A family friend of ours recently fell victim to a phishing attack perpetrated by an attacker who paid for Google Ads for a search term like "BANKNAME login". The site was an immaculate knock off, with a replay attack in the background. She entered her 2fa code from the app on her phone but the interface rejected the code and asked her for another one. In the background, this 2nd code was actually to authorise the addition of a new "pay anyone" payee, and with that her money was gone[0].
I have accounts with 2 banks, one uses SMS 2fa and the other uses an app which generates a token. I had thought that the app was by default a better choice because of the inherent lack of security in SMS as a protcol BUT in the above attack the bank that sends the SMS would have been better because they send a different message when you're doing a transfer to a new payee than when you're logging in.
So really the ideal is not just having an app that generates a token but one that generates a specific type of token depending on what type of transaction you're performing and won't accept, for example, a login token when adding a new payee. I haven't seen any bank with that level of 2fa yet, has anyone else?
I guess perhaps passkeys make this obsolete anyway since it establishes a local physical connection to a piece of hardware.
[0] Ron Howard voice: "she eventually got it back"
Turns out ads aren't just annoying little acts of psychological terrorism that eat up a lot of bandwidth and computing power, they are also the #1 vector for spreading scams and malware on the web.
In other words: If you're trying to improve your security posture, installing an ad-blocker is one of the best things you can do. If you have less tech-savvy friends and relatives, I would strongly recommend setting up uBlock Origin for them.
Why isn't there any market fulfillment for "safe, non-intrusive ads", on the part of a vendor? Is it because it's not possible, or not worth the overhead either because of cost or no effect on consumer behavior/blocking?
This seems like it ought to be low-hanging fruit. I would have less aversion to clicking on ads if I did not default to it being a security risk.
They are rare but do exist, see ethicalads and Modrinth’s ad program
They are still third-party ad networks that require a browser to cross multiple domains, etc. etc. etc.
I am not ideologically opposed to advertisements but I do believe the only safe ads are first party hosted coming from the same domain.
most people publishing a website either cannot or do not care to host the ad server on the same domain, they just want to monetize the site.
things could get a lot better, but this self hosting suggestion in particular will never see wide adoption unless major hosting providers build it and host for their customers. most people don't even bother to self-host/bundle stuff like their fonts and JS libraries unless they have have a JS framework in the loop doing it for them.
That's sort of beside the point, though. The site owner's commitment to running ads is useless unless there are people to view them, and, as long as unsafe ads are ubiquitous, the only safe advice to give to people is that they should run ad blockers everywhere. It doesn't matter that that isn't what the site owner wants to happen.
there are plenty of site owners that would voluntarily choose a more ethical ad hosting network if it was a good and easy option.
adding a pain-in-the-ass hurdle like "has to be hosted on the same domain" that 99.99% of people won't see the value of or understand is only going to hurt adoption of the better solutions.
Right, but that's my point—this is not a situation where visitors have to hope that site owners will be responsive to their preferences; rather, visitors are in a position to enforce their preferences via ad blockers, so there's no incentive for them to compromise on matters that, however poorly appreciated or understood, genuinely can affect security.
agree - but that gets to the larger point that mass adoption of anything like has to be fairly frictionless.
We are barely getting a third of people to use adblockers - you'd have to squeeze the ad server industry a lot more to make them change. How to squeeze them? Get more people to use an adblocker that enforces serving from the same domain. How to get more people to use an adblocker? Make it frictionless, like enabled by default on browsers.
Then by squeezing them, they would be forced to respond by building tooling making it more frictionless to serve ads form the same domain, etc.
Who said anything about an ad server ?
An ad is a particularly sized JPEG that you place in your images directories… and then point to with an HTML tag.
Everything we tried to build for you was lost once you deviated from that level of complexity.
one suggestion more arrogant, ridiculous, and in bad faith than the last
you're now implying everyone hosting a website should pound the pavement to sell their own ads - or use a a static export from an ad network and build it into the website themselves? Sure maybe they should but they never will. Dream on.
You are a speck of dust in the universe of computing. Get a grip.
Pack before the web most places doing ads had them al, in house, salesmen (mostly male) design and so on., large byers (mcdonalds) might hire an agency to talk to all the little newspapers, but even the little ones did this in house.
Modrinth’s ads are this way.
