[WesternWind]

Hey, just going to say what I've been telling folks IRL, if you are reading this, and your parents and family members aren't tech savvy, you need to set them up with two factor authentication now.

Because you know how to do that, and it's so much easier than helping them when they get hacked.

[ethbr1]

As evidence of the current state of play:

Friend receives an email from ISP, asking her to contact them.

She searches, comes across a "customer service number" on a legit looking page, calls them up.

(Whoever she called) plays out a 30 minute charade about how she's been flagged by IRS for illegal activity and is about to have her business accounts frozen, including multiple phone transfers to "another party" (played by different people) to boost authenticity.

And during this whole time, they not once asked her for any "red flag" information (e.g. account #, SSN).

Instead, it seemed to be a shell game of extracting limited information (last 3 of your account #?), then having "unrelated" parties parrot that back as proof of their "working for the government."

I expect it would have eventually escalated into an actionable ask, but they were definitely playing the intermediate-term game.

If not for the utter moral black hole of the endeavor, I'd be kind of impressed.

[__MatrixMan__]

I shouldn't, but sometimes I play along just to see what the scam looks like.

Last time I did this, it took three days of texting my new friend before it was finally clear that what she really wanted more than anything was to teach me to trade cryptocurrency.

Once, I thought I had her, because she spelled D&D like: D&D, but she played it off real cool and just explained that her English isn't that great so she used translation software.

In retrospect I think that all of her probing questions about my Svirfneblin cleric were because she later intended call him up and teach him to trade cryptocurrency. I like to think he's in some scammer's database now, causing confusion. He'd like that too.

Once I understood what she was after, I explained that my problem with cryptocurrency was that it resembled money too closely and really what I'd like to do with blockchains is to do away with money in favor of something entirely different.

Her training dataset had not prepared her for this conversation, so it was quite clear when her human handler took over. They were very rude, unlike their AI pet, and tried to bully me into sharing other people's contact info, which is when I lost interest.

[soco]

I noticed the same pattern. The rude humans afterwards answered with expressions sounding like translated Chinese (like, I wouldn't think mentioning the ancestors' graves)

[reginald78]

And since actual ISP customer service is actually this terrible much of the time it wouldn't even set off alarm bells.

[Calamityjanitor]

MFA doesn't stop this kind of phishing. If you're tricked to put in your password, you'll likely put in your 2FA code right after. A yubi key or device passkey that uses webauthn can stop these methods, since the domain seeking authentication is checked and won't authenticate unless it's the original domain.

Even then, that won't help scams and fraud that just trick you into sending money, or direct you to install malware.

[rsanek]

surely it won't hurt. at minimum, it makes the attacker's job much harder -- their window to exploit becomes max 30 seconds instead of however long you don't change your password.

[Calamityjanitor]

Tools like evilnginx proxy the traffic, then grab the auth token / cookie after a successful login. From there you can send the session tokens to something like necrobrowser to automatically do whatever you want with the account. The whole hack can happen in seconds.

[dools]

I set up 2fa codes through Google Authenticator with my family, and employees. That is to say I generate a QR code, we all scan it while we are in the room together and can use it at any time to check who we are really speaking to. This is in addition to a question/answer pair that we have had with my immediate family for years (duress question, duress answer, standard question, standard answer).

[jobigoud]

Interesting. So it's a bit like providing a public key, if they need to make sure they are talking with you they ask you to provide the TOTP and they control they have the same number on their side?

[dools]

Yeah that's right. So me, my 2 kids and my wife all have the same code, I have one with my brother and my dad (my mum is a bit too past it ... ) and one with my employees (I only have 2 ... ). It's like a way to prove you were all the same people in the room at the same time! I have a little script that produces a QR code, then I delete it and it will never exist again :) EDIT: my youngest daughter in particular really loves it. When I go on a run and get home without my key, and I knock on the door she grabs her iPad and opens the door a little crack and says "what's the code?"

[MontagFTB]

If you are your family’s de facto IT support, it is worth considering Seraph Secure, which can detect when someone might be falling prey to an online scam and can notify you (among other things).

https://www.seraphsecure.com/

[diob]

It's not just that either.

Talk to them about investment / romance scams as well. Unfortunately, most folks do these things "willingly" and get in deep.

[elphinstone]

OP's article is too long and complex for my elderly relatives, I fear. Any reccs for getting them to use 2FA?

[skybrian]

Rather than sending an article that they'll ignore, I recommend helping them do it when you visit. Note: you're guarding against phishing and also locking themselves out of their accounts. Both are important.

I bought Mom a Yubikey and helped her set it up on her Google account. She has it on her keychain. She doesn't need to remember how to use it, though, since it's only needed when she buys a new computer.

For good measure, I also helped her print out backup codes (and I know where they are) and I registered my Yubikey, just in case.

Nowadays, an old backup phone might also work, but I think paper backups are better because an old, unused phone might not start.