
Title: Re: Ebay SCAMS?
Post by: bd139 on August 15, 2022, 10:38:33 pm
No. There's no taxes on private sales at least here. Unless you exceed your capital gains limit and that's up to you to declare.
Title: Re: Ebay SCAMS?
Post by: tautech on August 15, 2022, 11:08:15 pm
Nah you just have to know how to play it. I've sold 700 items on eBay with no problems at all. If you list on certain days and stick around for the offers you hardly pay anything. I don't have access to another market I can get a return on that is as good including all the appropriate charges.

Typical example is I sell something for £500, I pay £20 on charges and charge the buyer for the courier. Problem? Add £20 to the asking price!
Yep, just what we do here with NZ Trademe as there is no eBay here as Trademe headed them off at the pass by getting a good following here in the early days however their fees are on the steep side so they get tacked onto the asking price !

To add some credence to our listings we add our company name for prospective buyers to find us elsewhere and maybe get a better price.  ;)
Title: Re: Ebay SCAMS?
Post by: EEVblog on August 15, 2022, 11:27:02 pm
For ref I use a Yubikey authenticator - that's a completely physically isolated factor.

I also use Yubikey for accounts where possible. Haven't actually looked into if ebay supports it though.
Title: Re: Ebay SCAMS?
Post by: thm_w on August 15, 2022, 11:40:35 pm
For ref I use a Yubikey authenticator - that's a completely physically isolated factor.

I also use Yubikey for accounts where possible. Haven't actually looked into if ebay supports it though.

Looks like they offer 2F Email, Ebay app, or Security key options. But they definitely do not push using them.

Quote
At the top left of the Ebay site, where you see your name, click the arrow to bring up a drop down menu and click Account settings.
Under Personal Info, click Sign in and security.
Find the Security key sign in row near the bottom and click Turn on.
Title: Re: Ebay SCAMS?
Post by: manicdoc on August 16, 2022, 04:14:54 am
The problem with smartphones is that you have to be disciplined to use them as a distinct separate factor. In that, you actually use it as an additional factor and do not use eBay on that device.

Email can be used as an authentication vector but this needs to be proportional to what it is protecting. Also, behind the scenes, there might be other secondary checks done that are not obvious to the end user. For instance, the geo region you are signing in matches whoever clicked the link. Your time of action is consistent with past behavior etc...
Title: Re: Ebay SCAMS?
Post by: RolandK on August 16, 2022, 07:56:17 pm
Whenever you use the same device for both parts of 2FA it is per se vulnerable. This is the scenario which hijackers try to get control of. Keylogger plus remote control plus the right exploit. Your encryption HW won't help. They just use it.

Only different hardware is safe. Eg. use an old phone for the key sms where you have no other apps. Use a different email account only on a non-surf and work device without stored password for all financial account reset possibilities, e.g on an old pc.

There is just too much illegal money for those who succeed. It is not the question if, but when. The system must only be very common to be a lucrative target. If you believe the propaganda, that this can't happen, this is your first mistake.
Title: Re: Ebay SCAMS?
Post by: manicdoc on August 16, 2022, 10:10:20 pm
Whenever you use the same device for both parts of 2FA it is per se vulnerable. This is the scenario which hijackers try to get control of. Keylogger plus remote control plus the right exploit. Your encryption HW won't help. They just use it.

Only different hardware is safe. Eg. use an old phone for the key sms where you have no other apps. Use a different email account only on a non-surf and work device without stored password for all financial account reset possibilities, e.g on an old pc.

There is just too much illegal money for those who succeed. It is not the question if, but when. The system must only be very common to be a lucrative target. If you believe the propaganda, that this can't happen, this is your first mistake.

Exactly, I'm a CISSP with 20+ years of online security experience, I have zero banking apps and use separate physical tokens...  None of my financial accounts have ever been hacked.   Do not mix up your factors, number one security sin. If your bank insists you can only use SMS auth, change your bank to one that allows physical token auth, or limit the amount you keep with that bank to an amount you do not mind losing.

What really gets my goat is that scammers deliberately target over 60-year-olds, as they know they can be easily led by the nose. If banks put in place some additional checks (like secondary person auth for new payees) for those wanting it who are over 60 years old, this scamming would come to a halt. They have the ability, yet do nothing - which talks volumes about how little banks really care about their customers.  There are some good banks, Bendigo Bank in Australia being one, they actually phone you up and help you keep your money safe - the others don't give a hoot.
Title: Re: Ebay SCAMS?
Post by: EEVblog on August 16, 2022, 10:56:08 pm
If your bank insists you can only use SMS auth, change your bank to one that allows physical token auth, or limit the amount you keep with that bank to an amount you do not mind losing.

The biggest bank in Australia doesn't have hardware 2FA, just SMS code.
According to this directory, none of the banks do:
https://2fa.directory/au/#banking
Title: Re: Ebay SCAMS?
Post by: manicdoc on August 16, 2022, 10:59:34 pm
If your bank insists you can only use SMS auth, change your bank to one that allows physical token auth, or limit the amount you keep with that bank to an amount you do not mind losing.

The biggest bank in Australia doesn't have hardware 2FA, just SMS code.

CBA will do hardware 2FA - netcode token, but you have to fight for it...

Ah ANZ - don't use them directly. Bendigo certainly does 2FA, got a physical token, it's not my imagination...
Title: Re: Ebay SCAMS?
Post by: bd139 on August 17, 2022, 01:43:58 am
There is SCA legislation in AU. I’ve been working on a large AU fintech proposition for a couple of years that requires it. Particularly when you have OpenBanking integration.

Note here from Auspaynet for their cardholder not present stuff. I think the banks probably talked around physical tokens for ages rather than force it on users. They did in the UK for ages but are bending now. See: https://www.auspaynet.com.au/sites/default/files/2019-06/CNP_Fraud_Mitigation_Framework_Summary.pdf

To note my online banking here uses the online banking apps as the 2FA device. That’s an almost acceptable compromise as my phone has a reasonable security posture. You can’t just pick it up and log into the banking apps without me actually being present (FaceID device unlock and secondary app authentication)
Title: Re: Ebay SCAMS?
Post by: EEVblog on August 17, 2022, 01:58:15 am
If your bank insists you can only use SMS auth, change your bank to one that allows physical token auth, or limit the amount you keep with that bank to an amount you do not mind losing.

The biggest bank in Australia doesn't have hardware 2FA, just SMS code.

CBA will do hardware 2FA - netcode token, but you have to fight for it...

Ah ANZ - don't use them directly. Bendigo certainly does 2FA, got a physical token, it's not my imagination...

Do any of them support any of the modern ubiquitous hardware tokens like Yubikey?

https://www.commbank.com.au/support.digital-banking.explain-netcode-token.html
"Exceptional circumstances", and you only get one. Too bad if you lose it or it breaks.
There is a reason why I have 4 Yubikeys.
Title: Re: Ebay SCAMS?
Post by: Someone on August 17, 2022, 02:56:30 am
If your bank insists you can only use SMS auth, change your bank to one that allows physical token auth, or limit the amount you keep with that bank to an amount you do not mind losing.
The biggest bank in Australia doesn't have hardware 2FA, just SMS code.
CBA will do hardware 2FA - netcode token, but you have to fight for it...

Ah ANZ - don't use them directly. Bendigo certainly does 2FA, got a physical token, it's not my imagination...
Do any of them support any of the modern ubiquitous hardware tokens like Yubikey?
Commonwealth moved to SMS or their branded app. Bendigo moved to Symantec VIP (app). The banks that are still issuing hardware tokens are doing branded "secure" devices that you cannot BYO, Westpac, Bank of Queensland, Rabobank, ANZ (business only, consumer gets app), .... others

For the small(?) number of users that do want a 2FA solution, just look at the complaints/support issues from the consumers it is forced upon. There is a business decision in there somewhere.
Title: Re: Ebay SCAMS?
Post by: manicdoc on August 17, 2022, 04:25:13 am
If your bank insists you can only use SMS auth, change your bank to one that allows physical token auth, or limit the amount you keep with that bank to an amount you do not mind losing.
The biggest bank in Australia doesn't have hardware 2FA, just SMS code.
CBA will do hardware 2FA - netcode token, but you have to fight for it...

Ah ANZ - don't use them directly. Bendigo certainly does 2FA, got a physical token, it's not my imagination...
Do any of them support any of the modern ubiquitous hardware tokens like Yubikey?
Commonwealth moved to SMS or their branded app. Bendigo moved to Symantec VIP (app). The banks that are still issuing hardware tokens are doing branded "secure" devices that you cannot BYO, Westpac, Bank of Queensland, Rabobank, ANZ (business only, consumer gets app), .... others

For the small(?) number of users that do want a 2FA solution, just look at the complaints/support issues from the consumers it is forced upon. There is a business decision in there somewhere.

Oh, for sure, I see they need to be competitive which pushes more towards the ease of use over core security. Regarding hardware failures, I bank with more than one bank. Yep, bummer on them not allowing generic hardware tokens, but these are banks after all...
Title: Re: Ebay SCAMS?
Post by: SeanB on August 17, 2022, 08:54:52 am
Most of the scammers do not bother cloning a SIM, they will instead use an insider at the mobile company to instead do a SIM swap, preferably on a Friday afternoon, or just after 12 on Saturday, so the ability to respond is much more difficult. Swap SIM, put the newly activated one in a phone, and try the login to the bank, and enter the 2FA and you are in. Then have some already existing accounts at various banks, and transfer to the first one, in the same bank, so as not to trip EAP limits, and instant transfer. Done before midnight, and again after midnight, to double the take, till either account reaches overdraw limit, or the access is closed down by the person finally getting hold of the bank to have the account blocked.

Very common, and relies on having somebody in the mobile company call centre who has access to do this, either using their own credentials, or most likely by also having installed keyloggers to get credentials of other agents or supervisors to use, or using shared credentials. Shared is common, because call centre IT is often lazy, so will have a common login for everybody, and never change it, even if they have had 600% annual turnover of staff. To the mark their phone just stops working Friday night, and the next morning they go to a phone shop to enquire, and find out about it, and also then find the empty bank account.
Title: Re: Ebay SCAMS?
Post by: manicdoc on August 17, 2022, 09:04:32 am
Most of the scammers do not bother cloning a SIM, they will instead use an insider at the mobile company to instead do a SIM swap, preferably on a Friday afternoon, or just after 12 on Saturday, so the ability to respond is much more difficult. Swap SIM, put the newly activated one in a phone, and try the login to the bank, and enter the 2FA and you are in. Then have some already existing accounts at various banks, and transfer to the first one, in the same bank, so as not to trip EAP limits, and instant transfer. Done before midnight, and again after midnight, to double the take, till either account reaches overdraw limit, or the access is closed down by the person finally getting hold of the bank to have the account blocked.

Very common, and relies on having somebody in the mobile company call centre who has access to do this, either using their own credentials, or most likely by also having installed keyloggers to get credentials of other agents or supervisors to use, or using shared credentials. Shared is common, because call centre IT is often lazy, so will have a common login for everybody, and never change it, even if they have had 600% annual turnover of staff. To the mark their phone just stops working Friday night, and the next morning they go to a phone shop to enquire, and find out about it, and also then find the empty bank account.

Yep, classic. Do not depend on your phone number as a factor if you can avoid it. In Australia, it used to be easy to bluff your way into taking over someone's mobile account, which has been tightened down a bit, yet I still wouldn't be trusting your phone number with anything financial.
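
Added example (not part of any post in this thread): a bank-side check for the pattern described in the two posts above, where SMS-authenticated transfers follow a SIM change and are split either side of midnight. The event names, thresholds, account ids, sample events and the existence of a carrier SIM-change signal are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

SIM_RISK_WINDOW = timedelta(hours=72)  # assumed hold period after a SIM change
ROLLING_WINDOW = timedelta(hours=24)   # limit measured over a sliding window
LIMIT = 5000                           # assumed outbound transfer limit

# Constructed sample events: (ISO time, account, event kind, amount)
EVENTS = [
    ("2022-08-12T10:00", "acct2", "transfer_sms_otp", 300),
    ("2022-08-12T16:40", "acct1", "sim_change", 0),
    ("2022-08-12T23:30", "acct1", "transfer_sms_otp", 4800),
    ("2022-08-13T00:10", "acct1", "transfer_sms_otp", 4800),
]

def calendar_day_totals(events):
    """Per-account totals per calendar day: the counter that resets at midnight."""
    totals = {}
    for ts, acct, kind, amount in events:
        if kind == "transfer_sms_otp":
            key = (acct, ts[:10])
            totals[key] = totals.get(key, 0) + amount
    return totals

def review(events):
    """Return (time, account, amount, reasons) for transfers to hold for review."""
    last_sim = {}   # account -> time of most recent SIM change
    attempts = {}   # account -> [(time, amount)] of all attempted transfers
    flagged = []
    for ts, acct, kind, amount in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "sim_change":
            last_sim[acct] = t
            continue
        if kind != "transfer_sms_otp":
            continue
        reasons = []
        # The SMS code proves little if the number moved to a new SIM recently.
        if acct in last_sim and t - last_sim[acct] <= SIM_RISK_WINDOW:
            reasons.append("sms_otp_after_sim_change")
        # Sliding 24 h sum, so splitting transfers across midnight gains nothing.
        recent = sum(a for pt, a in attempts.get(acct, []) if t - pt < ROLLING_WINDOW)
        if recent + amount > LIMIT:
            reasons.append("rolling_24h_limit")
        attempts.setdefault(acct, []).append((t, amount))
        if reasons:
            flagged.append((ts, acct, amount, reasons))
    return flagged

if __name__ == "__main__":
    print(calendar_day_totals(EVENTS))  # every day stays under LIMIT
    for row in review(EVENTS):
        print(row)
```

On the sample data the calendar-day counter sees two separate days that are each under the limit, while the sliding window and the SIM-change hold flag both acct1 transfers.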
Title: Re: Ebay SCAMS?
Post by: Nevada on August 18, 2022, 12:58:59 pm
You're right: it is a hacked account. I regularly see similar listings.