Intrusive ads are more profitable for the ad company, while the costs are largely born by other parties. A strategy to privatize the gains and socialize the costs is common in a lot of sleazy industries.
There is zero reason for ad companies or ad networks to be covered by any safe harbor provisions of the law. They should have 100% criminal liability for every mal-advertisement they send to a user.
Ads are a paid transaction and Ad Companies absolutely need to be held liable for the money that they take because of who they take it from voluntarily. Google should be ashamed at all the money they are making from scammers and criminals and other evils. They should have a terrible score at every agency remotely like the Better Business Bureau. They should be tarred and feathered in public opinion. The brand name should already be tarnished by all this Evil across too many years of negligence. Same goes for Meta/Facebook, though they do have some of the tarnish already, more than Google has managed to get to stick. (I think too many people still want to believe the "Do No Evil" lie and its lasting brand propaganda.) Other companies should be wary of working with Google because of that bad reputation. ("No, we won't be using GCP because Google does too much business with criminals.")
Yes, it is hard to scale Terms of Service enforcement. Yes it is a hard problem to solve finding bad actors at scale. That shouldn't be a free pass to just not do it at all. Especially when money is changing hands. If someone is paying you to be a bad actor they are either paying you to look the other way (called a "bribe" in most jurisdictions, and illegal in some of them) or you aren't doing due diligence before accepting bad money (called things like "laundering" and "embezzlement" at scale). "It's hard to scale" doesn't sound like a good excuse to do financial crimes, last I checked with banking regulators and is in fact the opposite (a larger crime); why should Google or Meta get a free pass in advertising because they don't want to put the work in and take the revenue hit?
Yes, and so should every person that works for them.
What evidence do you have that they are "not doing it at all"?
"Do no evil. Instead enable others to do evil profitably and take a cut off the top."
They don't. DMCA safe-harbor covers copyright violations. All it takes is a prosecutor willing to use the CFAA to hold business as accountable as people.
That's true, but Section 230 of the Communications Decency Act of 1996 provides broader (but not unlimited) immunity for user submitted content.
I feel like this was one of the original selling points of Google's ads. They were pretty simple, unobtrusive, mostly text, ads.
One of the original factors in the rapid uptake of Chrome was believed to be that the ads for it were the first time an ad appeared on google.com.
There were ads on google.com since at least 2000[1]. Chrome wasn't announced until 2008. Disclosure: I work at Google but not on ads or Chrome.
[1] https://googlepress.blogspot.com/2000/10/google-launches-sel...
I believe they meant on https://google.com (the home page)
Oh, I didn't think of that. But I don't think that's really true either. There seem to be ads on the homepage before Chrome:
Google News: https://web.archive.org/web/20021001073516/http://www.google...
Google Calendar: https://web.archive.org/web/20060831050142/http://www.google...
For comparison, Chrome: https://web.archive.org/web/20080904192205/http://www.google...
Now admittedly the Chrome one is a bit flashier. Although I haven't exhaustively gone through every homepage variant before Chrome, so it's possible there was something as flashy before Chrome as well.
The doubleclick acquisition was the end of that.
Isn't that when the business majors took over?
Google’s search ads have become explicitly more intrusive and less distinguishable from the real content over time, deliberately and knowingly.
It’s funny, that while many parts of Google are making improvements to the web security ecosystem, they are completely ready to throw it out of the window when it comes to making them more money.
You mean you can’t see the “promoted content” label that is 1 px high?
It doesn't seem to be profitable, in part because the internet now consists of mega-sites and if your network doesn't serve ads on the mega-sites, no one is interested in your network.
Project Wonderful was a fantastic webcomic-focused ad network. From my perspective as a reader, being shown ads for other webcomics while I'm reading a webcomic was... a positive, really. A lot of webcomic artists ran Project Wonderful ads and nothing else. They shut down in part because of the rise of facebook.
It's to the point that even the US government (even with all its faults and lobbying) recommends using an ad blocker for this reason.
Very interesting! Could you link to that recommendation?
Here you go: https://www.ic3.gov/Media/Y2022/PSA221221
TIP: I sold my senior mom on uBlock Origin because YT ads are so obnoxious. The added benefits are extra security and performance improvements. She was even able to understand that if something doesn't seem to be working right (like a banking site) "turn it off and try again".
