
From Facebook account takeover to an empty bank account - dsr12
https://badcyber.com/from-full-facebook-account-takeover-to-an-empty-bank-account/
======
AdmiralAsshat
As an aside, it drives me up the wall that Facebook's 2FA settings are stuck
on SMS. Although other options exist like a Yubikey or a TOTP scheme, _even if
you select one of those_, Facebook still sends you a 2FA SMS whenever you try
to log in.

At this point I ignore it and use my TOTP app anyway, but it bothers me to no
end, as it leaves my account that much more vulnerable to a hacker
intercepting the SMS in transit and using it to break into my Facebook
account. Facebook does not allow you to disable 2FA SMS without disabling 2FA
altogether.

~~~
efrafa
Are you sure about it? I use 2FA with Authy and never got an SMS.

------
jwilk
> (to avoid the bank calling and asking “are you sure you want to speculate
> with cryptocurrency today”)

Huh? Do banks actually do that?

~~~
michaelt
I gather some banks have fraud detection systems that will flag suspicious
transactions, triggering a phone call to the customer.

While I haven't experienced that personally, a friend reported getting such a
call from his bank after he ordered $400 of fireworks online.

Unfortunately it's all pretty opaque and bank dependent - as far as I know,
there's no way a merchant can trigger such a call, for example.

~~~
stevenwoo
This happened to me in the '90s, so I'm not sure how possible it is today. Someone
got hold of my account number - I think it was in Las Vegas when I used an ATM
and didn't get the receipt, then when I realized it a couple of minutes later,
walked up to get it and didn't find it. A month later at home in Austin, my
ATM card was declined at the bank ATM and I was baffled because I knew I had
enough money for the transaction. When I went into the branch for an
explanation they told me that I had no money in my account because earlier
that day someone of a different gender and race (they had video) had used 12
different bank branches in a different city (Houston) to withdraw 2000 at a
time via check. I had to sign something that swore that I did not do that
and the act was not connected to me before they would restore the stolen funds
to my checking account.

------
mamon
The scheme is a very elaborate, multi-step process, so the risk is quite low.
Once in motion it is nearly impossible for a bank to prevent, but it would be
trivially preventable by Facebook, if they just bothered to check the URL and
warn if they find it suspicious.

EDIT:

BTW this shows that sites like Let's Encrypt, which automatically issue
certificates to websites, kind of defeat the whole purpose of certificates -
they only check that the site exists and the requestor has admin access to it, but
do nothing to check whether it is a legitimate business or a scam.

A green padlock in the address bar should mean that the site is trustworthy.
Now it only means that the site admin knows how to set up HTTPS.

~~~
zeta0134
Sure, in theory, but how do you solve a problem like this in practice? What is
it about a given URL that makes it suspicious?

Is there a whitelist? Because then the press and the rest of the internet will
cry censorship and stifling of innovation.

Is there an algorithm? Then the scammers simply learn how to game the
algorithm and defeat it easily. (This applies to some easy checks like domain
registration date too.)

Is it a team of humans? That's a lot of sites and a lot of humans to employ.
What about user reports? Now you have to deal with false reporting and abuse.

While it's possible for some combination of approaches to succeed here, it's
not nearly trivial.

~~~
ecesena
Most importantly, how could you create a trustworthy online business like an
e-commerce site, if you can't get an HTTPS site until you're trustworthy?

