
Man's $1M Life Savings Stolen as Cell Number Is Hijacked - gscott
https://www.nbcsandiego.com/news/national-international/Mans-1M-Life-Savings-Stolen-In-Cell-Phone-Scam-509097961.html
======
praestigiare
We have allowed institutions to frame this kind of fraud in the way that they
prefer, but nothing was stolen from this man. A million dollars was stolen
from the bank.

It is the same with "identity theft." There is no such thing. If someone takes
out a loan or credit card in my name, they have taken nothing from me. I am
not even involved, and the law should recognize that.

By framing it as theft from consumers, it allows the institutions which are
actually responsible to avoid consequences.

------
dawhizkid
If you google this guy this story came out late last year...not sure why this
is "news" now.

This specific story fails to mention a very important part - that the $1m was
in a crypto exchange account.

They arrested the guy that stole the funds. Presumably he got it back now.

As an aside, the victim claims the $1m is 90% of his net worth and it's for
his kid's education. To put it all in crypto is an...interesting decision.

~~~
tuesdayrain
Taking out loans and putting over 100% of my net worth into crypto was
undoubtedly the best decision I have ever made. Keeping it there too long and
losing nearly all of the profit was also the worst decision I've ever made.
Funny how that works.

~~~
konschubert
The quality of a decision is not determined by the resulting outcome. It is
determined by how well the decision changed the likelihood of outcomes to fit
what the decision maker desired.

My personal opinion would be that both decisions were of roughly equal
quality.

------
jimrandomh
If compromising a cell phone number alone is enough to steal funds, then it
wasn't 2-factor authentication, it was 1-factor authentication. Unfortunately,
many institutions are bad at computer security and designing authentication
systems.

------
axaxs
This actually touches on a semi important issue: underpaid employees. From
casinos, to fast food, to apparently carriers, people paid minimum wage just
don't care enough about real issues, and rightly so IMHO. No, I don't want
people's accounts to be stolen, but it is pure schadenfreude to watch this
play out.

~~~
hopscotch
> semi important

I'd rate income inequality and poverty higher, personally.

~~~
bobthepanda
If people are underpaid that also contributes to income inequality and
poverty, no?

~~~
hopscotch
That was my point.

------
hopscotch
Why are banks liquidating such huge assets without proper ID or delay?

I guess people can't remember secrets, so you have to use something as a root
of trust for password resets and so on.

Would be good if the banks realised that the available roots are all dubious
and so they should require authentication on several for suspicious
transactions.

Phone numbers aren't secure. Post isn't secure. Email isn't secure (and can
often be rooted with the phone number---thanks shitty 2fa). Credit cards can
be stolen.

But it's hard to get the phone number and the postal address and the physical
debit card and the email all at once.

~~~
dragonwriter
> But it's hard to get the phone number and the postal address and the
> physical debit card and the email all at once.

Not much harder than getting the physical card plus, maybe, one of the other
three. All the rest can frequently be traced from any one of the three, and
sometimes the card, via the name on the card, is enough to find the rest.

~~~
hopscotch
I meant control of the postal address, which is quite hard. A little harder
than access to the physical debit card.

Same for email and phone. Gaining control of the account.

------
eyerishcoffee
In some cases you can block withdrawals from accounts. I’ve done so after my
information was compromised via the Equifax hack. I managed to lock things
down as hard as I can and in at least one case (either Vanguard or Fidelity I
forget) it will require a notarized document before any money can be removed
from the account.

This story reminds me that I need to make another pass over accounts to see if
I can lock things down further.

The disappointing thing is that although I was able to get a physical OTP
device for my Wells Fargo account they still insist on using a telephone
number backup for 2FA. There doesn’t appear to be a way to disable it.

~~~
camkego
I've written about the Wells Fargo issue before, here:
[https://news.ycombinator.com/item?id=15562850](https://news.ycombinator.com/item?id=15562850)

You can remove your phone number from your account to disable the security-
defeating manner of how WF allows telephone 2FA to override the physical OTP
2FA.

I am still baffled that Wells Fargo effectively eliminates any security
benefit of the RSA-style OTP 2FA token devices by allowing telephone/SMS
authentication as an alternative at login-time. It's like they don't
understand security or they don't care.
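
The point made above by jimrandomh and camkego, as an added example that is not part of any comment in this thread: an account's real factor count is set by its weakest alternative path, including recovery paths. The two policies and all names below are constructed for illustration and do not describe any real bank's configuration.

```python
from itertools import combinations

# Constructed policies, not any real bank's configuration. Each capability
# lists alternative paths; a path is the set of things an actor must hold.
ASSETS = {"knows_password", "phone_number", "otp_token", "email"}

POLICY_WITH_SMS_FALLBACK = {
    "password": [{"knows_password"}, {"phone_number"}],   # SMS password reset
    "second_factor": [{"otp_token"}, {"phone_number"}],   # token OR SMS code
    "login": [{"password", "second_factor"}],
}
POLICY_TOKEN_ONLY = {
    "password": [{"knows_password"}, {"email", "otp_token"}],
    "second_factor": [{"otp_token"}],
    "login": [{"password", "second_factor"}],
}


def reachable(policy, held):
    """Everything obtainable from `held`, following paths to a fixed point."""
    got = set(held)
    changed = True
    while changed:
        changed = False
        for capability, paths in policy.items():
            if capability not in got and any(path <= got for path in paths):
                got.add(capability)
                changed = True
    return got


def minimal_control_sets(policy, goal="login"):
    """Smallest asset sets that suffice for `goal`, supersets pruned."""
    found = []
    for size in range(1, len(ASSETS) + 1):
        for combo in combinations(sorted(ASSETS), size):
            held = set(combo)
            if any(prev <= held for prev in found):
                continue
            if goal in reachable(policy, held):
                found.append(held)
    return found


def effective_factor_count(policy, goal="login"):
    """Independent things the account really depends on (weakest path)."""
    return min(len(s) for s in minimal_control_sets(policy, goal))


if __name__ == "__main__":
    for name, policy in [("sms fallback", POLICY_WITH_SMS_FALLBACK),
                         ("token only", POLICY_TOKEN_ONLY)]:
        print(name, effective_factor_count(policy), minimal_control_sets(policy))
```

Running the same audit over a real account means listing every login and recovery path the provider offers, since a single phone-based reset is enough to drop the count to one.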

------
shishy
Slightly related: the "Reply All" podcast had an episode called "The Snapchat
Thief" where they discuss SIM swapping, etc.

May be of interest to some of you:
[https://gimletmedia.com/shows/reply-all/v4he6k/130-the-snapchat-thief](https://gimletmedia.com/shows/reply-all/v4he6k/130-the-snapchat-thief)

------
pcvarmint
[https://krebsonsecurity.com/2019/01/stole-24-million-but-still-cant-keep-a-friend/](https://krebsonsecurity.com/2019/01/stole-24-million-but-still-cant-keep-a-friend/)

------
holyend
No recourse eh? Magical internet beans are without mercy. Failed design unless
you’re an anarchist.

In a civilized society it would have been difficult to turn millions into
cash, at least providing a buffer and perhaps a way to get the stolen wealth
back.

Bitcoin marked a potentially dark turn; far superior technologies that
respect our needs will emerge, however.

It’s mind boggling that something like getting sim jacked through a major
carrier no less can ruin someone’s life so thoroughly, which speaks to the sad
state of affairs for civilian digital security.