Another lesson here is to bookmark/ memorize the url of your bank, and don’t trust search engines to take you to your bank
This might not be sufficient anymore. Many online payments are rendered either on the shop's pages or on a third party payment provider, including 3DSecure implementations. These don't redirect to any sensible bank URLs.
Both of my banks use a payment flow which uses a hardware authenticator. But only one bank seems secure: it prompts for an amount and a reference and generates an OTP based on that. This is distinct from any other signing operations with the same authenticator. The other bank tells me to enter a 6 digit number (which is allegedly made up out of a part of the amount and a reference), but it is impossible to tell this apart from any other signing operation. It doesn't strike me as too hard to abuse that to either log in to my account, to sign another payment, or even to create a direct debit...
I ran into this. I'm trying to set up an account on wise.com. The way they want me to set up my bank for direct deposit is to type my banks password into their site! I asked support if there was any other way to do this (for example the regular institution, branch, account numbers) and they said no. But they reassured me that despite me typing the password into their site that they don't have access to it! (Ok, it was actually a Plaid iframe, but still not my bank. Clickjacking would also be very easy to implement and there is no way for the average user to understand this.)
Then banks wonder why their customers get phished.
Plaid is a cancer of the payment system. It's amazing how they're trying to normalize entering your banking credentials into their third-party site.
It's not even their site as far as the user can tell. It is a full-screen iframe. At least if it was their site a bank could say "plaid.com is fine". Still bad to make acceptable domains more than one but at least it isn't infinite.
I have a couple of bills to pay to the city and the 3rd party pay processor (they switched a couple years back) they got looks like the page was made by a moderately talented 5th grade web developer. I actually called them to verify I had the exact URL correctly and also told them the page looked like it was made by complete amateurs and was kind of scary it was so poorly done.
In the past I've heard people say the opposite - that if less computer savvy people are using google instead of URLs, it's a good thing.
The reasoning was it protects them against typosquatters and whitehouse.com situations. I guess when people were giving out that advice, google wasn't the way it is now.
Yeah -- this was good logic back in the day.
Now one has to scroll down -- sometimes several links -- before finding a link that isn't an ad.
Maybe this is where encouraging people to use the "I'm Feeling Lucky" button would help, because it should still go to the top non-ad-link?
There was a time wherein the top result for facebook was a blog which faced a deluge of comments complaining that they couldn't log onto their facebook.
"Always use a bookmark" has always been the best advice. I'm fairly sure getting a bunch of typosquatting domains is standard practice now for major (particularly financial) sites so typing in the site from a reliable printed source for the first access is fine (particularly since you can be extra careful if you only do it once). For using shared computers, I'd still personally recommend typing from a reliable printed source.
For logins, a major advantage of having browsers save login info is to recognize legit sites becuase the login can be filled out (though it should be set to require a click on the login form and not just appear). Occasionally sites change in a way that breaks this but usually just once to use a subdomain and can be investigated more closely when it happens.
I think browsers should add a "site bookmark" feature that uses a well known mechanism to allow all associated sites to be annotated in a way that shows up similar to how EV certificates used to work (but is entered by users). That would make it possible to recognize legitimate links into a site (as long as you annotate the correct site the first time) and there could be an option to be notified when leaving the annotiated set of domains for particularly sensitive sites. Currently the closest is bookmarking the home page, editing the URL to remove everything after the domain, checking that the edited url is bookmarked (this is fragile since sites change the redirection quite a bit), and then hold the back button and go back to to the linked page, although this might not work for additional domains (e.g. support sites are often on a subdomain). Ideally, the site bookmarks would also annotate search results before they are clicked. While "remember to check if the site is legit" is not ideal it is a far better situation than "no way to tell if the site is legit". This could also be used to add a standard OTP entry mechanism that binds to a site and gives a warning if it is from a site you haven't given an OTP to before or stored login info (and shows the site name when you enter the OTP).
I'd like to throw a little blame onto many namebrand websites.
Sites like Digital Ocean try to load dozens of third-party trackers for a single page. Their supposedly secure payment processing includes cross-site violations that are blocked by modern browsers.
