this post was submitted on 17 Sep 2025
Technology

[–] zqwzzle@lemmy.ca 1 points 18 minutes ago

The irony of a tech worker storing crypto in a centralized exchange instead of an offline wallet.

[–] tal@olio.cafe 6 points 3 hours ago* (last edited 3 hours ago)

At least some of this is due to the fact that we have really appallingly-bad authentication methods in a lot of places.

  • The guy was called via phone. Phones display Caller ID information. This cannot be trusted; there are ways to spoof it, like via VoIP systems. I suspect that the typical person out there (understandably) does not expect this to be the case.

  • The fallback, at least for people who you personally know, has been to see whether you recognize someone's voice. But we've got substantially-improving voice cloning these days, and now that's getting used. And now we've got video cloning to worry about too.

  • The guy got a spoofed email. Email was not designed to be trusted. I'm not sure how many random people out there are aware of that. He probably was; he was complaining that Google didn't avoid spoofing of internal email addresses, which might be a good idea, but certainly is not something that I would simply expect and rest everything else on. You can use X.509-based authentication (but that's not normally deployed outside organizations) or PGP (which is not used much). I don't believe that any of the institutions that communicate with me do so.

  • Using something like Google's SSO stuff to authenticate to everything might be one way to help avoid having people use the same password all over, but has its own problems, as this illustrates.

  • Ditto for browser-based keychains. Kind of a target when someone does break into a computer.

  • Credentials stored on personal computers (GPG keys, SSH keys, email account passwords used by email clients, etc.) are also kind of obvious targets.

  • Phone numbers are often used as a fallback way to validate someone's identity. But there are attacks against that.

  • Email accounts are often used as an "ultimate back door" to everything, for password resets. But often, these aren't all that well-secured.

The fact that there isn't a single "do this and everything is fine" simple best practice that can be handed out to Average Joe today is kind of disappointing.

There isn't even any kind of broad agreement on how to do 2FA. Service 1 maybe uses email. Service 2 only uses SMSes. Service 3 can use SMSes or voice. Service 4 requires their Android app to be run on a phone. Service 5 uses RFC 6238 time-based one-time-passwords. Service 6 (e.g. Steam) has their own roll-their-own one-time-password system. Service 7 supports YubiKeys.

We should be better than this.

[–] tal@olio.cafe 10 points 4 hours ago (1 children)

The first comment in response is probably the most important bit:

In addition: trust no inbound communications. If something is in fact urgent, it can be confirmed by reaching out, rather than accepting an inbound call, to a number publicly listed and well known as representative of the company.

[–] MostlyBlindGamer@rblind.com 6 points 4 hours ago

My bank is continuously surprised that I understand this. It’s probably a bad sign.

[–] Powderhorn@beehaw.org 13 points 5 hours ago (1 children)

Honestly, the email record eventually shared screams scam. It's not quite fluent English, has urgency and requests the information not be shared with anyone else. That's a pretty damning trifecta and should have been a red flag for someone who literally works in an authentication role.

[–] tal@olio.cafe 2 points 4 hours ago* (last edited 4 hours ago) (1 children)

should have been a red flag for someone who literally works in an authentication role.

Maybe. But the point he was making is that the typical person out there is probably at least as vulnerable to falling prey to a scam like that, and that that's an issue, and that sounds plausible to me. I mean, we can't have everyone in society (a) be a security expert or (b) get scammed.

[–] Powderhorn@beehaw.org 2 points 3 hours ago

I fell for an email scam about 15 years ago. I was job searching and got a message about a contract editing position looking for a native English speaker, which, given that I had my resume up for just such a role, didn't make me bat an eye. So I responded expressing interest. Long story short, it was one of those "we FedEx you excessive checks and then you keep your portion and Western Union the rest to this other person" affairs.

Of course the first check bounced, my bank account was flagged for fraud, with a balance of -$999,999, and it took weeks to be made whole (thankfully I was) while I navigated the byzantine process of "look, I got fucked; it's as simple as that."

It took going through that experience to be able to look for clear tells (important, as once you've fallen for one scam, you're flagged as an easy mark, so more come down the pike), and I agree that most people shouldn't be expected to be able to spot that unless they've gone through it.

My point is, if you actively work in security, the bar is far higher. This writer basically gave someone his PIN because his phone didn't provide full headers, and instead of verifying on desktop, just assumed it was legit, which is an amateur-level error for an authentication professional.
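
The "verify on desktop with full headers" step mentioned above, as an added example that is not part of any comment in this thread: it reads the receiving server's Authentication-Results header and compares the visible From domain with the envelope sender and Reply-To. Both messages and the example.com / example.net domains are constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample (not a real message): the visible From claims the company's
# own domain, but Return-Path and Reply-To point elsewhere and the server recorded failures.
SPOOFED_MESSAGE = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk.example.net; dkim=none; dmarc=fail header.from=example.com
Return-Path: <noreply@bulk.example.net>
From: "IT Security" <it-security@example.com>
Reply-To: helpdesk-verify@example.net
To: employee@example.com
Subject: Action required today

Do not share this message with anyone else.
"""

# Constructed sample of a message the same check should leave alone.
CLEAN_MESSAGE = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Return-Path: <it-security@example.com>
From: "IT Security" <it-security@example.com>
To: employee@example.com
Subject: Monthly reminder
"""

def _domain(header_value):
    """Return the lower-cased domain of the first address in a header, or None."""
    if not header_value:
        return None
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header_value))
    return m.group(1).lower() if m else None

def audit_headers(raw_bytes):
    """List the header inconsistencies a reader should see before acting on a mail."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    from_domain = _domain(msg["From"])
    # The visible From is all a phone client shows; compare it with the envelope
    # sender and with the address any reply would actually go to.
    for hdr in ("Return-Path", "Reply-To"):
        dom = _domain(msg[hdr])
        if dom and from_domain and dom != from_domain:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_domain}")
    # Results written by the receiving server; anything other than "pass" is a finding.
    auth = str(msg["Authentication-Results"] or "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1).lower() != "pass":
            findings.append(f"{mech} did not pass ({m.group(1) if m else 'absent'})")
    return findings
```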

[–] mysticpickle@lemmy.ca 10 points 5 hours ago

Man with $130,000 worth of crypto falls for a scam. Whodathunk 🤭