When their credit card management pages fail to work with reasonable browser defaults or sane browser add-ons they immediately advise their users to strip out all security protections. You are supposed to just trust content coming from seemingly unrelated domains including multiple processors you may or may not have ever heard of. Paypal? Ok, plausible. Stripe? I guess, but both? Pendo? Sentry? Optimizely? Hexagon? Google Ads? Google Analytics? Six other different Paypal domains? Eight other Stripe domains? Multiple Typekit domains? TagManager? Spuare? The list keeps going.
Plenty of reasonable protections cause alarm bells left and right. The answer? Disable those protections. Train users to think they are the problem.
I'd be interested in anybody explaining why a welcome page needs assets from 17 other domains, including paypal and stripe.
https://cloud.digitalocean.com/welcome
Why are multiple payment processors included on this page that doesn't involve any payment?
pptm.js is paypal's tag manager, for "Marketing Solutions". Gives the vendor shopper insights (clickthru, etc).
Stripe recommends putting stripe.js on every page to help detect fraud better (https://docs.stripe.com/js/including)
Also that Google, as a search engine that is also the world's biggest advertising company really should be able to manage not to sell ads to phishing scammers!
Maybe if platform is large enough it should be criminally liable for phishing attacks. I see no reason why Google should not be responsible in vetting each and every link they advertise at top of their search results.
KY(C)A
Or skip the website and use their native app.
then you can't block anything
Why do you need to block stuff on your bank? I do all my banking through their app tbh. If I had to block stuff from the bank then I’d switch banks.
Very difficult with most big banks.
In my experience with Bank of America and US Bank they bounce you around to several totally different top level domains as you navigate through the web-based banking.
These are third-party service providers that the banks contract for various pieces of their online infra… And it is a complete mess in terms of conditioning consumers to be phished.
that's true and kind of a joke by now, bofa has at least two parallel bill pay systems (both seem white-labeled from someone else?) keep redirecting through multiple domains, both are barely usable and take forever to load to do basic tasks. Security definitely takes a back seat when fighting with their UIs to get anything done.
If Google ad words even allows a scammer to create an ad for a bank login page then we have a more fundamental problem.
I tried out buy Google ads once out of curiosity cause they gave me a free credit. It was crazy how many ridiculous stipulations and guidelines I had to work around before they'd accept my ad.
How are they that strict for me, but seemingly they'll sell to a phishing page that's impersonating a bank and targeting it to people searching for that bank?
Because the impersonator is probably a lot more sophisticated at this than you or I, and it's likely that 999 impersonators were rejected and this is just the 1/1000 who found a way around it.
The system probably produces a lot of false positives AND negatives.
And even at those failure rates (no matter how anecdotal), economies of scale creep in so a couple billion failures/day still would result in nearly a billion successes per year. The machine never rests and is fueled by creative people from all walks of life from every possible place on earth.
Don’t they usually put in “legitimate” ads and info then swap out the content afterwards with the spamscam?
I have an ads account; I don't see them checking I haven't done a switcheroo on the landing page contents. I think I could easily put a JS redirect on the landing page, if nothing else worked.
They are reasonably strict about the keywords though -- I often go into a "verifying" stage when setting up the ads.
I'd guess the phishers spent a lot of time and burned some google adwords accounts looking for what would get through any automated checks they had.
I once tried to buy a domain which contained the word "Google" from Namecheap, but I was rejected with an error telling me that I needed to contact support and show that my use of the trademark was approved by Google. So instead I went to Google Domains and bought it from them with no issues.
Criminals are incentivized to evade detection. And you only get to observe the successful criminals and none of the unsuccessful ones. This makes it appear like the criminals are getting through the filters trivially. What you don't see is the work they are putting in to get a successful phishing ad up there.
Not to excuse failures, but there isn't a "it is easy for them but hard for me" situation.
My understanding of EU regulation is that it effectively requires this by requiring the 2FA to validate not just the identity but also the transaction (such as an amount, or destination account).
Unfortunately it means that all banks use SMS. We did have card reader 2FA that also did this but it's falling out of use because users don't like having to carry a card reader around.
My EU bank uses an app for consumer accounts. It hasn’t used sms for a few years, except when setting the app up on a new phone/sim.
So it does when it needs to authenticate you :)
The difference is, it’s a pain, has happened twice in 5 years, and I know what triggered it, and it doesn’t happen with every 3d secure purchase or login.
So much less likely to get phished.
Yes, the Payment Services Directive requires "dynamic linking" to a specific amount and a specific payee in article 97, and the RTS in article 5 go on to say that the payer should be "made aware of the amount of the payment transaction and of the payee".
The most elegant implementation I saw of this were card readers with a 2D (colored) barcode scan ; the 2D barcode contained transaction details that the card reader would display on its screen. This was an effective control against MITM. But even I myself always misplaced the card reader.
So now, most confirmations are done using the banking app. Even if I use a credit card by filling in its details on a US website, I get a push notification on my phone to confirm the tx on my app.
The app asks for a password or uses biometrics, so thats 1FA, and the app is enrolled at some point, so the token on your phone (I presume in some secure storage) counts as the 'thing you have' for 2FA.
Enrolling the app nowadays usually entails scanning your ID card and a 'live selfie' (blink your eyes). And of course you get notified (via e-mail) that you just installed the app on some device.
I preferred the blinky bars; the reader for them is tiny, not locked to an account, battery lasts what feels like forever, and they're cheap enough that you can trivially eat a loss (from forgetting where it is or leaving it in a place where it disappears before you get a chance to collect it).
Maybe just stick an airtag to the back?
This is not true, I have used multiple financial things where they have different codes for different uses (Raiffeisen, K&H) or apps which have a server sent event and local approval showing the transaction (wise, Fineco)
Just use apps. Apple protects.
Nope. Apple participates in the same pay-for-search-placement scheme, and therefore will happily distribute the same kinds of scams. https://usa.kaspersky.com/blog/dangerous-apps-in-app-store/2...
Well, TIL
It's really incomprehensible, whatever minuscule revenue Apple is getting from running this protection racket, I mean ad network, must be minuscule compared to the potential damage they cause to their users and brand. But I guess that's next quarter's problem.
Their ad business is generally booming but the brand rap can’t be worth letting these in. OTOH maybe it’s either all in or don’t bother. There’s no way to staff reviews at the scale you need an ads business to work.
Then I can picture a great way, locally, to screw these knock off big times.
Either the site is a great knock off, visually similar (if not identical) or it won't fool people, right?
So what about this: what about the browser saving, locally, screenshots of the login pages you visit.
Then, when a new login is made, compare, visually, the page to what's saved and see if any saved pages are similar?
"Oops, the page www.banklng.com looks nearly identical to www.banking.com which you visited previously, they're probably trying to scam you!".
Another step everyone will ignore because it isn't a problem for any particular person until it is.
Well then enforce it, at the browser level.
When a measure becomes a target, it ceases to be a useful measure.
I feel like PassKeys and browser-integrated password managers both solve this problem better already. And yeah they're extra things to do, but so is this.
"...with a replay attack in the background."
Wouldn't this be MITM?
I'm not familiar with the nuances of terminology, but I would expect MITM to only apply when you (and your computer) actually attempt to connect to service A, and a malicious actor X intercepts that communication. Phishing is different in the sense that you connect to the phishing page directly, and it may or may not replay some of your inputs to the actual service it is phishing.
I guess theoretically phishing could be considered MiTM, but the latter term generally implies the attack is fully transparent to the user, whereas phishing convinces the user to insert the malicious party themselves.
I called this a "replay attack" because it sounds more like this:
"A replay attack in a network communications setting involves intercepting a successful authentication process—often using a valid session token that gives a particular user access to the network—and replaying that authentication to the network to gain access"
Even though this wasn't a session token, it was an authentication process and token, gathered from a fraudlent source and replayed to a valid source.
MITM is:
"A man in the middle (MITM) attack is a general term for when a perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway."
So to me a MITM would be more like using a wifi access point to access the correct banking URL, but the service carrying the data was acting maliciously.
We have it: FIDO U2F. you could even treat it like the new password less manager, with a computer/phone specific store.
My gut? It actually works, and people didn't like that. Users and orgs like authentication slightly broken so they can work around systems.
People like authentication systems that are secure enough to keep bad actors out, but not so secure that it keeps legitimate users out. It's got nothing to do with users wanting to break into a system.
I like FIDO U2F as a second factor, although you always need a fallback of some kind in case you are stuck using a device without a USB port. I don't like it as a single factor, as most devices make it hard or impossible to back up your keys. Using Passkeys with Bitwarden is pretty interesting though, and appears to satisfy most of my concerns, as they're just stored in my password manager and move devices with me.
It only works in a couple of situations and it's difficult to manage. When the site doesn't support it (which is almost all of them), when you don't have USB, when you lose or forget your YubiKey, when you don't have a phone with NFC or lose it, when you can't afford the device, or it's difficult for the user to set up, etc it fails. Now you need a different factor to finish logging in, which is probably weaker, so attackers will try to degrade this first factor to force the second weaker one.
It's a nice-to-have but not even close to a universal solution.
Kraken is a cryptocurrency exchange that utilizes (at least) two different TOTP codes, one for login and one for money transfers.
For a long time (still?) Kraken also refused to add SMS 2FA as an option due to its weak security.
I still don't see how that's worse than no 2FA at all, which was an option, but I appreciated that they were banging the "SMS 2FA isn't very secure" drum.
It’s worse in a lot of implementations because often SMS is often used as part of a recovery flow in cases where you lose the first factor.
I find it more secure in some contexts to never give a company my phone number at all if possible, so that it simply can’t be used as any kind of authentication no matter what.
Yeah, I'd draw a hard line between "SMS 2FA is better than no 2FA" and "SMS should never become a single-factor recovery method."
I agree SMS should never be an option for single-factor recovery.
I'm paranoid enough at this point that I check that the Cert authority for my bank is the one I know it to have before I log in on the website.
What's your process? Where do you save the cert? I'd be interested in automating that.
Oh nah, I just check the lock icon in firefox, and it's a pretty unusual (and not publically accessible) cert authority so I'd notice if it's a different one
Was this in the US or elsewhere, what was the amount and how long did it take to notice? Just curious.
In the US the bar to pull money out of an account is pretty low. Most banks would allow reasonably-sized transfers out with just routing and account numbers. I was stunned by this, but this is the reason utilities and stores can pull your money without you even talking to your bank. Just give them the info. And that information is not secret, it is printed on your every check.
The flip size is that for those "convenience" and service payments the money is easy to get back: banks, at least traditional, will bend over backwards to prevent being seen as enabling fraud.
It was in Australia, amount was thousands of dollars, she noticed when she was asked to enter yet another code and all of a sudden it made her snap out of her "autopilot" and take notice and look at the URL and other details. So as soon as she realised that something was fishy, she logged into the correct site, then saw the money was gone.
This was a "pay anyone" transfer. So money was being transferred to a bank by BSB/Account number in the background. The bank required a code when a new Payee is added, but the codes were not differentiated, so she was asked for a code to login, then told the code was wrong and asked for another code. In the background the real banking site to which her actions were being replaced had successfully logged in and had initiated a transfer to a new Payee. The real banking site asked the attackers for a code to add the new Payee, the fake banking site asked her for a new code to login.
The thing that really enabled the attack is that the same code generator was used for both codes, without any indication that a different action was being performed.
I understand the attack (I heard some high visibility telegram channels were recently compromised by a similar technique).
My point was that most bank transactions are actually reversible for a while after the money supposedly left the account.
I still don’t understand why banks just don’t use FIDO2/WebAuthn yet.
I’d much prefer to use a Yubikey over all other options at this point.
Because banks are financial institutions and every decision they make is based in that. If the cost of insurance is less than the cost to actually secure the system, they will choose that every time.
Banks and payment processors have some of the worst technical debt. For example, a lot of transactions are processed using the ISO8583 standard, a binary bitmap-based protocol from the 80s. The way cryptography was bolted onto this was the minimum required to meet auditing standards: specific fields are encrypted but 99% of the message is left plaintext without even an HMAC.
I don't work at a bank, but I do work in fintech, and this strikes me as excessively cynical. The reason banks are slow about this stuff is not necessarily because "it's cheaper" (though maybe it is), but because the complexity of any change is simply off the charts: money-related logic must work correctly, to a far higher standard than almost any tech company. It makes you conservative, in the same way that demanding 99.999% uptime is exponentially harder than demanding 99%, and makes moving quickly essentially impossible.
(Also, of course, they're probably working on COBOL stacks that were written in 1978.)
For a bank, pile on top of that mountains of (often conflicting) regulatory review, such that just about any change sounds the alarm for armies of nearby lawyers to swarm upon you and bury you in paper. All it takes 0.1% of annoyed users filing complaints that they can't access their accounts, and you might well be looking at a steep fine, a class-action lawsuit, or worse.
This is a great example of why a search engine shouldn’t overtly let people pay them to alter rankings lol.
I am continually surprised that in a country as litiguous as the US companies can continue to sell advertising space and then just shrug when the buyer uses that space to defraud someone.
And why ads should be to the side at the very least and not mixed with search results
How did entering login and 2fa do the following things.
1. Login
2. Add payee
3. Create transaction
4. Verify transaction
This appears to be a banking issue where they do not try to maximize the attack surface.
Sure people will try to game the system by doing phishing but its the responsibility of banks to actively make it harder
Yep. A few simple steps like an extra SMS (or email) code to add a recipient, an email notifying about the change, not perfect, but will make this harder to pull off. Not sure what is '"pay anyone" payee', i don't think it's a thing at my bank. They could try to scrape the account number though, I think in the States that may be enough to try to debit someone's account.
I read it as the first 2fa code was used to login, then the system quickly attempted to add this new payee which required a second 2fa code, so the phishing site quickly sends another request stating the code saying the first was rejected.
This almost happened to my S/O. Luckily I had setup NextDNS to block newly registered domains along with a list of uncommon TLDs so the site got blocked.
I go further: I generate tens of thousands of variants of all the "sensitive" websites we use (like banks and brokers).
All the "levenshtein edit distance = 1" and some of the LED = 2. All variation of TLDs, etc.
I blocklist most TLDs (now that most are facetious): the entire TLD. I blocklist many countries both at the TLD level and by blocking their entire IP blocks (using ipsets).
For example for "keytradebank.be", I generate stuff like:
I don't care that most make no sense: I generate so many that those who could fool my wife are caught by my generator.I then force the browser to use the "corporate" DNS settings: where DoH/DoT is forbidden from the browser to the LAN DNS. I can still use DoH/DoT after that if I feel like it.
So any DNS request passes through the local DNS resolver (the firewall ensures that too).
My firewall also takes care of rejecting any DNS attempt to an internationalized domain names (by inspecting packets on port 53 and dropping any that contains "xn--"). I don't care a yota about the legit (for some definition of legit): "pile of poo heart" websites.
My local DNS resolver has 600 000 entries blocked I think, something like that.
I then also use a DNS resolver blocking known malware/porn sites (CloudFlare's 1.1.1.3 for example).
So copycat phishing sites have to dodge my blocklist, the usual blocklists (which I also put in my DNS), then 1.1.1.3's blocklist.
P.S: some people go further and block everything by default, then whitelist the sites they use. But it's a bit annoying to do with all the CDNs that have to be whitelisted etc.
I'm curious if the different SMS message would have mattered in practice.
I for one don't ever read those messages, and Android at least will usually copy the code for you making them even easier to ignore.
I read those messages. The ones from one of my banks that uses SMS and differentiates them, says "your code to do BLAH is BLAH". I was actually saved from phishing once because my credit card company included the vendor and the amount in the transaction SMS and it was for a different site and a much larger amount than what I thought I was spending.
I think at least some UK banks will do this. When I've done it using a card + card reader, you select the option to choose which type of operation you're trying to do. And if you're just trying to login it just displays a rolling code, but for authorisation of particular events it will take the form of a challenge/response, i.e. you have to select the operation on the card reader + enter a code provided from the site. This should I think prevent _simple_ replay attacks.
I even think for some transactions such as transfers over a certain amount, you have to enter the amount into the reader as part of the code generation.
Yes, my AIB card reader works like this. When transferring money to an unknown account I also need to enter the amount and "sign" that with the card reader. For adding a new payee it's a challenge/response.
Your solution wouldn’t have prevented the attack you describe unless the user can immediately tell the difference between login 2FA codes and “new payee” 2FA codes and knows not to enter one code into the wrong form.
Well, that's what I'm saying. When I get an SMS from one of my banks for example it says "your code to transfer X to Y is ABC" or "Your code to add a new payee is ABC". In this case she had a code generating app, but the codes were not different for login versus other high risk actions. The same is true for my other bank, which has a code which you use to login, and the same code generator, with no distinction, is used for example when you make a large BPay transaction.
The way both my banks work is that I log into the bank, do something that requires confirmation, and then I need to go open my app to confirm it, and it shows all the details for what exactly I'm confirming in the app.
I believe it's the 3d secure protocol, my bank has it, usually a push notification or with a token.
I never understood why these sms confirmations don’t tell you what you are actually confirming.
They should also tell you when some major change was made.
Seems so silly!
When I tried to pay on a website a while ago I kept getting "unknown error". Fast forward about an hour waiting in the helpdesk phone queue, and turns out you need to set up a special password for that. This is not an "unknown" error, it's a known error... Why can't it just show me? Sigh.
I wonder how many people they've need to "help" with this. Yes, I know there's tons of old code in many banks, but they would have saved money if they had a single developer work on this full-time for a month or something. Support people may be cheaper than devs, but they're not free.
The Nordea ID app tells you if you're verifying a purchase and shows how much you'll pay.
FYI, passkeys do not require anything in hardware. You can connect them to software only password managers like 1Password or Bitwarden.
Where they are nice though is that they are also tied to a specific origin (domain), so a phishing site can't ask for the real passkey. But I've never seen a passkey be a primary source of authentication, so they can always fool the user to falling back to some weaker auth (email reset or 2fa).
I've noticed my browser has started recognizing URLs that look similar to legit URLs of bigger companies and then warns me that the site is likely a phishing site. Sometimes it gets false positives for URL shorteners (like goo.gl instead of google.com)
just this week, I clicked on the 1st search result ad for "amazon" in google search. It led me to a windows-themed "Virus detected" amazon clone. I'm not using Windows. I was able to close the tab, but it left a bad taste in my mouth for google search results.
(I know I could have just typed "amazon.com" and gone directly. But browser autocomplete makes it a tiny bit easier to use the omni-url bar and just type "amazon" than "amazon.com")
My bank app asks for different tokens for different operations. A code for login, a code for transfers (the code needs to be generated with the payee account number as input). So it’s not a problem of tokens vs SMS.
If the business model of your search engine is based on ads, your (search user) relationship with them is fundamentally adversarial. Ad blockers will get you some temporary respite, but it doesn't change the nature.
This is an observation from a happy kagi subscriber that doesn't use an ad block.
I wish we could break people of the habit of searching for websites that they visit all the time and using search results to navigate to them.
Maybe a secure browser profile that blocks search engine usage and can only visit sited in bookmarks or a whitelist so if you get a new bank and its not on the common whitelist have to explicitly add it to bookmarks.
Use your Chrome secure profile tm for banking and refuse to auto complete payment info on the insecure side.
Instead, the 2fa app should show you the action you are authenticating, just like the SMS version.
But actually, we have put way too much stuff on the (inherently transient) web. What solves your problem is permanent client-side storage. Your friend shouldn't reach the bank through a google search.
Passkeys or FIDO hardware tokens are the solution, as written up by Google ages ago, because they only enter the TOTP code when the URL matches the right site, it wouldn't enter the code for the phishing URL
It's worth reminding your loved ones that the FBI specifically recommend using an ad blocker in search engines to avoid exactly this kind of scam [0].
[0] https://www.ic3.gov/Media/Y2022/PSA221221
ADS ARE THE PRIMARY WAY ELDERS GET DEFRAUDED
That’s fun to read about because my bank forces you to use their integrated 2fa which always rejects the first code you put in.
HSBC actually has this. All of their country-specific apps allow you to generate a different security code depending on whether you want to login to the website, verify a transaction (e.g. transfer funds to payee), or re-authenticate (e.g. to change your personal info, like your phone number).
Here's a screenshot of what that looks like on their Australia app (similar screens in their US and UK apps): https://www.hsbc.com.au/content/dam/hsbc/au/images/ways-to-b...
They've had this for years. I'm not quite sure why this isn't a standard yet or at least been adopted by other US banks.
My local german bank uses an App specifically for 2fa. When i log in i have to approve the login within the app and the website redirects automatically. It shows me that I am approving a login or a transaction with all the transaction details. Since I don't enter my second factor into the browser, a replay wouldn't be possible and it would be VERY obvious to spot the difference between approving a login and approving a transaction. German Sparkasse for those that care.
I was saved from a phishing attack by using a password manager that refused to auto-fill my password since the hostname didn't match.
Some banks in India have a separate “transaction password” that’s required to operate on the account vs just login and view balances. It’s not a rotating token, but it’s somewhat close to what you’re suggesting.